First experiences using XACML for access control in distributed systems

Authorization systems today are increasingly complex. They span domains of administration, rely on many different authentication sources, and manage permissions that can be as complex as the system itself. Worse still, while there are many standards that define authentication mechanisms, the standards that address authorization are less well defined and tend to work only within homogeneous systems. This paper presents XACML, a standard access control language, as one component of a distributed and inter-operable authorization framework. Several emerging systems which incorporate XACML are discussed. These discussions illustrate how authorization can be deployed in distributed, decentralized systems. Finally, some new and future topics are presented to show where this work is heading and how it will help connect the general components of an authorization system.

[1]  D. Box,et al.  Simple object access protocol (SOAP) 1.1 , 2000 .

[2]  Ninghui Li,et al.  Protecting sensitive attributes in automated trust negotiation , 2002, WPES '02.

[3]  David W. Chadwick,et al.  The PERMIS X.509 role based privilege management infrastructure , 2002, SACMAT '02.

[4]  C. Goh Policy Management Requirements , 1998 .

[5]  Srilekha Mudumbai,et al.  Certificate-based authorization policy in a PKI environment , 2003, TSEC.

[6]  Jim Boyle,et al.  Accept-Ranges : bytes Content-Length : 55967 Connection : close Content-Type : text / plain Internet Draft , 2012 .

[7]  Mark Bartel,et al.  Xml-Signature Syntax and Processing , 2000 .

[8]  Tim Moses,et al.  EXtensible Access Control Markup Language (XACML) version 1 , 2003 .

[9]  Dennis G. Kafura,et al.  The PRIMA system for privilege management, authorization and enforcement in grid environments , 2003, Proceedings. First Latin American Web Congress.

[10]  Marianne Winslett,et al.  Protecting Privacy during On-Line Trust Negotiation , 2002, Privacy Enhancing Technologies.

[11]  Dennis G. Kafura,et al.  Supporting Secure Ad-hoc User Collaboration in Grid Environments , 2002, GRID.

[12]  Jeff Hodges,et al.  Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V2. 0 , 2001 .

[13]  Roch Guérin,et al.  A Framework for Policy-based Admission Control , 2000, RFC.

[14]  Ian T. Foster,et al.  A community authorization service for group collaboration , 2002, Proceedings Third International Workshop on Policies for Distributed Systems and Networks.

[15]  Ian T. Foster,et al.  The anatomy of the grid: enabling scalable virtual organizations , 2001, Proceedings First IEEE/ACM International Symposium on Cluster Computing and the Grid.