CatBAC: A generic framework for designing and validating hybrid access control models

Many access control models have been proposed in the literature, and they have been extensively studied under the acronyms of DAC, MAC, RBAC, ABAC, etc. Each of these models has been studied in isolation, but some real-life situations need elements of several of them, in order to properly express data protection needs of complex organizations. A formal framework is presented, that allows not only to combine elements of these models, but also to generalize them in new ways. This framework includes elements of a lifecycle methodology, which starts with a UML-based formalism, called UACML, that expresses semantic elements (classes and their relationships) needed for general access control systems. It continues with the representation of UACML diagrams in our language CatBAC. The latter is a compact textual representation of UACML that makes it possible to express realistic policy systems involving many entities and many constraints. CatBAC is based on Prolog, and this makes it possible to implement analysis and verification tools.