Advantages of a non-technical XACML notation in role-based models

As applications requiring access control, and the environments in which they operate, become more complex, an acute need for better ways to manage access control rules has arisen. Decentralized access control, for example, requires sophisticated techniques for conflict detection and for managing rules across multiple applications with different rule formats. XACML is an OASIS standard whose interoperability qualities help in solving the latter problem. XACML has its own limitations, however. In particular, although it has the expressive power to specify very complex conditions such as those needed in the ABAC (Attribute Based Access Control) model, users tend to avoid using its full power because of its verbosity. In this paper, we show how a non-technical notation we proposed in our earlier work resolves this difficulty and lets users work with a very compact and readable form of XACML rules, thus allowing them to take advantage of XACML's full expressive power. This expressive power can be exploited to write policies that are better organized. It can be easier, for example, to write a single, possibly complex, rule to cover a particular aspect of a policy than to distribute the complexity over several rules with simpler conditions. As a result, policies are smaller, more compact, and easier to understand. Policy development becomes more manageable, allowing users to concentrate on the more central issue of choosing the model (RBAC, ABAC, PBAC or other) that is best suited to a particular application and policy. We show that using the full expressive power to better organize policies has a significant positive impact on PDP (Policy Decision Point) performance.
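The contrast the abstract draws between one compound rule and several simpler rules can be made concrete with a small script. The example below is added here and is not code from the paper or its authors: the compact tuple notation (`eq`, `same`, `and`, `or`, `not`) is a hypothetical stand-in for the authors' display notation, the department names and requests are constructed sample data, and the "rules evaluated" count returned by the toy first-applicable PDP is only a rough illustration of why a single well-organised rule can be cheaper to evaluate, not the paper's measurement. The function and category identifiers are the standard XACML ones; the generated markup omits the `xmlns` declaration and the enclosing `<Rule>` element.

```python
"""Added illustration: a hypothetical compact condition notation rendered as
XACML 3.0 <Condition> markup, plus a toy first-applicable PDP used to compare
one compound rule with the several simpler rules it would otherwise become."""
import xml.etree.ElementTree as ET

FN = "urn:oasis:names:tc:xacml:1.0:function:"      # standard XACML function prefix
STRING = "http://www.w3.org/2001/XMLSchema#string"
CATEGORY = {                                       # standard XACML 3.0 categories
    "subject": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
    "resource": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
}
DEPTS = ["loans", "savings", "cards"]              # constructed sample departments

# Hypothetical compact notation (not the paper's own):
#   ("eq", "<category>:<attribute>", "<literal>")
#   ("same", "<category>:<attribute>", "<category>:<attribute>")
#   ("and" | "or", cond, cond, ...)   and   ("not", cond)
COMPACT_RULE = ("and",
                ("eq", "subject:role", "clerk"),
                ("same", "subject:dept", "resource:dept"),
                ("eq", "resource:type", "account-summary"))

# The same policy without attribute-to-attribute comparison: one rule per department.
EXPANDED_RULES = [("and",
                   ("eq", "subject:role", "clerk"),
                   ("eq", "subject:dept", d),
                   ("eq", "resource:dept", d),
                   ("eq", "resource:type", "account-summary")) for d in DEPTS]


def to_text(cond):
    """Readable, non-technical rendering of a compact condition."""
    op = cond[0]
    if op == "eq":
        return f'{cond[1]} is "{cond[2]}"'
    if op == "same":
        return f"{cond[1]} is the same as {cond[2]}"
    if op == "not":
        return f"not ({to_text(cond[1])})"
    return f" {op} ".join(f"({to_text(c)})" if c[0] in ("and", "or") else to_text(c)
                          for c in cond[1:])


def _designator(parent, qualified):
    """Append <Apply string-one-and-only><AttributeDesignator/></Apply> for 'cat:attr'."""
    category, attr = qualified.split(":", 1)
    one = ET.SubElement(parent, "Apply", FunctionId=FN + "string-one-and-only")
    ET.SubElement(one, "AttributeDesignator", Category=CATEGORY[category],
                  AttributeId=attr, DataType=STRING, MustBePresent="false")


def _apply(cond):
    """Build the nested <Apply> tree for one compact condition."""
    op = cond[0]
    if op in ("eq", "same"):
        apply = ET.Element("Apply", FunctionId=FN + "string-equal")
        _designator(apply, cond[1])
        if op == "same":
            _designator(apply, cond[2])
        else:
            ET.SubElement(apply, "AttributeValue", DataType=STRING).text = cond[2]
        return apply
    apply = ET.Element("Apply", FunctionId=FN + op)   # and / or / not
    for sub in cond[1:]:
        apply.append(_apply(sub))
    return apply


def to_xacml(cond):
    """Serialise a compact condition as an indented XACML <Condition> element."""
    condition = ET.Element("Condition")
    condition.append(_apply(cond))
    ET.indent(condition)
    return ET.tostring(condition, encoding="unicode")


def evaluate(cond, request):
    """Evaluate a compact condition against a request dict {'cat:attr': value}."""
    op = cond[0]
    if op == "eq":
        return request.get(cond[1]) == cond[2]
    if op == "same":
        return cond[1] in request and request.get(cond[1]) == request.get(cond[2])
    if op == "and":
        return all(evaluate(c, request) for c in cond[1:])
    if op == "or":
        return any(evaluate(c, request) for c in cond[1:])
    if op == "not":
        return not evaluate(cond[1], request)
    raise ValueError(f"unknown operator {op!r}")


def decide(rules, request):
    """Toy first-applicable PDP where every rule permits.
    Returns (decision, number of rule conditions evaluated)."""
    for n, rule in enumerate(rules, start=1):
        if evaluate(rule, request):
            return "Permit", n
    return "NotApplicable", len(rules)


if __name__ == "__main__":
    req = {"subject:role": "clerk", "subject:dept": "cards",
           "resource:dept": "cards", "resource:type": "account-summary"}
    print(to_text(COMPACT_RULE))
    print(to_xacml(COMPACT_RULE))
    print(decide([COMPACT_RULE], req), decide(EXPANDED_RULES, req))
```

Running it shows the point in miniature: the compact rule is one readable line and 24 lines of XACML, while the three expanded rules total 84 lines of XACML and, for a clerk in the last department listed, the toy PDP evaluates three rule conditions instead of one, although both policies reach the same decision on every request.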
