Access control matrix
The access control matrix (ACM) is a foundational abstract model in computer security for representing and managing the protection state of a system, specifying which subjects are authorized to perform which operations on which objects.[1] Introduced by Butler W. Lampson in his 1974 paper "Protection," the model structures access rights in a matrix where rows represent subjects—such as users, processes, or domains—and columns represent objects, including files, memory segments, or other resources; each cell at the intersection contains a set of rights, such as read (r), write (w), execute (x), or ownership (o), indicating the permissions granted.[1] This framework enables precise modeling of discretionary access control policies, allowing system designers to define and enforce isolation, sharing, and modular protection in operating systems and beyond.[2][3] In practice, the ACM serves as a theoretical basis for implementing access control mechanisms, primarily through two complementary approaches: access control lists (ACLs) and capability lists. ACLs correspond to the columns of the matrix, attaching lists of authorized subjects and their rights directly to each object, which facilitates efficient authorization checks for object-oriented systems like file servers but can grow cumbersome with many subjects.[4][5] Conversely, capability lists represent the rows, providing subjects with unforgeable tokens (capabilities) that bundle object references with specific rights, enabling decentralized and fine-grained access in subject-centric environments, such as those supporting inter-process communication, though they require careful management to prevent capability leakage.[4][6] The model's flexibility also extends to analyzing system safety and policy enforcement via state transitions—defined by primitive operations like creating or deleting subjects/objects and entering/deleting rights—often formalized in extensions like the Harrison-Ruzzo-Ullman (HRU) model to determine whether unauthorized access can leak through command sequences.[2][7] Beyond its core structure, the ACM has influenced broader security paradigms, including role-based access control (RBAC) and attribute-based access control (ABAC), by providing a uniform way to abstract and compare policies across diverse systems, from traditional operating systems to modern cloud and distributed environments.[8][9] While the full matrix is rarely stored explicitly due to sparsity and scalability issues—favoring hybrid implementations—it remains a cornerstone for understanding protection principles, ensuring that access decisions align with confidentiality, integrity, and availability goals.[10][5]Fundamentals
Definition
An access control matrix is a conceptual model in computer security represented as a table, where rows correspond to subjects (such as users or processes), columns correspond to objects (such as files or resources), and the cells contain the set of access rights (such as read, write, or execute) granted to each subject for each object.[11] This structure captures authorizations through subject-object-right triples, where each triple specifies a particular permission, like allowing a subject to read a specific object.[3] The model originated in the 1970s from theoretical computer security research, first proposed by Butler W. Lampson in 1971 as a framework for protection mechanisms in operating systems.[12] Lampson's work generalized access control to handle resource sharing systematically, laying the foundation for analyzing protection states and transitions.[3] As a core element of discretionary access control (DAC), the access control matrix enables resource owners to specify and delegate access rights flexibly based on their discretion.[3] This contrasts with mandatory access control (MAC), which relies on system-enforced security labels and clearances rather than owner-defined triples, emphasizing centralized policy over individual control.[3]Components
The access control matrix model defines subjects as the active entities responsible for initiating access requests within a system. These subjects typically encompass users, processes, or groups that operate on behalf of users, enabling the enforcement of protection policies by specifying what actions they may perform.[12][13] Objects represent the passive entities targeted by access requests, serving as the resources that require protection. Common examples include files, devices, data structures, segments, and terminals, each assigned unique identifiers by the protection mechanism to facilitate controlled interactions.[12][13] Rights denote the specific permissions granted to subjects over objects, captured as sets of access attributes within the matrix. Standard rights often include read (r) for retrieving information, write (w) for modifying content, execute (x) for running code, own for controlling access modifications, and delete for removing the object, with these typically symbolized or enumerated to reflect the allowed operations.[12][13][14] Entries without specified rights, such as empty cells or null values, explicitly indicate the absence of access, ensuring that no permissions are implicitly granted and thereby upholding the principle of least privilege in the protection state.[12][13]Representations
Matrix Structure
The access control matrix is organized as a two-dimensional table, with rows corresponding to subjects—active entities such as users or processes—and columns corresponding to objects—passive entities such as files or resources. Each cell at the intersection of a row and column specifies the set of access rights granted to that subject over that object, where rights are typically primitive operations like read (r) or write (w).[13] This tabular layout provides a global view of the protection state in a system, capturing all subject-object interactions in a single abstract structure. For instance, the following simplified matrix illustrates the structure, where empty cells denote no rights:| Subjects \ Objects | File A | File B |
