A systematic literature review for authorization and access control: definitions, strategies and models

DOI: https://doi.org/10.1108/IJWIS-04-2022-0077
Published: 15 August 2022
Pages: 156-180
Subject matter: Information & knowledge management, Information & communications technology, Information systems, Library & information science, Information behaviour & retrieval, Metadata, Internet
Authors: Aya Khaled Youssef Sayed Mohamed, Dagmar Auer, Daniel Hofer, Josef Küng
A systematic literature review for authorization and access control: definitions, strategies and models
Aya Khaled Youssef Sayed Mohamed, Dagmar Auer, Daniel Hofer and Josef Küng
Institute for Application-oriented Knowledge Processing, Johannes Kepler University Linz, Linz, Austria and LIT Secure and Correct Systems Lab, Johannes Kepler University Linz, Linz, Austria
Abstract
Purpose: Authorization and access control have been a topic of research for several decades. However, existing definitions are inconsistent and even contradict each other. Furthermore, there are numerous access control models, and even more have recently evolved to conform with the challenging requirements of resource protection. That makes it hard to classify the models and decide on an appropriate one satisfying security needs. Therefore, this study aims to guide through the many access control models in the current state of the art and through this opaque accumulation of terms, their meaning and how they are related.
Design/methodology/approach: This study follows the systematic literature review approach to investigate current research regarding access control models and illustrate the findings of the conducted review. To provide a detailed understanding of the topic, this study identified the need for an additional study on the terms related to the domain of authorization and access control.
Findings: The authors' research results in this paper are the distinction between authorization and access control with respect to definition, strategies and models, in addition to the classification schema. This study provides a comprehensive overview of existing models and an analysis according to the proposed five classes of access control models.
Originality/value: Based on the authors' definitions of authorization and access control along with their related terms, i.e. authorization strategy, model and policy as well as access control model and mechanism, this study gives an overview of authorization strategies and proposes a classification of access control models, providing examples for each category. In contrast to other comparative studies, this study discusses more access control models, including the conventional state-of-the-art models and novel ones. This study also summarizes each of the literature works after selecting the relevant ones, focusing on the database system domain or providing a survey, a classification or evaluation criteria of access control models. Additionally, the introduced categories of models are analyzed with respect to various criteria that are partly selected from the standard access control system evaluation metrics by the National Institute of Standards and Technology.
Keywords: Authorization, Access control, Authorization strategy, Access control model, Classification, Criteria
Paper type: Literature review
© Aya Khaled Youssef Sayed Mohamed, Dagmar Auer, Daniel Hofer and Josef Küng. Published by Emerald Publishing Limited. This article is published under the Creative Commons Attribution (CC BY 4.0) licence. Anyone may reproduce, distribute, translate and create derivative works of this article (for both commercial and non-commercial purposes), subject to full attribution to the original publication and authors. The full terms of this licence may be seen at http://creativecommons.org/licences/by/4.0/legalcode
The research reported in this paper has been partly supported by the LIT Secure and Correct Systems Lab funded by the State of Upper Austria. The work was also funded within the FFG BRIDGE project KnoP-2D (grant no. 871299).
Received 14 April 2022
Revised 1 June 2022
Accepted 6 July 2022
International Journal of Web Information Systems, Vol. 18 No. 2/3, 2022, pp. 156-180
Emerald Publishing Limited, ISSN 1744-0084
The current issue and full text archive of this journal is available on Emerald Insight at: https://www.emerald.com/insight/1744-0084.htm
1. Introduction
Access control ensures data security by protecting assets and private information against unauthorized access by defined subjects. It helps to avoid information leaks or improper modification by potentially malicious parties. Besides traditional, well-known access control models, there are many others that recently evolved to match advanced security requirements. Because of the increasing number of access control models, it seems promising to classify them to support the selection of an appropriate model that fulfills the requirements of the overall system. Thus, it is necessary to clarify the core concepts of authorization and access control (e.g. definitions, strategies and models) along with the commonly used, partly ambiguous, synonyms.
In this paper, we overcome this opaque accumulation of terms and their meaning by guiding researchers and practitioners through the vast amount of available access control models. We further provide support in selecting an appropriate access control model with respect to security requirements. The contributions of our work are the following:
- definition of authorization and access control along with their related terms;
- distinction between authorization strategies and access control models;
- rough classification schema for access control models;
- illustration of the classification schema by providing state-of-the-art as well as not commonly discussed models for each class of access control models;
- review of a selected list of comparative studies on access control that are in the context of databases, include a survey of models, provide evaluation criteria and/or introduce a taxonomy of models; and
- analysis of the classification schema based on selected criteria of access control models.
Concerning the methodology, we conduct a systematic literature review (SLR), which is a formal, repeatable method to identify, analyze and interpret the existing research related to a particular topic of interest. Following the SLR definition in Kuhrmann et al. (2017), we started our research with an extensive literature study on access control models. We selected a specific range of publications according to our filter criteria and studied them in detail. Because of the differences in the definition of authorization and access control along with their related terms, we discuss the various views for each concept and state which of them we follow. Then, we identified authorization strategies and derived categories for classifying all these models. Finally, we analyzed the resulting selections in addition to the main features of each category.
The remainder of this paper is organized as follows. Section 2 defines the related terms we use throughout this work. Section 3 explains the notion of authorization strategy and illustrates existing discretionary, mandatory and hybrid strategies. We introduce a classification of access control models along with examples in Section 4. We provide a summary of survey works comparing the included access control models in Section 5. In Section 6, we analyze the proposed categories with respect to selected criteria before concluding our paper in Section 7.
2. Related terms
Although authorization and access control have already been important in theory and practice for several decades, there are still differences concerning the understanding of basic terms in this domain. Therefore, we discuss the most important ones for our research.