HRU (security)

The HRU model is an extension of the Graham-Denning model, based around the idea of a finite set of procedures being available to edit the access rights of a subject.

It is named after its three authors, Michael A. Harrison, Walter L. Ruzzo and Jeffrey D. Ullman.[1]

Along with presenting the model, Harrison, Ruzzo and Ullman also discussed the possibilities and limitations of proving the safety of systems using an algorithm.[1]

The HRU model defines a protection system consisting of a set of generic rights R and a set of commands C. An instantaneous description of the system is called a configuration and is defined as a tuple

The commands are composed of primitive operations and can additionally have a list of pre-conditions that require certain rights to be present for a pair

The primitive requests can modify the access matrix by adding or removing access rights for a pair of subjects and objects and by adding or removing subjects or objects.

Harrison, Ruzzo and Ullman[1] discussed whether there is an algorithm that takes an arbitrary initial configuration and answers the following question: is there an arbitrary sequence of commands that adds a generic right into a cell of the access matrix where it has not been in the initial configuration?

They showed that there is no such algorithm; the problem is therefore undecidable in the general case.

They also showed that limiting the model to commands with only one primitive operation renders the problem decidable.
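The sketch below is an added example, not code from Harrison, Ruzzo and Ullman: it models commands as pre-conditions plus primitive operations on an access matrix and searches for a command sequence that leaks a right into a new cell. It is narrowed to the enter and delete primitives over a fixed set of subjects and objects, so the reachable state space is finite and the search terminates, unlike the general case; the tuple encoding, the command names and the sample configuration are assumptions made for the example.

```python
from itertools import product

# Command = (name, parameter count, preconditions, primitive operations).
# Precondition (r, i, j): right r must be in cell (args[i], args[j]).
# Operation (op, r, i, j): "enter" or "delete" right r in cell (args[i], args[j]).
# Both sample commands are constructed for this example.
CONFER_READ = ("confer_read", 3, [("own", 0, 2)], [("enter", "read", 1, 2)])
TRANSFER_OWN = ("transfer_own", 3, [("own", 0, 2)],
                [("delete", "own", 0, 2), ("enter", "own", 1, 2)])

def run(command, args, matrix, subjects):
    """Apply a command to a matrix (frozenset of (subject, object, right)).
    Returns the new matrix, or None if the command does not apply."""
    _, _, conds, ops = command
    if any(args[i] not in subjects for _, _, i, _ in ops):
        return None  # matrix rows exist only for subjects
    if any((args[i], args[j], r) not in matrix for r, i, j in conds):
        return None  # a required right is missing
    cells = set(matrix)
    for op, r, i, j in ops:
        if op == "enter":
            cells.add((args[i], args[j], r))
        else:
            cells.discard((args[i], args[j], r))
    return frozenset(cells)

def leaks(right, initial, commands, subjects, objects):
    """Breadth-first search for a command sequence that enters `right` into a
    cell that did not hold it initially; None if no reachable matrix does."""
    start = frozenset(initial)
    had = {(s, o) for s, o, r in start if r == right}
    seen, queue = {start}, [(start, [])]
    while queue:
        matrix, trace = queue.pop(0)
        for cmd in commands:
            for args in product(sorted(objects), repeat=cmd[1]):
                nxt = run(cmd, args, matrix, subjects)
                if nxt is None or nxt in seen:
                    continue
                step = trace + [(cmd[0], args)]
                if any(r == right and (s, o) not in had for s, o, r in nxt):
                    return step
                seen.add(nxt)
                queue.append((nxt, step))
    return None

# Constructed sample configuration: subjects are also objects.
SUBJECTS = {"alice", "bob"}
OBJECTS = SUBJECTS | {"file"}
INITIAL = {("alice", "file", "own")}
```

With only `CONFER_READ` available the system is safe for `own`, while adding `TRANSFER_OWN` lets `own` reach a cell that did not hold it in the initial configuration.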