Restricting Insider Access through Efficient Implementation of Multi-Policy Access Control Systems
Published
Author(s)
Peter M. Mell, Serban I. Gavrila, James Shook
Abstract
The American National Standards Organization has standardized an access control approach, Next Generation Access Control (NGAC), that enables simultaneous instantiation of multiple access control policies. For large complex enterprises this is critical to limiting the legally authorized access of insiders. However, the specifications describe the required access control capabilities but not the related algorithms. Existing reference implementations have inefficient algorithms and thus do not fully express the NGAC's ability to scale. For example, the primary NGAC reference implementation took several minutes to simply display the set of files accessible to a user on a moderately sized system. To solve this problem we provide efficient algorithms, reducing the overall complexity from cubic to quadratic. Our other major contribution is to provide a novel mechanism for administrators and users to review allowed access rights. We provide an interface that appears to be a simple file directory hierarchy but in reality is an automatically generated structure abstracted from the underlying access control graph that works with any set of simultaneously instantiated access control policies. Our work thus provides the first efficient implementation of NGAC while enabling user privilege review through a novel visualization approach. It thereby enables the efficient simultaneous instantiation of multiple access control policies that is needed to best limit insider access to information (and thereby limit information leakage).
Proceedings Title
Proceedings of the 23rd ACM Conference on Computer and Communications Security
Conference Dates
October 24-28, 2016
Conference Location
Vienna
Conference Title
8th ACM Computer and Communications Security International Workshop on Managing Insider Security Threats
Mell, P., Gavrila, S. and Shook, J. (2016), Restricting Insider Access through Efficient Implementation of Multi-Policy Access Control Systems, Proceedings of the 23rd ACM Conference on Computer and Communications Security, Vienna, [online], https://doi.org/10.1145/2995959.2995961 (Accessed October 11, 2025)