|---|---|---|
| User1 | {r, w} | {r} |
| User2 | ∅ | {w} |
Alternative Forms
Access control lists (ACLs) offer a column-wise representation of the access control matrix, in which each object is associated with a list enumerating the subjects authorized to access it and the specific rights granted to each such subject.[15] This structure groups permissions by object, allowing for straightforward verification of access requests directed at a particular resource by scanning the relevant list.[16] ACLs emerged as a practical mechanism in early systems like Multics, where they were implemented to manage protections for shared resources efficiently. In contrast, capability lists provide a row-wise view of the matrix, assigning to each subject a list of capabilities—protected tokens that pair an object identifier with the set of rights the subject possesses over that object.[17] Capabilities enable subjects to demonstrate authorization without needing to consult a central authority for each access, and they support delegation by allowing transfer of capabilities to other subjects, subject to system policies.[15] This approach was formalized in early multiprogramming semantics to facilitate secure resource sharing in computational environments.[17] The choice between these forms involves trade-offs in storage efficiency and operational performance relative to the full matrix representation. The matrix itself can be space-intensive for sparse configurations, where most entries lack permissions, but ACLs mitigate this by storing only non-empty columns, proving advantageous when objects have limited authorized subjects, though they may incur overhead in searching lists during subject-specific queries.[15] Capability lists, by focusing on non-empty rows, conserve space in domains where subjects interact with numerous objects, offering fast access checks via capability possession, yet they complicate revocation since distributed capabilities must be individually invalidated or expired.[16] These alternatives thus adapt the matrix's conceptual completeness to practical constraints, balancing lookup speed against administrative complexity.[15]Theoretical Aspects
Underlying Models
The access control matrix serves as the foundational structure in discretionary access control (DAC), where resource owners have the authority to assign and revoke access rights to subjects for specific objects. In this model, each entry in the matrix specifies the rights—such as read, write, or execute—that a subject holds over an object, enabling fine-grained, owner-discretionary management of permissions. This approach contrasts with mandatory access control by emphasizing user autonomy in protection decisions, allowing propagation of rights through mechanisms like access control lists or capabilities derived from the matrix.[15] The Take-Grant model, introduced by Jones and Lipton in 1975, extends the access control matrix into a graph-based representation to analyze rights propagation in protection systems.[18] In this framework, subjects and objects are modeled as nodes in a directed graph, with edges labeled by specific rights (e.g., "take" for acquiring rights from another subject, "grant" for transferring rights to another subject), effectively abstracting the matrix's rows and columns into a more analyzable structure for dynamic access scenarios. The model defines four rules—create, destroy (delete) subject/object, take, and grant—that govern state transitions, allowing efficient linear-time algorithms to determine whether a right can be acquired by a subject through propagation paths. The model is often analyzed in its monotonic form, which excludes the destroy rule. This graph-theoretic extension facilitates safety analysis by simulating how rights flow without enumerating all matrix states. The Harrison-Ruzzo-Ullman (HRU) model formalizes the access control matrix as a state machine to evaluate the safety of protection systems against unauthorized right leakage. It defines a protection state as a triple consisting of sets of subjects and objects, along with the access matrix specifying rights like enter (create/delete subjects/objects), own (full control), read/write on objects, and conditional commands for complex operations. HRU introduces generic commands for matrix manipulation, such as creating or deleting rows/columns and inserting/deleting rights, enabling the modeling of policy enforcement through state transitions. The model's undecidability result for general safety—determining if a right can leak to an unauthorized subject—highlights the computational limits of matrix-based verification, though mono-operational schemes remain decidable. This framework underpins theoretical analysis of matrix expressiveness and has influenced subsequent safety-checking techniques.[19]Formal Properties
