Access Control Policies and Languages in Open Environments

Secure Data Management in Decentralized Systems

Part of the book series: Advances in Information Security (ADIS, volume 33)

Abstract

Access control is the process of mediating every request to resources and data maintained by a system and determining whether the request should be granted or denied. Access control plays an important role in overall system security. The development of an access control system requires the definition of the regulations (policies) according to which access is to be controlled and their implementation as functions executable by a computer system. The access control policies are usually formalized through a security model, stated through an appropriate specification language, and then enforced by the access control mechanism that implements the access control service. The separation between policies and mechanisms introduces independence between the protection requirements to be enforced, on the one side, and the mechanisms enforcing them, on the other. It is then possible to: i) discuss protection requirements independently of their implementation, ii) compare different access control policies as well as different mechanisms that enforce the same policy, and iii) design mechanisms able to enforce multiple policies. This latter aspect is particularly important: if a mechanism is tied to a specific policy, a change in the policy would require changing the whole access control system; mechanisms able to enforce multiple policies avoid this drawback. The formalization phase between the policy definition and its implementation as a mechanism allows the definition of a formal model representing the policy and its working, making it possible to define and prove security properties that systems enforcing the model will enjoy [30].


References

  1. Abadi M, Lamport L (1992). Composing specifications. ACM Transactions on Programming Languages, 14(4):1–60.
  2. Ardagna CA, Damiani E, De Capitani di Vimercati S, Samarati P (2004). XML-based access control languages. Information Security Technical Report.
  3. Atkinson B, Delia Libera GD, et al. (2002). Web services security (WS-Security). http://msdn.microsoft.com/library/en-us/dnglobspec/html/ws-security.asp.
  4. Bell D (1994). Modeling the multipolicy machine. In Proc. of the New Security Paradigm Workshop, Little Compton, Rhode Island, USA.
  5. Bertino E, Bettini C, Ferrari E, Samarati P (1998). An access control model supporting periodicity constraints and temporal reasoning. ACM Transactions on Database Systems, 23(3):231–285.
  6. Bertino E, Bonatti P, Ferrari E (2001). TRBAC: a temporal role-based access control method. ACM Transactions on Information and System Security, 4(3):191–223.
  7. Bertino E, Jajodia S, Samarati P (1999). A flexible authorization mechanism for relational data management systems. ACM Transactions on Information Systems, 17(2):101–140.
  8. Blaze M, Feigenbaum J, Lacy J (1996). Decentralized trust management. In Proc. of the 1996 IEEE Symposium on Security and Privacy, Oakland, CA, USA.
  9. Bonatti P, De Capitani di Vimercati S, Samarati P (2002). An algebra for composing access control policies. ACM Transactions on Information and System Security, 5(1):1–35.
  10. Bonatti P, Samarati P (2002). A unified framework for regulating access and information release on the web. Journal of Computer Security, 10(3):241–272.
  11. Box D, et al. (2003). Web services policy assertions language (WS-PolicyAssertions) version 1.1. http://msdn.microsoft.com/library/en-us/dnglobspec/html/ws-policyassertions.asp.
  12. Box D, et al. (2003). Web Services Policy Attachment (WS-PolicyAttachment) version 1.1. http://msdn.microsoft.com/library/en-us/dnglobspec/html/ws-policyattachment.asp.
  13. Box D, et al. (2003). Web services policy framework (WS-Policy) version 1.1. http://msdn.microsoft.com/library/en-us/dnglobspec/html/ws-policy.asp.
  14. Damiani E, De Capitani di Vimercati S, Paraboschi S, Samarati P (2000). Securing XML documents. In Proc. of the 2000 International Conference on Extending Database Technology (EDBT2000), Konstanz, Germany.
  15. Damiani E, De Capitani di Vimercati S, Paraboschi S, Samarati P (2002). A fine-grained access control system for XML documents. ACM Transactions on Information and System Security, 5(2):169–202.
  16. DeTreville J (2002). Binder, a logic-based security language. In Proc. of the 2001 IEEE Symposium on Security and Privacy, Oakland, CA, USA.
  17. eXtensible Access Control Markup Language (XACML) Version 2.0 (2004). eXtensible Access Control Markup Language (XACML) Version 2.0. OASIS. http://www.oasis-open.org/committees/xacml.
  18. Farrell S, Housley R (2002). An internet attribute certificate profile for authorization. RFC 3281.
  19. Ferraiolo D, Kuhn R (1992). Role-based access controls. In Proc. of the 15th NIST-NSA National Computer Security Conference, Baltimore, Maryland.
  20. Gabillon A (2004). An authorization model for XML databases. In Proc. of the ACM Workshop Secure Web Services, George Mason University, Fairfax, VA, USA.
  21. Gabillon A, Bruno E (2001). Regulating access to XML documents. In Proc. of the Fifteenth Annual IFIP WG 11.3 Working Conference on Database Security, Niagara on the Lake, Ontario, Canada.
  22. Gelfond M, Lifschitz V (1988). The stable model semantics for logic programming. In Proc. of the 5th International Conference and Symposium on Logic Programming, Cambridge, Massachusetts.
  23. Gladman B, Ellison C, Bohm N (1999). Digital signatures, certificates and electronic commerce. http://jya.com/bg/digsig.pdf.
  24. Hosmer H (1992). Metapolicies II. In Proc. of the 15th National Computer Security Conference, Baltimore, MD.
