The title of this paper indicates that it is about an access control model geared toward cloud computing. However, it is not indicated what resources of the cloud are being controlled. The resources at the infrastructure as a service (IaaS) level cannot be controlled by the users of the cloud, who control only what they put onto their virtual machines. The owner of an application at the software as a service (SaaS) level could use his model to control access to the resources of the application, but this is not stated explicitly. The authors also indicate that the model is intended to control internal users of the cloud, but it is not clear what they mean by “internal” users; there are several types of users in a cloud system.

This lack of precision and the lack of a formal model make this work of very dubious value. The model has not been implemented; an actual implementation could have answered questions about the model’s performance overhead. An abstract model is never shown. A later section shows some details of expressing policies using an ontological language, but does not discuss the logic of the policies, which should come from the access model. In some parts of the paper, it is not clear what the authors are trying to express. I am surprised that this paper got through the referees.