Combining Mandatory and Attribute-based Access Control

Attribute based access control (ABAC) offers a great deal of flexibility over more traditional forms of access control in that it relies less on user identity or role but on various attributes of a subject or object. In many instances where a traditional access control approach is taken, such as mandatory access control (MAC) environments, more information beyond a classification is desirable to make a more flexible access control determination. We propose an ABAC model that retains the nature of a strictly MAC approach, while enriching access control decisions with a number of other security attributes by leveraging the concept that classification, clearance, or any other security property of a subject or object is simply an attribute. The model description is followed by an example instance based on current DoD guidelines.