SUMMARY

Computing facilities networked together but controlled by different administrations pose a problem of access control. Who decides who can use what?

We specify a formal model for an access control system which allows users and services from different administrations to communicate with each other, while still allowing the administrators to retain control of their own parts of the network. The model, written in the Z specification language, has been developed as the access control system for ADMIRAL, though it is not specific to ADMIRAL. It provides a framework for administrators to build access control systems to meet their differing requirements.

A system based on the model would allow users to log in to a distributed computing system and to make requests for services in any part of the system, without having to provide any more information about themselves. After this initial log-in, all subsequent access control decisions are handled automatically, and remain invisible to the user unless access is refused.

We also discuss the experience we have had animating this model in Prolog.

KEY WORDS: Networks; Access control; Formal model; Z specification; Prolog
Objectives of the Model

In a conventionally organized network, very little attention is paid to access control on a network-wide basis. Usually individual machines provide their own facilities. This can lead to frustration both for users and for administrators: users are continually faced with log-in prompts, and administrators have to maintain a multitude of tables on different machines. Most access control schemes designed for networks are based around a centralized service, or are controlled by a single administration. These fail to address the problems associated with access control in a multi-administration network, in which several autonomous access control systems (ACSs) have to interact.

The model described here has been developed as the access control system for project ADMIRAL. ADMIRAL is a collaborative project supported by the Alvey programme, carrying out research into the use and management of high performance networks. An internet of linked networks, covering five industrial and academic sites, is being set up. The project is described in Reference 1.

Our model is not specific to ADMIRAL, however. A system based on our model will have the following properties:

1. Autonomous administrations can work with each other, but still retain control over their own facilities.
2. Users' access to services can be controlled, even when the user and the service fall under different administrations. This control is invisible to users, unless they try to access services not available to them.
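To make the two properties concrete, the following is an added toy model (not the paper's Z specification, and not ADMIRAL code): each administration is an autonomous ACS that authenticates its own users and alone decides access to the services it owns, while a user's single log-in is carried as a session that other administrations may accept. The administrations "A", "B", "C", the users and the services are constructed sample data; the `trusted` set, which says whose log-ins an administration will honour, is an assumption made for this illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Session:
    """What the user holds after the single log-in at the home administration."""
    user: str
    home: str


@dataclass
class Administration:
    """One autonomous ACS: authenticates its own users and is the only party
    that decides access to the services it owns (nobody else edits its tables)."""
    name: str
    users: set = field(default_factory=set)
    # service name -> set of (home administration, user) permitted to use it
    services: dict = field(default_factory=dict)
    # administrations whose log-ins this ACS accepts (assumed trust relation)
    trusted: set = field(default_factory=set)

    def login(self, user):
        if user not in self.users:
            raise PermissionError(f"{user} is not a user of {self.name}")
        return Session(user, self.name)

    def decide(self, session, service):
        """Access decision for a service this administration owns."""
        if session.home != self.name and session.home not in self.trusted:
            return False  # log-ins vouched for by that administration are not accepted
        return (session.home, session.user) in self.services.get(service, set())


def request(network, session, service):
    """Route a request to the administration that owns the service; the user
    supplies nothing beyond the session obtained at log-in."""
    for admin in network.values():
        if service in admin.services:
            return admin.decide(session, service)
    return False  # no administration offers this service


def demo():
    a = Administration("A", users={"alice", "bob"})
    b = Administration("B", services={"printer": {("A", "alice")}}, trusted={"A"})
    c = Administration("C", services={"archive": {("A", "alice")}})  # trusts nobody
    net = {x.name: x for x in (a, b, c)}
    alice, bob = a.login("alice"), a.login("bob")
    return {
        "alice_printer": request(net, alice, "printer"),  # True: B lists and trusts A's alice
        "bob_printer": request(net, bob, "printer"),      # False: B's own table omits bob
        "alice_archive": request(net, alice, "archive"),  # False: C does not accept A's log-ins
    }
```

Administration B can revoke alice's use of the printer by changing only its own table, which is the control property 1 asks for.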