Graham–Denning model

From HandWiki
Short description: Computer security model

The Graham–Denning model is a computer security model that shows how subjects and objects should be securely created and deleted. It also addresses how to assign specific access rights. It is mainly used in access control mechanisms for distributed systems. There are three main parts to the model: A set of subjects, a set of objects, and a set of eight rules. A subject may be a process or a user that makes a request to access a resource. An object is the resource that a user or process wants to access.


This model addresses the security issues associated with how to define a set of basic rights on how specific subjects can execute security functions on an object. The model has eight basic protection rules (actions) that outline:

  • How to securely create an object.
  • How to securely create a subject.
  • How to securely delete an object.
  • How to securely delete a subject.
  • How to securely provide the read access right.
  • How to securely provide the grant access right.
  • How to securely provide the delete access right.
  • How to securely provide the transfer access right.

Moreover, each object has an owner that has special rights on it, and each subject has another subject (controller) that has special rights on it.

The model is based on the Access Control Matrix model where rows correspond to subjects and columns correspond to objects and subjects, each element contains a set of rights between subject i and object j or between subject i and subject k.

For example an action A[s,o] contains the rights that subject s has on object o (example: {own, execute}).

When executing one of the 8 rules, for example creating an object, the matrix is changed: a new column is added for that object, and the subject that created it becomes its owner.

Each rule is associated with a precondition, for example if subject x wants to delete object o, it must be its owner (A[x,o] contains the 'owner' right).


Harrison-Ruzzo-Ullman extended this model by defining a system of protection based on commands made of primitive operations and conditions.

See also