Access Control Systems: Foundations and Practice



An information security model defines access rights that express, for a given system, which subjects are allowed to perform which actions on which objects. A system is said to be secure with respect to a given information security model if it enforces the corresponding access rights. Thus, access control modeling and access control systems represent the fundamental building blocks of secure services, be it on the Web or in the Internet of Everything.
In this master-level course, we thoroughly investigate the evolution of access control models (access control matrix, role-based access control, attribute access control) and describe usage control models as a unified framework for both access control and digital rights management. We analyze current access control systems and APIs from both the developers' and the end users' perspectives, including Identity-as-a-Service. We look at current research aspects of secure data outsourcing and sharing, blockchains, and vehicular systems. Finally, we also discuss the ethical dimension of access management. Students prepare for each session by studying previously announced literature that is then jointly discussed in the lecture.

Work Load

Lecture (2 SWS): 2,0h x 15 = 30h
Exercise (1 SWS): 1,0h x 15 = 15h
Weekly lecture preparation and follow-up: 15 x 1,5h x 2 = 45h
Weekly exercise preparation and follow-up: 15 x 2h = 30h
Exam preparation: 30h

150h = 5 ECTS


Summary: the student is able to derive suitable access control models from scenario requirements and is able to specify concrete access control systems. The student is aware of the limits of access control models and systems with respect to their analyzability and performance and security characteristics. The student is able to identify the resulting tradeoffs. The student knows the state of the art with respect to current research endeavors in the field of access control.

The specific competences are as follows. The student...

... is able to analyze a specific instance of an access control system and identify roles that enable a role-based access control realization.

... is able to decide which concrete architectures and protocols are technically suited for realizing a given access control model.
... is able to design an access control system architecture adhering to the requirements of a concrete scenario.
... knows access control models derived from social graphs and is able to analyze the opportunities for deanonymization of persons through metrics from the literature.

... knows specific access control protocols employed by providers of modern cloud-based services.

... knows the challenges of access control in inter- and intra-vehicle communication and is able to identify the fundamental access control problems in the domain.
... knows access control mechanisms for secure data outsourcing and is able to analyze and compare the performance and security guarantees of the different approaches.

... knows access control protocols to enable decentralized data sharing through cryptographic methods and is able to compare protocol realizations based on different cryptographic building blocks with respect to their performance.

... knows blockchain-based approaches to ensure the consistency in decentralized systems and is able to identify tradeoffs between consistency and anonymity.