  25. Jaeger T (2001). Access control in configurable systems. Lecture Notes in Computer Science, 1603:289–316.
  26. Jajodia S, Samarati P, Sapino ML, Subrahmanian VS (2001). Flexible support for multiple access control policies. ACM Transactions on Database Systems, 26(2):214–260.
  27. Jajodia S, Samarati P, Subrahmanian VS, Bertino E (1997). A unified framework for enforcing multiple access control policies. In Proc. of the 1997 ACM International SIGMOD Conference on Management of Data, Tucson, AZ.
  28. Jim T (2001). Sd3: A trust management system with certified evaluation. In Proc. of the 2001 IEEE Symposium on Security and Privacy, Oakland, CA, USA.
  29. Kudoh M, Hirayama Y, Hada S, Vollschwitz A (2000). Access control specification based on policy evaluation and enforcement model and specification language. In Symposium on Cryptography and Information Security (SCIS’2000), Japan.
  30. Landwehr CF (1981). Formal models for computer security. ACM Computing Surveys, 13(3):247–278.
  31. Li N, Feigenbaum J, Grosof B (1999). A logic-based knowledge representation for authorization with delegation. In Proc. of the 12th IEEE Computer Security Foundations Workshop, Washington, DC, USA.
  32. Li N, Grosof B, Feigenbaum J (2003). Delegation logic: A logic-based approach to distributed authorization. ACM Transactions on Information and System Security, 6(1):128–171.
  33. Li N, Mitchell JC (2003). Datalog with constraints: A foundation for trust-management languages. In Proc. of the Fifth International Symposium on Practical Aspects of Declarative Languages (PADL 2003), New Orleans, LA, USA.
  34. Li N, Mitchell JC, Winsborough WH (2002). Design of a role-based trust-management framework. In Proc. of the IEEE Symposium on Security and Privacy, Oakland, CA, USA.
  35. McLean J (1988). The algebra of security. In Proc. of the 1988 IEEE Computer Society Symposium on Security and Privacy, Oakland, CA, USA.
  36. Ryutov T, Zhou L, Neuman C, Leithead T, Seamons KE (2005). Adaptive trust negotiation and access control. In Proc. of the 10th ACM Symposium on Access Control Models and Technologies, Stockholm, Sweden.
  37. Samarati P, De Capitani di Vimercati S (2001). Access control: Policies, models, and mechanisms. In Focardi R, Gorrieri R, editors, Foundations of Security Analysis and Design, LNCS 2171. Springer-Verlag.
  38. Seamons KE, Winsborough W, Winslett M (1997). Internet credential acceptance policies. In Proc. of the Workshop on Logic Programming for Internet Applications, Leuven, Belgium.
  39. Security Assertion Markup Language (SAML) V1.1 (2003). Security Assertion Markup Language (SAML) V1.1. OASIS. http://www.oasis-open.org/committees/security/.
  40. Sterling L, Shapiro E (1997). The art of Prolog. MIT Press, Cambridge, MA.
  41. Subrahmanian V, Adali S, Brink A, Lu J, Rajput A, Rogers T, Ross R, Ward C. Hermes: heterogeneous reasoning and mediator system. http://www.cs.umd.edu/projects/hermes.
  42. The XACML Profile for Hierarchical Resources (2004). The XACML Profile for Hierarchical Resources. OASIS. http://www.oasis-open.org/committees/xacml.
  43. van der Horst TW, Sundelin T, Seamons KE, Knutson CD (2004). Mobile trust negotiation: Authentication and authorization in dynamic mobile networks. In Proc. of the Eighth IFIP Conference on Communications and Multimedia Security, Lake Windermere, England.
  44. Web services security policy (WS-SecurityPolicy) (2002). Web services security policy (WS-SecurityPolicy). http://www-106.ibm.com/developerworks/library/ws-secpol/.
  45. Wijesekera D, Jajodia S (2003). A propositional policy algebra for access control. ACM Transactions on Information and System Security, 6(2):286–325.
  46. Winsborough W, Seamons KE, Jones V (2000). Automated trust negotiation. In Proc. of the DARPA Information Survivability Conf. & Exposition, Hilton Head Island, SC, USA.
  47. Winslett M, Ching N, Jones V, Slepchin I (1997). Assuring security and privacy for digital library transactions on the web: Client and server security policies. In Proc. of the ADL’ 97 — Forum on Research and Tech. Advances in Digital Libraries, Washington, DC.
  48. Woo TYC, Lam SS (1993). Authorizations in distributed systems: A new approach. Journal of Computer Security, 2(2,3):107–136.
  49. World Wide Web Consortium (W3C) (2004). eXtensible Markup Language (XML) 1.0 (Third Edition). World Wide Web Consortium (W3C). http://www.w3.org/TR/REC-xml.
  50. Yu T, Ma X, Winslett M (2000). An efficient complete strategy for automated trust negotiation over the Internet. In Proc. of the 7th ACM Computer and Communication Security, Athens, Greece.
  51. Yu T, Winslett M (2003). A unified scheme for resource protection in automated trust negotiation. In Proc. of the IEEE Symposium on Security and Privacy, Berkeley, California.
  52. Yu T, Winslett M, Seamons KE (2001). Interoperable strategies in automated trust negotiation. In Proc. of the 8th ACM Conference on Computer and Communications Security, Philadelphia, Pennsylvania.
  53. Yu T, Winslett M, Seamons KE (2003). Supporting structured credentials and sensitive policies through interoperable strategies for automated trust. ACM Transactions on Information and System Security, 6(1):1–42.

Copyright information

© 2007 Springer Science+Business Media, LLC

About this chapter

Cite this chapter

De Capitani di Vimercati, S., Foresti, S., Jajodia, S., Samarati, P. (2007). Access Control Policies and Languages in Open Environments. In: Yu, T., Jajodia, S. (eds) Secure Data Management in Decentralized Systems. Advances in Information Security, vol 33. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-27696-0_2

  • DOI: https://doi.org/10.1007/978-0-387-27696-0_2

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-0-387-27694-6

  • Online ISBN: 978-0-387-27696-0

  • eBook Packages: Computer Science (R0)
