Automated xacml policy reconfiguration for evaluation optimisation

Miseldine, Philip

doi:10.1145/1370905.1370906

Cited by 22 publications

(18 citation statements)

References 11 publications

(7 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…If any of these structural elements is not satisfied, it prevents the evaluation of elements that are further down in the hierarchy. A description of this process and its resulting savings in terms of computation costs is provided in [7].…”

Section: B the Benefits Of Structuringmentioning

confidence: 99%

“…As has already been mentioned in [7], there are cases where the principle of hierarchical structures of decision trees does not avoid searching all the rules of a policy or at least some of its subtrees. Effectively, the efficiency of this process can depend on the distribution of logic expressed as match expressions on attributes among these structural elements.…”

Section: B the Benefits Of Structuringmentioning

confidence: 99%

“…• Vertical re-ordering, consisting of redistributing logic among hierarchical partitioning blocks including changing the configuration of these blocks entirely [7] [9]. For example interchanging the logic contained in a rule target with one of its parent policies, or even further upstream targets of policy set parents.…”

Section: A a Review Of Existing Restructuring Algorithms Andmentioning

confidence: 99%

“…A manual optimization could be complex. An illustration of these challenges can be derived from [7]. Effectively they propose an algorithm for computing performance of various randomly or manually restructured policy sets.…”

Section: Figure 8: Xacml Decision Subtree For Effect Permitmentioning

confidence: 99%

“…• Step 6: compute the total cost of request processing of the compressed policies using the algorithm proposed in [7]. • Step 7: repeat step 2 to 5 using a different order in the sequence of attribute conditions of traces as a best-first search heuristic.…”

mentioning

confidence: 99%

See 4 more Smart Citations

Challenges of Composing XACML Policies

Stepien

Felty

Matwin

2014

2014 Ninth International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

Abstract-XACML (eXtensible Access Control MarkupLanguage) is a declarative access control policy language that has unique language constructs for factoring out access control logic. These constructs make the specification of access control requirements more compact than decision trees, which can be considered the most natural way to specify access control logic. However, many publications report that performance of XACML policy decision point (PDP) engines is greatly affected by the structure of policy sets. In this paper we first explore the causes of potential inefficiencies of XACML policies, and then propose a procedure to re-structure policy sets vertically by modifying the distribution of access control logic among different configurations of structural elements, in order to remove much of this inefficiency. This is in contrast to horizontal re-ordering of constant structural elements. Our procedure can be applied regardless of the complexity and structure of the original policy set. We also compare the performance of policy sets that take advantage of the expressive power of XACML targets to decision trees.

show abstract

Section: B the Benefits Of Structuringmentioning

confidence: 99%

Section: B the Benefits Of Structuringmentioning

confidence: 99%

Section: A a Review Of Existing Restructuring Algorithms Andmentioning

confidence: 99%

Section: Figure 8: Xacml Decision Subtree For Effect Permitmentioning

confidence: 99%

mentioning

confidence: 99%

See 3 more Smart Citations

Challenges of Composing XACML Policies

Stepien

Felty

Matwin

2014

2014 Ninth International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

show abstract

Designing Efficient XACML Policies for RESTful Services

Hüffmeyer

Schreier

2016

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Idea: Efficient Evaluation of Access Control Constraints

Brucker¹,

Petritsch²

2010

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Business requirements for modern enterprise systems usually comprise a variety of dynamic constraints, i. e., constraints that require a complex set of context information only available at runtime. Thus, the efficient evaluation of dynamic constraints, e. g., expressing separation of duties requirements, becomes an important factor for the overall performance of the access control enforcement.In distributed systems, e. g., based on the service-oriented architecture (SOA), the time for evaluating access control constraints depends significantly on the protocol between the central Policy Decision Point (PDP) and the distributed Policy Enforcement Points (PEPs).In this paper, we present a policy-driven approach for generating customized protocol for the communication between the PDP and the PEPs. We provide a detailed comparison of several approaches for querying context information during the evaluation of access control constraints.

show abstract

Automated xacml policy reconfiguration for evaluation optimisation

Cited by 22 publications

References 11 publications

Challenges of Composing XACML Policies

Challenges of Composing XACML Policies

Designing Efficient XACML Policies for RESTful Services

Idea: Efficient Evaluation of Access Control Constraints

Contact Info

Product

Resources

About