Access control policy combining
- 3 June 2009
- conference paper
- conference paper
- Published by Association for Computing Machinery (ACM)
- p. 135-144
- https://doi.org/10.1145/1542207.1542229
Abstract
Many access control policy languages, e.g., XACML, allow a policy to contain multiple sub-policies, and the result of the policy on a request is determined by combining the results of the sub-policies according to some policy combining algorithms (PCAs). Existing access control policy languages, however, do not provide a formal language for specifying PCAs. As a result, it is difficult to extend them with new PCAs. While several formal policy combining algebras have been proposed, they did not address important practical issues such as policy evaluation errors and obligations; furthermore, they cannot express PCAs that consider all sub-policies as a whole (e.g., weak majority or strong majority). We propose a policy combining language PCL, which can succinctly and precisely express a variety of PCAs. PCL represents an advancement both in terms of theory and practice. It is based on automata theory and linear constraints, and is more expressive than existing approaches. We have implemented PCL and integrated it with SUN's XACML implementation. With PCL, a policy evaluation engine only needs to understand PCL to evaluate any PCA specified in it.Keywords
This publication has 15 references indexed in Scilit:
- A simple and expressive semantic framework for policy composition in access controlPublished by Association for Computing Machinery (ACM) ,2007
- A fault model and mutation testing of access control policiesPublished by Association for Computing Machinery (ACM) ,2007
- XACML policy integration algorithmsPublished by Association for Computing Machinery (ACM) ,2006
- Verification and change-impact analysis of access-control policiesPublished by Association for Computing Machinery (ACM) ,2005
- An Incremental and Layered Procedure for the Satisfiability of Linear Arithmetic LogicLecture Notes in Computer Science, 2005
- An Algebra for Composing Enterprise Privacy PoliciesLecture Notes in Computer Science, 2004
- A propositional policy algebra for access controlACM Transactions on Information and System Security, 2003
- An algebra for composing access control policiesACM Transactions on Information and System Security, 2002
- Enforceable security policiesACM Transactions on Information and System Security, 2000
- A Useful Four-Valued LogicPublished by Springer Science and Business Media LLC ,1977