Relational access control with bivalent permissions in a social Web/collaboration architecture

We describe an access control model that has been implemented in the web content management framework “Deme” (which rhymes with “team”). Access control in Deme is an example of what we call “bivalent relation object access control” (BROAC). This model builds on recent work by Giunchiglia et al. on relation-based access control (RelBAC), as well as other work on relational, flexible, fine-grained, and XML access control models. We describe Deme's architecture and review access control models, motivating our approach. BROAC allows for both positive and negative permissions, which may conflict with each other. We argue for the usefulness of defining access control rules as objects in the target database, and for the necessity of resolving permission conflicts in a social Web/collaboration architecture. After describing how Deme access control works, including the precedence relations between different permission types in Deme, we provide several examples of realistic scenarios in which permission conflicts arise, and show how Deme resolves them. Initial performance tests indicate that permission checking scales linearly in time on a practical Deme website.