Challenges of Composing XACML Policies

XACML (eXtensible Access Control Markup Language) is a declarative access control policy language that has unique language constructs for factoring out access control logic. These constructs make the specification of access control requirements more compact than decision trees, which can be considered the most natural way to specify access control logic. However, many publications report that the performance of XACML policy decision point (PDP) engines is greatly affected by the structure of policy sets. In this paper we first explore the causes of potential inefficiencies of XACML policies, and then propose a procedure to re-structure policy sets vertically by modifying the distribution of access control logic among different configurations of structural elements, in order to remove much of this inefficiency. This is in contrast to horizontal re-ordering of constant structural elements. Our procedure can be applied regardless of the complexity and structure of the original policy set. We also compare the performance of policy sets that take advantage of the expressive power of XACML targets with that of decision trees.
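As an added illustration (not the paper's own code or procedure), the toy first-applicable PDP below counts target attribute comparisons for a flat policy against the same access logic restructured vertically, with the role factored into per-policy targets so that a failed target prunes the subtree beneath it. The attribute names, roles, actions and permitted pairs are constructed for the example, and combining algorithms other than first-applicable are left out.

```python
from dataclasses import dataclass
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass
class Node:                 # XACML Rule when effect is set, Policy/PolicySet otherwise
    target: dict            # attr -> set of acceptable values; {} matches any request
    effect: str = None      # Permit/Deny on a Rule (leaf)
    children: tuple = ()    # child Rules/Policies, evaluated first-applicable

def target_matches(target, request, stats):
    """Every target attribute must match; each attribute test is counted."""
    for attr, allowed in target.items():
        stats["comparisons"] += 1
        if request.get(attr) not in allowed:
            return False
    return True

def evaluate(node, request, stats=None):
    """First-applicable PDP: a failed target prunes the whole subtree."""
    if stats is None:
        stats = {"comparisons": 0}
    if not target_matches(node.target, request, stats):
        return NOT_APPLICABLE, stats
    if node.effect is not None:
        return node.effect, stats
    for child in node.children:
        decision, _ = evaluate(child, request, stats)
        if decision != NOT_APPLICABLE:
            return decision, stats
    return NOT_APPLICABLE, stats

# Constructed sample: 3 roles x 3 actions, permitted pairs listed explicitly
ROLES, ACTIONS = ["nurse", "doctor", "admin"], ["read", "write", "delete"]
ALLOWED = {("nurse", "read"), ("doctor", "read"), ("doctor", "write"), ("admin", "delete")}
def effect(r, a):
    return PERMIT if (r, a) in ALLOWED else DENY
# Flat: every Rule repeats the full (role AND action) conjunction in its target
FLAT = Node({}, children=[Node({"role": {r}, "action": {a}}, effect(r, a))
                          for r in ROLES for a in ACTIONS])
# Vertically restructured: role factored into a per-role Policy target,
# so each leaf Rule tests only the action
NESTED = Node({}, children=[Node({"role": {r}}, children=[Node({"action": {a}}, effect(r, a))
                                                         for a in ACTIONS]) for r in ROLES])
def compare(request):
    """Same decision from both structures; return it with both comparison counts."""
    d1, s1 = evaluate(FLAT, request)
    d2, s2 = evaluate(NESTED, request)
    assert d1 == d2
    return d1, s1["comparisons"], s2["comparisons"]
```

The decisions are identical by construction; only the number of target evaluations changes, which is the cost the abstract attributes to policy-set structure.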
