Attribute-Based Access Control (ABAC) systems use machine-readable rules to make access control decisions. Rules are collected in documents, named policies or policy sets. These are expressed in a specific policy language, such as XACML, ALFA, or SAPL. Within systems implementing the ABAC reference architecture, policy documents are persisted in a Policy Retrieval Point (PRP). This paper addresses the problem of efficiently retrieving policy documents applicable to a given authorization request (or subscription) from the PRP. Applicability is determined by a specific section of the document, commonly named the target expression. The target expression consists of matching conditions, more precisely Boolean expressions based on request (or subscription) data. This paper presents a novel in-memory data structure that is used to index policy documents. The index allows documents matching a given authorization request to be retrieved more efficiently from a large set of policies. The empirical evaluation demonstrates that the proposed algorithm can reduce policy retrieval time in PRPs by up to 98%, depending on the structure of the policies.

CCS CONCEPTS: • Security and privacy → Access control; Authorization; • Theory of computation → Sorting and searching.