
Policies and models of thematic access differentiation

Updated 15.02.2024 05:16

The policy of thematic access differentiation is close to the policy of mandatory access.

What the two have in common is a special procedure for classifying the entities of the system (subjects and objects of access) according to some criterion. Earlier it was noted that in mandatory access models the classification of system entities is based on a linear lattice over an ordered set of security levels. The use of the lattice apparatus is fundamental, because the least upper bound and greatest lower bound make it possible to analyze whether a flow between any pair of system entities is dangerous or not.

In some cases, information and the subjects accessing it are classified not by data confidentiality and trust in the subjects, as in mandatory models, but by the thematic structure of the information system's subject area. The desire to extend the mandatory model to reflect the thematic principle of access differentiation applied in government organizations in many countries has led to the use of structures more complex than a linear lattice of security levels, called MLS lattices. An MLS lattice is the product of a linear lattice of security levels and the lattice of subsets of a set of categories (topics).
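The MLS lattice described above, as an added example that is not part of the original page: a label is a pair (security level, set of topics), ordered componentwise, with the least upper bound and greatest lower bound used to judge flows. The level names, topic names and function names are assumptions, and the flow rule is the usual mandatory-model rule that information may flow only to a label that dominates its source.

```python
from dataclasses import dataclass

# Constructed linear lattice of security levels (assumption), lowest first.
LEVELS = ("unclassified", "confidential", "secret", "top_secret")


@dataclass(frozen=True)
class Label:
    """Element of the MLS lattice: (security level, set of topics)."""
    level: str
    topics: frozenset

    @property
    def rank(self) -> int:
        return LEVELS.index(self.level)


def label(level, *topics):
    if level not in LEVELS:
        raise ValueError(f"unknown level: {level}")
    return Label(level, frozenset(topics))


def dominates(a, b):
    """a >= b in the product order: level not lower AND topics a superset."""
    return a.rank >= b.rank and a.topics >= b.topics


def join(a, b):
    """Least upper bound: higher of the two levels, union of topics."""
    return Label(LEVELS[max(a.rank, b.rank)], a.topics | b.topics)


def meet(a, b):
    """Greatest lower bound: lower of the two levels, shared topics only."""
    return Label(LEVELS[min(a.rank, b.rank)], a.topics & b.topics)


def flow_is_safe(src, dst):
    """A flow src -> dst is non-dangerous only if dst dominates src."""
    return dominates(dst, src)


# Constructed sample labels (hypothetical documents and subject).
doc_finance = label("secret", "finance")
doc_hr = label("confidential", "hr")
analyst = label("secret", "finance", "hr")
```

Unlike in a linear lattice, `doc_finance` and `doc_hr` are incomparable here, so neither may flow into the other; a document compiled from both needs at least the label `join(doc_finance, doc_hr)`.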

Another factor that makes special models of thematic access differentiation necessary is that in most documentary information systems the order established on the classification set is not linear (as it is on the set of security levels in mandatory models) but partial, defined by rooted trees of a certain type (hierarchical and faceted rubricators).

An important aspect of the practice of restricting access to "paper" resources is the thematic "coloring" of the information resources of enterprises and institutions by organizational and technological process and by activity profile. Employees' access to information resources (in libraries, archives, document repositories) is organized on the basis of thematic classifiers. All documents in the repository are thematically indexed, i.e. each is assigned to particular thematic headings of the classifier. Employees receive, by virtue of their functional duties or for other reasons, the right to work with documents on a certain subject. Combined with discretionary and mandatory access, this approach allows the access control system to be configured more adequately and flexibly for specific functional and technological processes and provides additional means of access control and management.