Article

Cassandra: Distributed Access Control Policies with Tunable Expressiveness

POLICY '04: Proceedings of the Fifth IEEE International Workshop on Policies for Distributed Systems and Networks

Page 159

Published: 07 June 2004 Publication History

Abstract

We study the specification of access control policy inlarge-scale distributed systems. Our work on real-worldpolicies has shown that standard policy idioms such as rolehierarchy or role delegation occur in practice in many subtle variants. A policy specification language should therefore be able to express this variety of features smoothly,rather than add them as specific features in an ad hoc way,as is the case in many existing languages.We present Cassandra, a role-based trust managementsystem with an elegant and readable policy specificationlanguage based on Datalog with constraints. The expressiveness (and computational complexity) of the languagecan be adjusted by choosing an appropriate constraint domain. With just five special predicates, we can easily express a wide range of policies including role hierarchy,role delegation, separation of duties, cascading revocation, automatic credential discovery and trust negotiation. Cassandra has a formal semantics for query evaluation andfor the access control enforcement engine. We use a goal-oriented distributed policy evaluation algorithm that is efficient and guarantees termination. Initial performance results for our prototype implementation have been promising.

Cited By

View all

Maier DTekle KKifer MWarren D(2018)DatalogDeclarative Logic Programming10.1145/3191315.3191317(3-100)Online publication date: 1-Sep-2018
https://dl.acm.org/doi/10.1145/3191315.3191317
Karumanchi SLi JSquicciarini ABertino ESandhu RPretschner A(2016)Efficient Network Path Verification for Policy-routedQueriesProceedings of the Sixth ACM Conference on Data and Application Security and Privacy10.1145/2857705.2857715(319-328)Online publication date: 9-Mar-2016
https://dl.acm.org/doi/10.1145/2857705.2857715
Yu YAfanasyev AClark Dclaffy kJacobson VZhang LSolis ICarzaniga ARamakrishnan K(2015)Schematizing Trust in Named Data NetworkingProceedings of the 2nd ACM Conference on Information-Centric Networking10.1145/2810156.2810170(177-186)Online publication date: 30-Sep-2015
https://dl.acm.org/doi/10.1145/2810156.2810170
Show More Cited By

Index Terms

Cassandra: Distributed Access Control Policies with Tunable Expressiveness

Recommendations

Cassandra: Flexible Trust Management, Applied to Electronic Health Records
CSFW '04: Proceedings of the 17th IEEE workshop on Computer Security Foundations

We study the specification of access control policy inlarge-scale distributed systems. We present Cassandra, alanguage and system for expressing policy, and the resultsof a substantial case study, a security policy for a nationalElectronic Health Record ...
PBDM: a flexible delegation model in RBAC
SACMAT '03: Proceedings of the eighth ACM symposium on Access control models and technologies

Role-based access control (RBAC) is recognized as an efficient access control model for large organizations. Most organizations have some business rules related to access control policy. Delegation of authority is among these rules. RBDM0 and RDM2000 ...
Session-aware rbac administration, delegation, and enforcement with xacml

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

POLICY '04: Proceedings of the Fifth IEEE International Workshop on Policies for Distributed Systems and Networks

June 2004

ISBN:076952141X

Publisher

IEEE Computer Society

United States

Publication History

Published: 07 June 2004

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

54
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 22 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Maier DTekle KKifer MWarren D(2018)DatalogDeclarative Logic Programming10.1145/3191315.3191317(3-100)Online publication date: 1-Sep-2018
https://dl.acm.org/doi/10.1145/3191315.3191317
Karumanchi SLi JSquicciarini ABertino ESandhu RPretschner A(2016)Efficient Network Path Verification for Policy-routedQueriesProceedings of the Sixth ACM Conference on Data and Application Security and Privacy10.1145/2857705.2857715(319-328)Online publication date: 9-Mar-2016
https://dl.acm.org/doi/10.1145/2857705.2857715
Yu YAfanasyev AClark Dclaffy kJacobson VZhang LSolis ICarzaniga ARamakrishnan K(2015)Schematizing Trust in Named Data NetworkingProceedings of the 2nd ACM Conference on Information-Centric Networking10.1145/2810156.2810170(177-186)Online publication date: 30-Sep-2015
https://dl.acm.org/doi/10.1145/2810156.2810170
Pushkar AGhosh NGhosh S(2015)A Statistical Approach to Detect Anomalous User Requests in SaaS Cloud-Centric CollaborationsProceedings of the 11th International Conference on Information Systems Security - Volume 947810.1007/978-3-319-26961-0_15(243-262)Online publication date: 16-Dec-2015
https://dl.acm.org/doi/10.1007/978-3-319-26961-0_15
Arkoudas KChadha RChiang J(2014)Sophisticated Access Control via SMT and Logical FrameworksACM Transactions on Information and System Security10.1145/259522216:4(1-31)Online publication date: 1-Apr-2014
https://dl.acm.org/doi/10.1145/2595222
Baquero AJalote PBriand LHoek A(2014)COASTmed: software architectures for delivering customizable, policy-based differential web servicesCompanion Proceedings of the 36th International Conference on Software Engineering10.1145/2591062.2591083(634-637)Online publication date: 31-May-2014
https://dl.acm.org/doi/10.1145/2591062.2591083
Hirsch AClarkson MSadeghi AGligor VYung M(2013)Belief semantics of authorization logicProceedings of the 2013 ACM SIGSAC conference on Computer & communications security10.1145/2508859.2516667(561-572)Online publication date: 4-Nov-2013
https://dl.acm.org/doi/10.1145/2508859.2516667
Bertolissi CUttha WMight MVan Horn DGiacobazzi RAbel ASheard T(2013)Automated analysis of rule-based access control policiesProceedings of the 7th workshop on Programming languages meets program verification10.1145/2428116.2428125(47-56)Online publication date: 22-Jan-2013
https://dl.acm.org/doi/10.1145/2428116.2428125
Liu XTang SHuang QYu Z(2013)An ontology-based approach to automated trust negotiationComputer Standards & Interfaces10.1016/j.csi.2013.03.00336:1(219-230)Online publication date: 1-Nov-2013
https://dl.acm.org/doi/10.1016/j.csi.2013.03.003
Becker M(2012)Information flow in trust management systemsJournal of Computer Security10.5555/2595038.259504120:6(677-708)Online publication date: 1-Nov-2012
https://dl.acm.org/doi/10.5555/2595038.2595041
Show More Cited By

Abstract

Cited By

Index Terms

Recommendations

Cassandra: Flexible Trust Management, Applied to Electronic Health Records

PBDM: a flexible delegation model in RBAC

Session-aware rbac administration, delegation, and enforcement with xacml

Comments

Information

Published In

Publisher

Publication History

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Figures

Other

Share

Share this Publication link

Share on social media