Access control policy combining

Li, Ninghui; Wang, Qihua; Qardaji, Wahbeh; Bertino, Elisa; Rao, P. Venkateswara; Lobo, Jorge; Lin, Dan

doi:10.1145/1542207.1542229

Cited by 69 publications

(64 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As such, ABAC supports rules such as identity-based permissions, roles, ownership, time, location, consent and breaking-the-glass procedures. Secondly, the most widely-used language for attribute-based policies XACML [1] additionally allows to combine multiple attribute-based rules in a single policy as a tree, a concept also present in the literature (e.g., [4,12]). As illustrated in Figure 1, each element in such a policy tree defines to which requests it applies and how the results of its children should be combined, e.g., a permit overrides a deny.…”

Section: Context and Problem Illustrationmentioning

confidence: 99%

Improving Reuse of Attribute-Based Access Control Policies Using Policy Templates

Decat

Moeys

Lagaisse

et al. 2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Access control is key to limiting the actions of users in an application and attribute-based policy languages such as XACML allow to express a wide range of access rules. As these policy languages become more widely used, policies grow both in size and complexity. Modularity and reuse are key to specifying and managing such policies effectively. Ideally, complex or domain-specific policy patterns are defined once and afterwards instantiated by security experts in their application-specific policies. However, current policy languages such as XACML provide only limited features for modularity and reuse. To address this issue, we introduce policy templates as part of a novel attribute-based policy language called STAPL. Policy templates are policies containing unbound variables that can be specified when instantiating the template in another policy later on. STAPL supports four types of policy templates with increasing complexity and expressiveness. This paper illustrates how these policy templates can be used to define reusable policy patterns and validates that policy templates are an effective means to simplify the specification of large and complex attribute-based policies.

show abstract

Section: Context and Problem Illustrationmentioning

confidence: 99%

Improving Reuse of Attribute-Based Access Control Policies Using Policy Templates

Decat

Moeys

Lagaisse

et al. 2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Moreover, in the same style, the combination algorithms of XACML policy 15 language [55,51], such as Permit-overrides, Deny-overrides, First-applicable, Only-oneapplicable can be specified in our framework using recursive rules (for a complete specification see [16]). One can note that in the setting of a three-valued policy (as we consider here) the XACML Undeterminate and NotApplicable results are treated in an equivalent way.…”

Section: Integrating Combination Operators In the Distributed Metamodelmentioning

confidence: 99%

A metamodel of access control for distributed environments: Applications and properties

Bertolissi

Fernández

2014

Information and Computation

View full text Add to dashboard Cite

We describe a metamodel for access control, designed to take into account the specific requirements of distributed environments. We see a distributed system consisting of several sites, each with its own resources to protect, as a federation, and propose a framework for the specification (and enforcement) of global access control policies that take into account the local policies specified by each member of the federation. The framework provides mechanisms to specify heterogeneous local access control policies, to define policy composition operators, and to use them to define conflict-free access authorisation decisions. We use a declarative formalism in order to give an operational semantics to the distributed metamodel. We then show how properties of policies can be directly obtained from standard results for the operational semantics of access request evaluation.

show abstract

“…6 for request q under assumption that we cannot retrieve policy p 9 . Then we construct the (partial) evaluation tree shown in Fig.…”

Section: Form (· · · ⊕ ·) Is a ∪-Policymentioning

confidence: 99%

“…However, it is generally acknowledged that XACML suffers from having poorly defined and counterintuitive semantics, see e.g. [9,10]. More formal approaches have provided well-defined semantics and typically use "policy operators" to construct complex policies from simpler sub-policies [3,5,13].…”

Section: Introductionmentioning

confidence: 99%

An Authorization Framework Resilient to Policy Evaluation Failures

Crampton

Huth

2010

Computer Security – ESORICS 2010

View full text Add to dashboard Cite

Abstract. In distributed computer systems, it is possible that the evaluation of an authorization policy may suffer unexpected failures, perhaps because a sub-policy cannot be evaluated or a sub-policy cannot be retrieved from some remote repository. Ideally, policy evaluation should be resilient to such failures and, at the very least, fail "gracefully" if no decision can be computed. We define syntax and semantics for an XACML-like policy language. The semantics are incremental and reflect different assumptions about the manner in which failures can occur. Unlike XACML, our language uses simple binary operators to combine sub-policy decisions. This enables us to characterize those few binary operators likely to be used in practice, and hence to identify a number of strategies for optimizing policy evaluation and policy representation.

show abstract

Access control policy combining

Cited by 69 publications

References 16 publications

Improving Reuse of Attribute-Based Access Control Policies Using Policy Templates

Improving Reuse of Attribute-Based Access Control Policies Using Policy Templates

A metamodel of access control for distributed environments: Applications and properties

An Authorization Framework Resilient to Policy Evaluation Failures

Contact Info

Product

Resources

About