The Formulary Model for Access Control and Privacy in Computer Systems

This thesis presents a model for engineering the user interface for large data base systems in order to maintain flexible access controls over sensitive data. The model is independent of both machine and data base structure, and is sufficiently modular to allow cost-effectiveness studies on access mechanisms. Access control is based on sets of procedures called formularies. The decision on whether a user can read, write, update, etc., data is controlled by programs (not merely bits or tables of data) which can be completely independent of the contents or location of raw data in the data base. The decision to grant or deny access can be made in real time at data access time, not only at file creation time as has usually been the case in the past. Indeed the model presented does not make use of the concept of “files, It though a specific interpretation of the model may do so. Access control is not restricted to the file level or the record level, although the model permits either of these. If desired, however, access can be controlled at arbitrarily lower levels, even at the bit level. The function of data addressing is separated from the function of access control in the model. Moreover, each element of raw data need appear only once, thus allowing considerable savings in memory and in maintenance effort over previous file-oriented systems. Examples of the use of formularies in a system currently running on the IBM 360/67 are given. One recent cost study using the model is also described.