The access control matrix (ACM) in formal models exhibits monotonicity when rights can only be added and not revoked through certain operations, ensuring that the set of rights for any subject-object pair is non-decreasing over time. In the Harrison-Ruzzo-Ullman (HRU) model, this property holds in monotonic variants where commands like "enter right" append privileges without corresponding deletion mechanisms, preventing the reduction of access rights once granted.[20] Specifically, for a matrix M where M[s, o] denotes the set of rights held by subject s over object o, executing an "enter r into M[s, o]" command results in M'[s, o] = M[s, o] \cup \{r\}, maintaining M[s, o] \subseteq M'[s, o] for all subsequent states. This non-decreasing behavior simplifies analysis in restricted systems but does not apply universally in HRU due to potential delete operations.[21] A central formal challenge in ACMs is the safety problem, which determines whether an initial configuration allows an unauthorized subject to acquire a specific right through a sequence of commands. In the general HRU model, this problem is undecidable, meaning no algorithm can always determine if a right can be illicitly acquired, as proven by reduction to the halting problem of Turing machines.[20] Formally, given an initial matrix M_0, a generic right r, and a set of commands C, the question is whether there exists a sequence leading to a state M_k where r \in M_k[s, o] for some unauthorized s and o; the undecidability arises from the expressive power of conditional commands that simulate arbitrary computation. Restricted cases, such as mono-operational HRU (with a single command type), render safety decidable but NP-complete.[21] ACMs also demonstrate closure properties under primitive operations, where the set of valid matrices remains invariant under executions of commands like create subject/object or delete right. In HRU, the create subject command adds a new row and column to M initialized with empty right sets, preserving the matrix structure while expanding the subject and object sets S and O such that S' = S \cup \{s'\} and O' = O \cup \{s'\} (subjects often double as objects). Similarly, delete right removes a specific privilege from M[s, o], yielding M'[s, o] = M[s, o] \setminus \{r\}, and the overall set of reachable configurations is closed under these transformations, ensuring that all resulting matrices adhere to the model's syntax. These properties underpin the model's ability to model dynamic protection systems without introducing invalid states.[20]Applications and Evaluation
Practical Implementations
In Unix-like operating systems, access control matrices are approximated through Access Control Lists (ACLs), which extend the traditional discretionary access control model of file permissions and user groups to provide more granular rights management. POSIX ACLs, based on the draft POSIX.1e standard (IEEE 1003.1e, draft 17), allow administrators to define permissions for individual users or groups beyond the standard owner-group-others triad, effectively simulating rows and columns of an access matrix where subjects (users or groups) are granted specific operations (read, write, execute) on objects (files or directories).[22][23] These ACLs are implemented in file systems like ext4 on Linux, UFS on FreeBSD, and ZFS on various Unix variants, using commands such assetfacl and getfacl to manipulate entries, which include access ACLs for direct permissions and default ACLs for inheritance on new objects.[24] For example, an ACL entry might grant read access to a specific user on a directory while denying it to others, reducing the sparsity of a full matrix by storing only non-empty entries.[25]
Capability lists, representing the rows of the access control matrix, are implemented in various operating systems and kernels to provide subjects with unforgeable tokens bundling object references and rights. For example, the seL4 microkernel, a formally verified system, uses capabilities to enforce mandatory access control and mediate all inter-process communication and resource access, ensuring strong isolation in embedded and high-assurance environments.[26] Historical examples include the Cambridge CAP computer, which provided hardware support for capabilities, and systems like KeyKOS and EROS, which employed capabilities for persistent, secure object management.[27][28] These implementations facilitate decentralized access control but require mechanisms to prevent capability leakage and revocation.
In the Windows NT family of operating systems, access control is implemented using a token-based model for subjects and security descriptors for objects, which collectively enforce matrix-like logic without maintaining a global matrix due to scalability concerns. Each process or thread holds an access token containing the user's Security Identifiers (SIDs) and group memberships as subjects, while securable objects like files, registry keys, or processes have security descriptors that include a Discretionary Access Control List (DACL) specifying allowed accesses for SIDs.[29] The system checks access by comparing the token's SIDs against the object's DACL entries, granting rights such as read, write, or delete if a matching allow entry exists and no deny entry overrides it, thus realizing the intersection of subjects and objects in the abstract matrix model.[30] This approach, introduced in Windows NT 3.1 and refined in subsequent versions, supports auditing via System Access Control Lists (SACLs) and is managed through APIs like SetNamedSecurityInfo or tools like icacls.[31]
Database management systems implement access control matrix principles through role-based mechanisms standardized in SQL, where privileges are granted or revoked to users or roles on database objects, approximating the matrix by associating subjects (roles or users) with operations (select, insert, update, delete) on objects (tables, views, schemas). The ANSI/ISO SQL standard (ISO/IEC 9075) defines the GRANT statement to assign privileges explicitly, optionally with the WITH GRANT OPTION to propagate rights, and the REVOKE statement to withdraw them, including CASCADE or RESTRICT options to handle dependencies.[32][33] In systems like SQL Server, PostgreSQL, and Oracle, roles act as intermediaries to group privileges, enabling efficient management of matrix entries; for instance, a DBA role might grant SELECT on multiple tables to an analyst role, which is then assigned to users, avoiding per-user granularity for large-scale deployments.[34] This SQL-based approach integrates with underlying ACL or capability lists for file-level security on database files but focuses on logical access within the DBMS.[35]