A key function of any information security infrastructure is access control, which concerns the ways in which users can access resources in a computer system. Access control is one of the most pervasive security mechanisms in use today and is present in almost all systems, from operating systems to database management systems. Access control is usually based on access permits, also called authorizations, which specify which subjects can access which objects to perform which actions. Access control, however, poses great administrative and architectural challenges and requires careful design. In particular, a relevant problem, especially in large systems, is the complexity of access control administration, which deals with assigning and revoking authorizations.
Whenever the number of subjects and objects is high, the number of such authorizations can become huge. If, moreover, the subject population is highly dynamic, the number of authorization grant and revoke operations to be performed can become very difficult to manage. Another important consideration is that in many organizations end users often do not own the information to which they are allowed access. Rather, it is usually the corporation or agency that is the actual "owner" of the data, and control over the data is often based on the user's function within the organization.