Bridging the Gap between User Attributes and Service Policies with Attribute Mapping

People, companies, and public authorities now have a strong online presence and a huge number of interactions on the Internet, made possible by the impressive growth of the World Wide Web and of Web technologies. Many independent parties provide services and exchange information in a plural, dynamic, and open environment. This scenario, where interacting parties are often strangers, naturally leads to attribute-based access control solutions, as traditional identity-based systems are usually inadequate for large open environments. User attributes certified by external authorities, however, tend to be rather general-purpose and to reflect the user's point of view, so they often do not coincide with the concepts that are relevant to the service. In this paper we propose a framework to decouple the user's point of view and the service's point of view on user attributes: following our model, the service access control policy can focus on the concepts that are relevant to the service logic, whereas a separate attribute mapping policy establishes the bridge between the two domains.
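The decoupling described in the abstract, as an added illustration that is not the paper's own framework or code: a small attribute mapping layer derives service-level concepts (`adult`, `eu_resident`, `academic`) from attributes certified by external authorities, and the service access control policy is written only against those concepts. The issuer names, the EU country subset, the mapping rules, the policy, and the two sample users are all constructed here for illustration. The mapping rules are deliberately scoped to trusted issuers, so that a self-asserted attribute can never satisfy a concept, and a missing or malformed attribute simply fails to derive a concept, which under the default-deny policy grants nothing.

```python
"""Added example (not the paper's own code): an attribute-mapping layer that turns
user attributes certified by external authorities into the service-level
concepts an ABAC policy is written against. All names, issuers and sample
users below are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Set

Values = Dict[str, Set[str]]  # attribute name -> values asserted by trusted issuers


@dataclass(frozen=True)
class Attribute:
    """One attribute as certified by an external authority (for instance an
    attribute carried in a SAML assertion). `issuer` records who vouched for it."""
    name: str
    value: str
    issuer: str


@dataclass(frozen=True)
class MappingRule:
    """Attribute mapping policy entry: derive `concept` when `when` holds over
    the attributes issued by `trusted_issuers`. Other issuers are invisible
    to the rule, so a self-asserted attribute cannot satisfy it."""
    concept: str
    trusted_issuers: FrozenSet[str]
    when: Callable[[Values], bool]


def trusted_view(attrs: FrozenSet[Attribute], trusted: FrozenSet[str]) -> Values:
    """Restrict the user's attributes to those certified by trusted issuers."""
    view: Values = {}
    for a in attrs:
        if a.issuer in trusted:
            view.setdefault(a.name, set()).add(a.value)
    return view


def derive_concepts(attrs: FrozenSet[Attribute], rules) -> FrozenSet[str]:
    """User point of view -> service point of view."""
    concepts = set()
    for rule in rules:
        view = trusted_view(attrs, rule.trusted_issuers)
        try:
            if rule.when(view):
                concepts.add(rule.concept)
        except (KeyError, ValueError):
            # Attribute missing or malformed: the concept is not derived,
            # which under a default-deny policy means no access is gained.
            continue
    return frozenset(concepts)


def authorize(policy: Dict[str, FrozenSet[str]], resource: str,
              concepts: FrozenSet[str]) -> bool:
    """Service access control policy: a resource is granted only if every
    required concept was derived. Unknown resources are denied."""
    required = policy.get(resource)
    return required is not None and required <= concepts


def decide(attrs: FrozenSet[Attribute], rules, policy, resource: str) -> bool:
    """Full pipeline: certified attributes -> concepts -> access decision."""
    return authorize(policy, resource, derive_concepts(attrs, rules))


# --- constructed sample data (hypothetical issuers, countries, users) ------
IDP = "urn:idp:example-university"          # external authority we trust
SELF = "urn:self-asserted"                   # values typed in by the user
EU = frozenset({"AT", "BE", "DE", "ES", "FR", "IT", "NL"})  # constructed subset

MAPPING = (
    MappingRule("adult", frozenset({IDP}),
                lambda v: all(int(x) >= 18 for x in v["age"])),
    MappingRule("eu_resident", frozenset({IDP}),
                lambda v: v["country"] <= EU),
    MappingRule("academic", frozenset({IDP}),
                lambda v: v["affiliation_type"] == {"university"}),
)

# The service policy never mentions age, country or affiliation: only concepts.
POLICY = {
    "/dataset/eu-research": frozenset({"eu_resident", "academic"}),
    "/forum": frozenset({"adult"}),
}

ALICE = frozenset({
    Attribute("age", "20", IDP),
    Attribute("country", "IT", IDP),
    Attribute("affiliation_type", "university", IDP),
})
BOB = frozenset({
    Attribute("age", "25", SELF),            # not certified: ignored by mapping
    Attribute("country", "US", IDP),
    Attribute("affiliation_type", "university", IDP),
})

if __name__ == "__main__":
    for name, user in (("alice", ALICE), ("bob", BOB)):
        print(name, sorted(derive_concepts(user, MAPPING)),
              decide(user, MAPPING, POLICY, "/dataset/eu-research"))
```

Changing which external attributes count as `eu_resident` or `adult` touches only `MAPPING`; the service policy stays expressed in its own concepts, which is the separation the paper argues for.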
