Policy-based authorization systems are becoming more common as information systems become larger and more complex. In these systems, to authorize a requester to access a particular resource, the authorization system must verify that the policy authorizes the access. The overall authorization policy may consist of a number of policy groups, where each group consists of policies defined by different entities. Each policy contains a number of authorization rules. The access request is evaluated against these policies, which may produce conflicting authorization decisions. To resolve these conflicts and to reach a unique decision for the access request at the rule and policy level, rule and policy combination algorithms are used. In current systems, these rule and policy combination algorithms are defined statically during policy composition, which is not desirable in dynamic systems with fast-changing environments. In this paper, we motivate the need for changing the rule and policy combination algorithms dynamically based on contextual information. We propose a framework that supports this functionality and also eliminates the need to recompose policies if the owner decides to change the combination algorithm. It provides a novel method to dynamically add and remove specialized policies, while retaining the clarity and modularity of the policies. The proposed framework also provides a mechanism to reduce the set of potential target matches, thereby increasing the efficiency of the evaluation mechanism. We developed a prototype system to demonstrate the usefulness of this framework by extending some basic capabilities of the XACML policy language. We implemented these enhancements by adding two specialized modules and several new combination algorithms to the Sun XACML engine.
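The difference between a statically bound combining algorithm and one chosen from context at evaluation time can be seen in a small sketch; this is an added example, not code from the paper or from the Sun XACML engine. The rule set, the `emergency` context attribute and all function names are assumptions made for illustration, and the Indeterminate decision is left out to keep the case small.

```python
# Added illustration: the same rules, combined under an algorithm picked per request.
PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"

def deny_overrides(decisions):
    # Any Deny wins; otherwise any Permit; otherwise nothing applied.
    if DENY in decisions:
        return DENY
    return PERMIT if PERMIT in decisions else NA

def permit_overrides(decisions):
    # Any Permit wins; otherwise any Deny; otherwise nothing applied.
    if PERMIT in decisions:
        return PERMIT
    return DENY if DENY in decisions else NA

def first_applicable(decisions):
    # The first rule that applies decides, in rule order.
    return next((d for d in decisions if d != NA), NA)

ALGORITHMS = {
    "deny-overrides": deny_overrides,
    "permit-overrides": permit_overrides,
    "first-applicable": first_applicable,
}

# Constructed rules as (effect, predicate); written once, never recomposed.
RULES = [
    (DENY, lambda r: r["resource"] == "health-record"
                     and r["role"] != "treating-physician"),
    (PERMIT, lambda r: r["resource"] == "health-record"
                       and r["role"] in ("treating-physician", "er-physician")),
]

def evaluate_rules(rules, request):
    # One decision per rule: its effect if the predicate matches, else NA.
    return [effect if matches(request) else NA for effect, matches in rules]

def select_algorithm(context):
    # Hypothetical context rule: emergencies favour availability.
    return "permit-overrides" if context.get("emergency") else "deny-overrides"

def decide(rules, request, context, static_algorithm=None):
    # static_algorithm models binding at composition time; None means dynamic.
    name = static_algorithm or select_algorithm(context)
    return name, ALGORITHMS[name](evaluate_rules(rules, request))

if __name__ == "__main__":
    req = {"role": "er-physician", "resource": "health-record"}
    print(decide(RULES, req, {"emergency": False}))
    print(decide(RULES, req, {"emergency": True}))
```

The ER physician's request matches both rules, so the decision depends entirely on the combining algorithm; a request that matches only the Deny rule stays denied in either context.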