Some multi-user networked applications have complex access control policies. A rich model called ‘Attribute Based Access Control’ (ABAC) is general enough to express any access control policy, because it simply proposes that access decisions be based on ‘attributes’ of the user, of the resource, and also of the time or environment of the request. This has the potential to capture all policies, as long as the relevant attributes can be captured in the application data. While ABAC is a relatively straightforward idea, its implementation can be non-trivial. When implementing access control in a program, properties such as self-documenting code, ease of maintenance, and separation of business logic from access control are desirable. Similarly, the code should easily support updates to the access control policy. Ideally one would want a general framework in which the access control policy can be updated with no changes to the application source code. We propose to study and improve the state of the art in access control through a software design that achieves the following goals:
1. Defines an elegant code implementation practice that self-documents the access control policy.
2. Separates the role of the developer who implements the business logic or functionality, and who only needs to query for the required access to a resource, from the developer who implements the access control policy and writes the code that grants or rejects the requested access based on that policy.
3. Disallows direct, uncontrolled access to resources. This will require the development of a middleware layer on which the application code is built.
4. Allows user-configurable access control policy updates that require no code changes.
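As an added illustration of goals 2 to 4 (not code from the proposal itself), the sketch below keeps the ABAC policy as data, evaluates it in one decision function, and routes all resource access through a guard object so application code never touches the store directly. The attribute names, the small operator vocabulary and the sample policy are constructed for this example.

```python
"""Minimal attribute-based access control (ABAC) engine: policy as data."""

# The policy is plain data (it could be loaded from JSON), so it can change
# without editing application code. Each rule names the action it permits and
# the conditions that must all hold. A condition is [left, op, right]; strings
# beginning with "$" are references into the user/resource/env attribute sets.
POLICY = [  # constructed sample policy
    {"action": "read",  "when": [["$user.dept", "eq", "$resource.dept"]]},
    {"action": "write", "when": [["$user.id", "eq", "$resource.owner"]]},
    {"action": "write", "when": [["$user.role", "eq", "editor"],
                                 ["$env.hour", "between", [9, 17]]]},
]

def _resolve(term, ctx):
    """Turn a "$scope.attr" reference into its value; literals pass through."""
    if isinstance(term, str) and term.startswith("$"):
        scope, _, attr = term[1:].partition(".")
        return ctx.get(scope, {}).get(attr)  # missing attribute -> None
    return term

def _holds(cond, ctx):
    left, op, right = cond
    lval, rval = _resolve(left, ctx), _resolve(right, ctx)
    if lval is None or rval is None:  # an absent attribute never satisfies a rule
        return False
    if op == "eq":
        return lval == rval
    if op == "between":  # half-open range, e.g. working hours [9, 17)
        lo, hi = rval
        return lo <= lval < hi
    raise ValueError(f"unknown operator {op!r}")

def is_permitted(action, user, resource, env=None):
    """Policy decision point: deny by default, permit if any rule matches."""
    ctx = {"user": user, "resource": resource, "env": env or {}}
    return any(rule["action"] == action and all(_holds(c, ctx) for c in rule["when"])
               for rule in POLICY)

class Guarded:
    """Middleware-style enforcement point wrapping the raw resource store."""
    def __init__(self, store):
        self._store = store  # dict of resource id -> attribute dict

    def read(self, user, rid, env=None):
        res = self._store[rid]
        if not is_permitted("read", user, res, env):
            raise PermissionError(f"read {rid} denied")
        return res["body"]

    def write(self, user, rid, body, env=None):
        res = self._store[rid]
        if not is_permitted("write", user, res, env):
            raise PermissionError(f"write {rid} denied")
        res["body"] = body
```

Changing who may write outside working hours is then an edit to `POLICY`, not to `Guarded` or to the business logic that calls it.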