Formalisation and Implementation of the XACML Access Control Mechanism

Abstract: Abstract. We propose a formal account of XACML, an OASIS standard adhering to the Policy Based Access Control model for the specification and enforcement of access control policies. To clarify all ambiguous and intricate aspects of XACML, we provide it with a more manageable alternative syntax and with a solid semantic ground. This lays the basis for developing tools and methodologies which allow software engineers to easily and precisely regulate access to resources using policies. To demonstrate feasibility … Show more

“…The Formal Access Control Policy Language (FACPL) [12], which we describe in this section, provides a manageable alternative syntax to XACML through a BNF-like grammar. FACPL syntax is reported in Table 1.…”

“…A disciplined use of structured names and the three logical operators permits properly expressing XACML targets. For further details on this topic, the reader is referred to our previous work [12].…”

“…it is defined by a function [[·]]R that, given a policy/policySet and a set R of access requests, returns a decision tuple of the form where R is partitioned into Rm, Rn and Ri according to the results of the target evaluation. We refer the interested reader to [12] for a full account of the FACPL semantics.…”

“…This tool "compiles" a policy written in the syntax presented in Sec. 3.3 into a Java class following the semantics rules defined in [12]. Thus, a repository storing some policies, and the related PDP, consists of a Java archive containing all the Java classes generated from the policies.…”

“…UWE is already equipped with tools for policy editing. We then automate the policy development process towards a formally founded language (called FACPL [12]) by means of a suitable software toolchain, comprising the transformations UWE2XACML and XACML2FACPL. The former transformation enables the possibility of integrating into the toolchain other software tools, e.g.…”

Towards model-driven development of access control policies for web applications

“…The Formal Access Control Policy Language (FACPL) [12], which we describe in this section, provides a manageable alternative syntax to XACML through a BNF-like grammar. FACPL syntax is reported in Table 1.…”

“…A disciplined use of structured names and the three logical operators permits properly expressing XACML targets. For further details on this topic, the reader is referred to our previous work [12].…”

“…it is defined by a function [[·]]R that, given a policy/policySet and a set R of access requests, returns a decision tuple of the form where R is partitioned into Rm, Rn and Ri according to the results of the target evaluation. We refer the interested reader to [12] for a full account of the FACPL semantics.…”

“…This tool "compiles" a policy written in the syntax presented in Sec. 3.3 into a Java class following the semantics rules defined in [12]. Thus, a repository storing some policies, and the related PDP, consists of a Java archive containing all the Java classes generated from the policies.…”

“…UWE is already equipped with tools for policy editing. We then automate the policy development process towards a formally founded language (called FACPL [12]) by means of a suitable software toolchain, comprising the transformations UWE2XACML and XACML2FACPL. The former transformation enables the possibility of integrating into the toolchain other software tools, e.g.…”

Towards model-driven development of access control policies for web applications

Modeling Security Features of Web Applications

Developing and Enforcing Policies for Access Control, Resource Usage, and Adaptation