Proposed NIST standard for role-based access control
ACM Transactions on Information and System Security (TISSEC)
Organization based access control
POLICY '03 Proceedings of the 4th IEEE International Workshop on Policies for Distributed Systems and Networks
Automated xacml policy reconfiguration for evaluation optimisation
Proceedings of the fourth international workshop on Software engineering for secure systems
Xengine: a fast and scalable XACML policy evaluation engine
SIGMETRICS '08 Proceedings of the 2008 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
Policy decomposition for collaborative access control
Proceedings of the 13th ACM symposium on Access control models and technologies
Test-Driven Assessment of Access Control in Legacy Applications
ICST '08 Proceedings of the 2008 International Conference on Software Testing, Verification, and Validation
A Model-Based Framework for Security Policy Specification, Deployment and Testing
MoDELS '08 Proceedings of the 11th international conference on Model Driven Engineering Languages and Systems
Transforming and Selecting Functional Test Cases for Security Policy Testing
ICST '09 Proceedings of the 2009 International Conference on Software Testing Verification and Validation
Statistics & Clustering Based Framework for Efficient XACML Policy Evaluation
POLICY '09 Proceedings of the 2009 IEEE International Symposium on Policies for Distributed Systems and Networks
MyABDAC: compiling XACML policies for attribute-based database access control
Proceedings of the first ACM conference on Data and application security and privacy
Defining and measuring policy coverage in testing access control policies
ICICS'06 Proceedings of the 8th international conference on Information and Communications Security
Toward a model-driven access-control enforcement mechanism for pervasive systems
Proceedings of the Workshop on Model-Driven Security
Hi-index | 0.00 |
In order to facilitate managing authorization, access control architectures are designed to separate the business logic from an access control policy. To determine whether a user can access which resources, a request is formulated from a component, called a Policy Enforcement Point (PEP) located in application code. Given a request, a Policy Decision Point (PDP) evaluates the request against an access control policy and returns its access decision (i.e., permit or deny) to the PEP. With the growth of sensitive information for protection in an application, an access control policy consists of a larger number of rules, which often cause a performance bottleneck. To address this issue, we propose to refactor access control policies for performance improvement by splitting a policy (handled by a single PDP) into its corresponding multiple policies with a smaller number of rules (handled by multiple PDPs). We define seven attribute-set-based splitting criteria to facilitate splitting a policy. We have conducted an evaluation on three subjects of real-life Java systems, each of which interacts with access control policies. Our evaluation results show that (1) our approach preserves the initial architectural model in terms of interaction between the business logic and its corresponding rules in a policy, and (2) our approach enables to substantially reduce request evaluation time for most splitting criteria.