XeNA: an access negotiation framework using XACML

DOI 10.1007/s12243-008-0050-5

2014

XeNA is a new model for the negotiation of access within an extended eXtensible Access Control Markup Language (XACML) architecture. We bring together trust management through a negotiation process and access control management within the same architecture. The negotiation process, based on a resource classification methodology, occurs before the access control management. A negotiation module at the core of this negotiation process is in charge of collecting the resources required to establish a level of trust and to ensure a successful evaluation of access. The access control management is based on an extended Role-Based Access Control (RBAC) profile of XACML. This extended profile responds to advanced access control requirements and allows the expression of several access control models within XACML.

Access negotiation within XACML architecture

Web services offer a possibility of exchanging data between entities from different organizational boundaries. Keeping sensitive resources private in a public world is a common concern of service providers. Thus, there is a need for access control management at the level of the web services in addition to a prior negotiation of access. This negotiation is the first step in the access control management to establish trust and gather the resources needed for the evaluation of an access request. We propose in this article a negotiation methodology based on resource classification. This methodology is used in the negotiation process. We present the architecture used for negotiation of access and access control management. We decided to use the XACML architecture since we have proposed to investigate web service applications. Thus, we chose the extended RBAC profile of XACML. This extended profile responds to advanced access control requirements and allows the expression of several access control models within XACML.

Formalisation and Implementation of the XACML Access Control Mechanism

Lecture Notes in Computer Science, 2012

We propose a formal account of XACML, an OASIS standard adhering to the Policy Based Access Control model for the specification and enforcement of access control policies. To clarify all ambiguous and intricate aspects of XACML, we provide it with a more manageable alternative syntax and with a solid semantic ground. This lays the basis for developing tools and methodologies which allow software engineers to easily and precisely regulate access to resources using policies. To demonstrate feasibility and effectiveness of our approach, we provide a software tool, supporting the specification and evaluation of policies and access requests, whose implementation fully relies on our formal development.

Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC)

Proceedings of the 2016 ACM International Workshop on Attribute Based Access Control - ABAC '16, 2016

This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130. Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official. This publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST.

Extensible Access Control Markup Language (XACML)

StandardView, 2003

This specification registers an XML-based media type for the eXtensible Access Control Markup Language (XACML).

Status of This Memo: This document is not an Internet Standards Track specification; it is published for informational purposes. This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7061.

XML-based access control languages

Information Security Technical Report, 2004

One of the most challenging problems in managing large, distributed, and heterogeneous networked systems is specifying and enforcing security policies regulating interactions between parties and access to services and resources. Recent proposals for specifying and exchanging access control policies adopt XML-based languages. XML appears in fact to be a natural choice as the basis for a common security-policy language, due to the ease with which its syntax and semantics can be extended and the widespread support that it enjoys from all the main platform and tool vendors. In this chapter, we first investigate the basic concepts behind access control design and enforcement, and point out different security requirements that may need to be taken into consideration in designing an access control language for Internet information systems. We then focus on XML-based access control languages and, in particular, on the eXtensible Access Control Markup Language (XACML), a recent OASIS standardization effort. XACML is designed to express authorization policies in XML against objects that are themselves identified in XML. The language can represent the functionalities of most policy representation mechanisms.

First experiences using XACML for access control in distributed systems

… on XML security, 2003

Authorization systems today are increasingly complex. They span domains of administration, rely on many different authentication sources, and manage permissions that can be as complex as the system itself. Worse still, while there are many standards that define authentication mechanisms, the standards that address authorization are less well defined and tend to work only within homogeneous systems. This paper presents XACML, a standard access control language, as one component of a distributed and inter-operable authorization framework. Several emerging systems which incorporate XACML are discussed. These discussions illustrate how authorization can be deployed in distributed, decentralized systems. Finally, some new and future topics are presented to show where this work is heading and how it will help connect the general components of an authorization system.

Interoperable access control policies: A XACML and RIF demonstration

2009

eXtensible Access Control Markup Language (XACML), an OASIS standard language for the specification of access control rules, has been widely deployed in many Web-based systems. However, many domains still use their own custom solutions to manage authorizations. This makes collaboration between, and integration over, applications and domains using disparate policy languages difficult and requires prior negotiation and agreement between them. Rule Interchange Format (RIF) is an interlingua being developed at W3C to allow the exchange of rules between rule systems. We propose to express XACML as RIF in order to enable XACML policy rules to be understood by any RIF-based system. In this paper, we present the design of our translator from/to XACML to/from RIF by mapping XACML constructs to RIF. Our translator will enable the exchange of RIF-encoded XACML rules among different policy systems.

XACML and Risk-Aware Access Control

Risk-aware access control (RAAC) has shown promise as an approach to addressing the increasing need to share information securely in dynamic environments. For such models to realise their promise, however, principled, standard-based software engineering methods are essential. XACML is an XML-based OASIS standard for the specification and evaluation of access control policies. In this paper we explore the use of XACML as a means of implementing RAAC. We abstract core components of RAAC relevant to risk management, and show how these may be implemented using standard XACML features.

An XML-based language for access control specifications in an RBAC environment

2003

Lately, Web-accessed resources have superseded the resources accessed by local or wide-area networks. Therefore, new mechanisms should be implemented for protecting resources from unknown clients. Attribute certificates are a quite new technology offering such functionality. Those certificates are issued by Attribute Authorities validating the attributes of the owner of the certificate. Based on this technology, an XML-based access control mechanism is introduced for protecting any kind of resource (from both known and unknown clients). The proposed model is ultimately role-based, since both clients and protected resources are organized into roles. Moreover, an XML-based language is introduced to express roles, authorizations, delegation rules, hierarchies and certificates.