DOI: 10.1145/1655121.1655130

Deductive policies with XACML

Published: 13 November 2009

Abstract

A SaaS offering may comprise a bundle of different services provided by different entities. Monolithic access policies are therefore not feasible, as each service partner and each company using the service would have to disclose the internal, potentially confidential rules on which it bases its policies. In addition, internal information such as a user's concrete position or affiliation with a specific project may be used in the policies and should not be provided to any external entity.
Deduction of decisions has been investigated for more than a decade, but no widely adopted standard has been defined so far. OASIS XACML is used in many applications and services today; tools for modelling policies are available, and many engineers share a common understanding of the approach. In this paper we present an extension of the XACML language that supports deduction of decisions together with a distributed definition of the policies, while avoiding problems known from current deductive policy languages.
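The abstract's motivating problem, distributed policy evaluation in which each partner keeps its attributes and rules to itself and exports only a decision, can be made concrete with a small model. The following is an added illustration written for this page; it is not the paper's XACML extension (which the page does not reproduce) and not XACML syntax. Two hypothetical partner decision points (`employer`, `saas-provider`), their subjects, attributes and rules are all constructed; the combining step uses the standard XACML deny-overrides algorithm, and the SaaS side only ever sends a subject identifier, resource and action and receives a decision back.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple

# XACML decision values (Indeterminate is omitted to keep the model short).
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# A rule sees the partner's local attributes for the subject plus resource/action.
Rule = Callable[[Dict[str, str], str, str], str]


@dataclass
class PartnerPDP:
    """Hypothetical decision point of one service partner.

    `attributes` (e.g. a user's position or project) and `rules` are
    confidential to this partner; only the resulting decision leaves it.
    """
    name: str
    attributes: Dict[str, Dict[str, str]]  # subject-id -> local attributes
    rules: List[Rule]

    def decide(self, subject_id: str, resource: str, action: str) -> str:
        attrs = self.attributes.get(subject_id, {})
        # first-applicable within the partner's own policy
        for rule in self.rules:
            decision = rule(attrs, resource, action)
            if decision != NOT_APPLICABLE:
                return decision
        return NOT_APPLICABLE


def deny_overrides(decisions: Iterable[str]) -> str:
    """XACML deny-overrides combining: any Deny wins, then any Permit."""
    decisions = list(decisions)
    if DENY in decisions:
        return DENY
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE


def federated_decision(partners: List[PartnerPDP], subject_id: str,
                       resource: str, action: str) -> Tuple[str, Dict[str, str]]:
    """The SaaS sends only (subject-id, resource, action) to every partner and
    combines the returned decisions; partner attributes never reach it."""
    per_partner = {p.name: p.decide(subject_id, resource, action) for p in partners}
    return deny_overrides(per_partner.values()), per_partner


# --- constructed sample data (assumed, not from the paper) --------------------
def employer_project_rule(attrs: Dict[str, str], resource: str, action: str) -> str:
    # permit managers/leads to read the reports of their own project
    if (resource == "reports/" + attrs.get("project", "")
            and action == "read"
            and attrs.get("position") in ("manager", "lead")):
        return PERMIT
    return NOT_APPLICABLE


def provider_subscription_rule(attrs: Dict[str, str], resource: str, action: str) -> str:
    # deny everything for subjects whose subscription is known and not active
    if attrs.get("subscription") not in (None, "active"):
        return DENY
    return NOT_APPLICABLE


EMPLOYER = PartnerPDP("employer", {
    "alice": {"position": "manager", "project": "p42"},
    "bob": {"position": "engineer", "project": "p42"},
    "carol": {"position": "lead", "project": "p42"},
}, [employer_project_rule])

PROVIDER = PartnerPDP("saas-provider", {
    "carol": {"subscription": "suspended"},
}, [provider_subscription_rule])

PARTNERS = [EMPLOYER, PROVIDER]

if __name__ == "__main__":
    for subject in ("alice", "bob", "carol"):
        final, parts = federated_decision(PARTNERS, subject, "reports/p42", "read")
        print(f"{subject}: {final}  {parts}")
```

Running it gives Permit for alice (employer Permit, provider NotApplicable), NotApplicable for bob (no partner has an applicable rule; a deny-biased PEP would refuse the request), and Deny for carol, where the provider's Deny overrides the employer's Permit. Note the residual leak a practitioner should keep in mind: even though no attribute leaves a partner, each returned decision still reveals one bit about the confidential rules and attributes per query.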


Cited By

  • ANNPDP: An Efficient and Stable Evaluation Engine for Large-Scale Policy Sets. IEEE Transactions on Services Computing 15(4):1926-1939, 1 July 2022. doi:10.1109/TSC.2020.3026138
  • Policychain: A Decentralized Authorization Service With Script-Driven Policy on Blockchain for Internet of Things. IEEE Internet of Things Journal 9(7):5391-5409, 1 April 2022. doi:10.1109/JIOT.2021.3109147
  • An efficient density peak cluster algorithm for improving policy evaluation performance. Scientific Reports 12(1), 23 March 2022. doi:10.1038/s41598-022-08637-8
  • Managing XACML systems in distributed environments through Meta-Policies. Computers and Security 48(C):92-115, 1 February 2015. doi:10.1016/j.cose.2014.10.004
  • Federated Authorization for Software-as-a-Service Applications. On the Move to Meaningful Internet Systems: OTM 2013 Conferences, pages 342-359, 2013. doi:10.1007/978-3-642-41030-7_25
  • Authorization Language for Inter-Enterprise. Enterprise Interoperability, pages 103-109, 21 January 2013. doi:10.1002/9781118561942.ch16


Published In

SWS '09: Proceedings of the 2009 ACM workshop on Secure web services
November 2009
70 pages
ISBN:9781605587899
DOI:10.1145/1655121
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. deduction
  2. xacml

Qualifiers

  • Research-article

Conference

CCS '09
