In-Memory Policy Indexing for Policy Retrieval Points in Attribute-Based Access Control

Attribute-Based Access Control (ABAC) systems use machine-readable rules to make access control decisions. Rules are collected in documents called policies or policy sets, which are expressed in a specific policy language such as XACML, ALFA, or SAPL. In systems implementing the ABAC reference architecture, policy documents are persisted in a Policy Retrieval Point (PRP). This paper addresses the problem of efficiently retrieving from the PRP the policy documents applicable to a given authorization request (or subscription). Applicability is determined by a specific section of the document, commonly called the target expression. The target expression consists of matching conditions, more precisely Boolean expressions over request (or subscription) data. This paper presents a novel in-memory data structure for indexing policy documents. The index allows documents matching a given authorization request to be retrieved more efficiently from a large set of policies. The empirical evaluation demonstrates that the proposed algorithm can reduce policy retrieval time in PRPs by up to 98%, depending on the structure of the policies.
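To make the retrieval problem concrete, the following is an added illustration and not the paper's data structure (the abstract does not detail it) nor code from any of the named policy engines. It assumes a deliberately narrow target language: each target is a conjunction of equality predicates on request attributes, and each request attribute has exactly one value. Under that assumption a counting inverted index, keyed by predicate, finds the applicable policies by touching only the posting lists the request can satisfy, instead of evaluating every target. Real target expressions in XACML or SAPL are richer Boolean expressions, which is precisely what a general PRP index has to handle; the policy names and attribute names below are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Set, Tuple

# A predicate is an equality test on one request attribute, e.g. ("action", "read").
Predicate = Tuple[str, str]


@dataclass(frozen=True)
class Policy:
    """A policy document reduced to its name and its target expression.

    Simplification for this example: the target is a conjunction of equality
    predicates, and an empty target applies to every request.
    """
    name: str
    target: FrozenSet[Predicate]


class PolicyIndex:
    """Hypothetical in-memory PRP index: a counting inverted index over targets."""

    def __init__(self) -> None:
        # predicate -> names of policies whose target contains that predicate
        self._postings: Dict[Predicate, Set[str]] = defaultdict(set)
        # policy name -> number of predicates that must all be satisfied
        self._required: Dict[str, int] = {}
        # policies with an empty target: applicable to every request
        self._always: Set[str] = set()

    def add(self, policy: Policy) -> None:
        if policy.name in self._required or policy.name in self._always:
            raise ValueError(f"duplicate policy name: {policy.name}")
        if not policy.target:
            self._always.add(policy.name)
            return
        self._required[policy.name] = len(policy.target)
        for predicate in policy.target:
            self._postings[predicate].add(policy.name)

    def retrieve(self, request: Dict[str, str]) -> Tuple[Set[str], int]:
        """Return (names of applicable policies, number of posting entries touched).

        Only postings for predicates the request actually satisfies are visited,
        so the work grows with those posting lists, not with the total number of
        policies. A policy is applicable once every one of its predicates was
        hit; because a request carries one value per attribute, a target with
        contradictory predicates on the same attribute never reaches its count.
        """
        hits: Dict[str, int] = defaultdict(int)
        touched = 0
        for attribute, value in request.items():
            # .get() on the defaultdict avoids creating empty posting lists
            for name in self._postings.get((attribute, value), ()):
                hits[name] += 1
                touched += 1
        applicable = {name for name, n in hits.items() if n == self._required[name]}
        return applicable | self._always, touched


def linear_scan(policies: Iterable[Policy], request: Dict[str, str]) -> Set[str]:
    """Reference implementation: evaluate every target against the request."""
    return {
        p.name
        for p in policies
        if all(request.get(attr) == value for attr, value in p.target)
    }


# Constructed sample policy set (not taken from the paper).
SAMPLE_POLICIES = [
    Policy("read-documents", frozenset({("action", "read"), ("resource.type", "document")})),
    Policy("write-documents", frozenset({("action", "write"), ("resource.type", "document")})),
    Policy("read-images", frozenset({("action", "read"), ("resource.type", "image")})),
    Policy("admin-everything", frozenset({("subject.role", "admin")})),
    Policy("contradictory", frozenset({("action", "read"), ("action", "write")})),
    Policy("default-deny", frozenset()),
]


def build_index(policies: Iterable[Policy] = SAMPLE_POLICIES) -> PolicyIndex:
    index = PolicyIndex()
    for p in policies:
        index.add(p)
    return index


if __name__ == "__main__":
    index = build_index()
    request = {"subject.role": "user", "action": "read", "resource.type": "document"}
    applicable, touched = index.retrieve(request)
    assert applicable == linear_scan(SAMPLE_POLICIES, request)
    print(sorted(applicable), "touched", touched, "postings for", len(SAMPLE_POLICIES), "policies")
```

The index and the linear scan must agree on every request; the difference is only in how much of the policy set is examined. For the sample request, five posting entries are visited and three of the six policies are never looked at, which is the kind of saving the paper measures, here on a toy scale and for a far simpler target language.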
