XML-based access control languages (original) (raw)
Related papers
Formalisation and Implementation of the XACML Access Control Mechanism
Lecture Notes in Computer Science, 2012
We propose a formal account of XACML, an OASIS standard adhering to the Policy Based Access Control model for the specification and enforcement of access control policies. To clarify all ambiguous and intricate aspects of XACML, we provide it with a more manageable alternative syntax and with a solid semantic ground. This lays the basis for developing tools and methodologies which allow software engineers to easily and precisely regulate access to resources using policies. To demonstrate feasibility and effectiveness of our approach, we provide a software tool, supporting the specification and evaluation of policies and access requests, whose implementation fully relies on our formal development.
An XML-Based Policy Model for Access Control in Web Applications
Lecture Notes in Computer Science, 2013
Organizational Information Systems (IS) collect, store, and manage personal and business data. Due to regulation laws and to protect the privacy of users, clients, and business partners, these data must be kept private. This paper proposes a model and a mechanism that allows defining access control policies based on the user profile, the time period, the mode and the local from where data can be accessed. The proposed policy model is simple enough to be used by a business manager, yet it has the flexibility to define complex restrictions. At runtime, an independent protection layer monitors data accesses and enforces existing policies. A prototype tool was implemented to run an experimental evaluation, which showed that the tool is able to enforce access control with minimal performance impact, while assuring scalability both in terms of the number of users and the number of policies.
Credential-Based Policies Management in an Access Control Framework Protecting XML Resources
Lecture Notes in Computer Science, 2006
XML has been widely adopted for Web data representation under various applications (such as DBMSs, Digital Libraries etc). Therefore, access to XML data sources has become a crucial issue. In this paper we introduce a credential-based access control framework for protecting XML resources. Under this framework, we propose the use of access policy files containing policies concerning a specific credentials type. Moreover, we propose the reorganization of the policies in these files based on their frequency of use (the more frequently it is used the higher in the file it is placed). Our main goal is to improve request servicing times. Several experiments have been conducted which are carried out either on single request or on multiple requests base. The proposed framework is proven quite beneficial for protecting XML-based frameworks such as digital libraries or any other data resources whose format is expressed in XML.
First experiences using XACML for access control in distributed systems
… on XML security, 2003
Authorization systems today are increasingly complex. They span domains of administration, rely on many different authentication sources, and manage permissions that can be as complex as the system itself. Worse still, while there are many standards that define authentication mechanisms, the standards that address authorization are less well defined and tend to work only within homogeneous systems. This paper presents XACML, a standard access control language, as one component of a distributed and inter-operable authorization framework. Several emerging systems which incorporate XACML are discussed. These discussions illustrate how authorization can be deployed in distributed, decentralized systems. Finally, some new and future topics are presented to show where this work is heading and how it will help connect the general components of an authorization system.
XML-Based Distributed Access Control System
Lecture Notes in Computer Science, 2002
The use of attribute certificates and the concept of mobile policies have been proposed to overcome some of the limitations of the role based access control (RBAC) paradigm and to implement security requirements such as the "originator controlled" (ORCON) policy. Mobile policies are attached to the data that they control and enforced by their execution in trusted servers. In this paper we extend this idea to allow the execution of the policies in untrusted systems. Our extension allows policies to be bound to the data but not attached to. Through this modification security administrators are able to change policies dynamically and transparently. Additionally, we introduce X-ACS, an XML-based language designed to express policies in a simple and unambiguous way overcoming the limitations of other approaches. Important features of X-ACS are that it can be used by processors with limited capabilities such as smart cards while allowing the automated validation of policies.
Interoperable access control policies: A XACML and RIF demonstration
2009
eXtensible Access Control Markup Language (XACML), an OASIS standard language for the specification of access control rules, has been widely deployed in many Web-based systems. However, many domains still use their custom solutions to manage authorizations. This makes collaboration between and integration over applications and domains using disparate policy language difficult and requires prior negotiation and agreement between them. Rule Interchange Format (RIF) is an interlingua being developed at W3C to allow the exchange of rules between rule systems. We propose to express XACML as RIF in order to enable XACML policy rules to be understood by any RIF based system. In this paper, we present the design of our translator from/to XACML to/from RIF by mapping XACML constructs to RIF. Our translator will enable the exchange of RIF encoded XACML rules among different policy systems.
… and System Security ( …, 2005
Modern day enterprises exhibit a growing trend toward adoption of enterprise computing services for efficient resource utilization, scalability, and flexibility. These environments are characterized by heterogeneous, distributed computing systems exchanging enormous volumes of time-critical data with varying levels of access control in a dynamic business environment. The enterprises are thus faced with significant challenges as they endeavor to achieve their primary goals, and simultaneously ensure enterprise-wide secure interoperation among the various collaborating entities. Key among these challenges are providing effective mechanism for enforcement of enterprise policy across distributed domains, ensuring secure content-based access to enterprise resources at all user levels, and allowing the specification of temporal and nontemporal context conditions to support fine-grained dynamic access control. In this paper, we investigate these challenges, and present X-GTRBAC, an XML-based GTRBAC policy specification language and its implementation for enforcing enterprise-wide access control. Our specification language is based on the GTRBAC model that incorporates the content-and context-aware dynamic access control requirements of an enterprise. An X-GTRBAC system has been implemented as a Java application. We discuss the salient features of the specification language, and present the software architecture of our system. A comprehensive example is included to discuss and motivate the applicability of the X-GTRBAC framework to a generic enterprise environment. An application level interface for implementing the policy in the X-GTRBAC system is also provided to consolidate the ideas presented in the paper.
DOI 10.1007/s12243-008-0050-5 XeNA: an access negotiation framework using XACML
2014
XeNA is a new model for the negotiation of access within an extended eXtensible Access Control Markup Language (XACML) architecture. We bring together trust management through a negotiation process and access control management within the same architecture. The negotiation process based on resource classification methodology occurs before the access control management. A negotiation module at the core of this negotiation process is in charge of collecting resources required to establish a level of trust and to insure a successful evaluation of access. The access control management is based on an extended Role-Based Access Control (RBAC) profile of XACML. This extended profile responds to advanced access control requirements and allows the expression of several access control models within XACML.
Xml access control systems: A component-based approach
2002
We recently proposed an access control model for XML information that permits the definition of authorizations at a fine granularity. We here describe the design and implementation of an Access Control Processor based on the above-mentioned model. We also present the major issues arising when integrating it into the framework of a component-based Web server system.
XeNA: an access negotiation framework using XACML
annals of telecommunications - annales des télécommunications, 2008
XeNA is a new model for the negotiation of access within an extended eXtensible Access Control Markup Language (XACML) architecture. We bring together trust management through a negotiation process and access control management within the same architecture. The negotiation process based on resource classification methodology occurs before the access control management. A negotiation module at the core of this negotiation process is in charge of collecting resources required to establish a level of trust and to insure a successful evaluation of access. The access control management is based on an extended Role-Based Access Control (RBAC) profile of XACML. This extended profile responds to advanced access control requirements and allows the expression of several access control models within XACML.