Obligations are an important and indispensable part of many access control policies, such as those in DRM (Digital Rights Management) and healthcare information systems. To be able to use obligations in a real-world access control system, there must exist a language for specifying obligations. However, such a language is currently lacking. XACML (eXtensible Access Control Markup Language), the current de facto standard for specifying access control policies, seems to integrate obligations as a part of it, but it treats obligations largely as black boxes, without specifying what an obligation should include or how obligations should be handled. In this paper we examine the challenges in designing a practical approach for specifying and handling obligations, and then propose a language for specifying obligations and an architecture for handling access control policies with these obligations, extending XACML's specification and architecture. In our design, obligations are modeled as state machines which communicate with the access control system and the outside world via events. We further implement our design in a prototype system named ExtXACML, based on SUN's XACML implementation. ExtXACML is extensible in that new obligation modules can be added to the system to handle various obligations for different applications, which shows the strong power of our design.