The OPL Access Control Policy Language

Existing policy languages suffer from a limited ability of directly and elegantly expressing high-level access control principles such as history-based separation of duty [22], binding of duty [26], context constraints [24], Chinese wall properties [10], and obligations [20]. It is often difficult to extend a language in order to retrofit these features once required or it is necessary to use complicated and complex language constructs to express such concepts. The latter, however, is cumbersome and error-prone for humans dealing with policy administration. We present the flexible policy language OPL that can represent a wide range of access control principles in XML directly, by providing dedicated language constructs for each supported principle. It can be easily extended with further principles if necessary. OPL is based on a module concept, and it can easily cope with the language complexity that usually comes with a growing expressiveness. OPL is suitable to be used in an enterprise environment, since it combines the required expressiveness with the simplicity necessary for an appropriate administration.

[1]  Karsten Sohr,et al.  Implementing Advanced RBAC Administration Functionality with USE , 2008, Electron. Commun. Eur. Assoc. Softw. Sci. Technol..

[2]  Emil C. Lupu,et al.  The Ponder Policy Specification Language , 2001, POLICY.

[3]  Marek J. Sergot,et al.  A logic-based calculus of events , 1989, New Generation Computing.

[4]  Elisa Bertino,et al.  TRBAC: a temporal role-based access control model , 2000, RBAC '00.

[5]  Nicodemos Constantinou Damianou,et al.  A policy framework for management of distributed systems , 2002 .

[6]  Akhil Kumar,et al.  W-RBAC - A Workflow Security Model Incorporating Controlled Overriding of Constraints , 2003, Int. J. Cooperative Inf. Syst..

[7]  D. B. Davis,et al.  Sun Microsystems Inc. , 1993 .

[8]  Christopher Alm,et al.  An Extensible Framework for Specifying and Reasoning About Complex Role-Based Access Control Models ? , 2009 .

[9]  Mark Strembeck,et al.  An integrated approach to engineer and enforce context constraints in RBAC environments , 2004, TSEC.

[10]  Andreas Schaad,et al.  A model-checking approach to analysing organisational controls in a loan origination process , 2006, SACMAT '06.

[11]  Eduardo B. Fernández,et al.  Patterns and Pattern Diagrams for Access Control , 2008, TrustBus.

[12]  Elisa Bertino,et al.  X-GTRBAC: an XML-based policy specification framework and architecture for enterprise-wide access control , 2005, TSEC.

[13]  Andreas Matheus,et al.  How to Declare Access Control Policies for XML Structured Information Objects using OASIS' eXtensible Access Control Markup Language (XACML) , 2005, Proceedings of the 38th Annual Hawaii International Conference on System Sciences.

[14]  Ramaswamy Chandramouli,et al.  The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics Platforms , 2001, ACM Trans. Inf. Syst. Secur..

[15]  Graeme Smith,et al.  The Object-Z Specification Language , 1999, Advances in Formal Methods.

[16]  Robert Biddle,et al.  Even Experts Deserve Usable Security: Design guidelines for security management systems , 2007 .

[17]  Vijayalakshmi Atluri,et al.  Role-based Access Control , 1992 .

[18]  Dennis G. Kafura,et al.  First experiences using XACML for access control in distributed systems , 2003, XMLSEC '03.

[19]  Michael J. Nash,et al.  The Chinese Wall security policy , 1989, Proceedings. 1989 IEEE Symposium on Security and Privacy.

[20]  Mary Ellen Zurko,et al.  A user-centered, modular authorization service built on an RBAC foundation , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[21]  Emil C. Lupu,et al.  Conflicts in Policy-Based Distributed Systems Management , 1999, IEEE Trans. Software Eng..

[22]  Tim Moses,et al.  EXtensible Access Control Markup Language (XACML) version 1 , 2003 .

[23]  Jorge Lobo,et al.  Policies for Distributed Systems and Networks , 2001, Lecture Notes in Computer Science.

[24]  Arosha K. Bandara A formal approach to analysis and refinement of policies , 2005 .