A Proposal on Enhancing XACML with Continuous Usage Control Features

  • Maurizio Colombo
  • Aliaksandr Lazouski
  • Fabio Martinelli
  • Paolo Mori
Conference paper


Usage control (UCON), proposed by R. Sandhu et al. [8, 9], is an attribute-based authorization model whose main novelties are mutability of attributes and continuity of control.

OASIS eXtensible Access Control Markup Language (XACML) [10] is a widely used language for writing authorization policies that protect resources in a distributed computing environment (e.g. Grid). An XACML policy specifies the before-usage authorization process, optionally complemented with the fulfillment of obligation actions. At present, XACML has insufficient facilities to express continuous usage control after an access has been granted and started.

In this paper, we introduce U-XACML, a new policy language that enhances the original XACML with the UCON novelties. We extend the syntax and semantics of XACML policies to define mutability of attributes and continuity of control, and we introduce an architecture to enforce U-XACML policies.


Keywords: Policy Language; Security Policy; Attribute Manager; Policy Enforcement; Access Control Model
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.




  1. Colombo, M., Lazouski, A., Martinelli, F., Mori, P.: On Usage Control for Grid Services. In: The 2009 IEEE International Workshop on HPC and Grid Applications. Sanya, China (2009)
  2. Damiani, M.L., Bertino, E., Silvestri, C.: Approach to supporting continuity of usage in location-based access control. In: FTDCS '08: Proceedings of the 2008 12th IEEE International Workshop on Future Trends of Distributed Computing Systems, pp. 199–205. IEEE Computer Society, Washington, DC, USA (2008)
  3. Feng, J., Wasson, G., Humphrey, M.: Resource usage policy expression and enforcement in grid computing. IEEE/ACM International Workshop on Grid Computing, pp. 66–73 (2007)
  4. Hafner, M., Memon, M., Alam, M.: Modeling and enforcing advanced access control policies in healthcare systems with SECTET. In: Models in Software Engineering: Workshops and Symposia at MoDELS, pp. 132–144. Springer-Verlag, Berlin, Heidelberg (2008)
  5. Katt, B., Zhang, X., Breu, R., Hafner, M., Seifert, J.P.: A general obligation model and continuity: enhanced policy enforcement engine for usage control. In: SACMAT '08: Proceedings of the 13th ACM symposium on Access control models and technologies, pp. 123–132. ACM, New York, NY, USA (2008)
  6. Martinelli, F., Mori, P., Vaccarelli, A.: Towards continuous usage control on grid computational services. In: Proceedings of Joint International Conference on Autonomic and Autonomous Systems and International Conference on Networking and Services (ICAS-ICNS 2005), IEEE Computer Society, p. 82 (2005)
  7. Naqvi, S., Massonet, P., Aziz, B., Arenas, A., Martinelli, F., Mori, P., Blasi, L., Cortese, G.: Fine-Grained Continuous Usage Control of Service Based Grids - The GridTrust Approach. In: ServiceWave '08: Proceedings of the 1st European Conference on Towards a Service-Based Internet, pp. 242–253. Springer-Verlag, Berlin, Heidelberg (2008)
  8. Park, J., Sandhu, R.: Towards usage control models: Beyond traditional access control. In: SACMAT '02: Proceedings of the seventh ACM symposium on Access control models and technologies, pp. 57–64. ACM, New York, NY, USA (2002)
  9. Park, J., Sandhu, R.: The UCONABC usage control model. ACM Transactions on Information and System Security 7(1), 128–174 (2004)
  10. XACML: eXtensible Access Control Markup Language (XACML).
  11. Zhang, X., Nakae, M., Covington, M.J., Sandhu, R.: Toward a usage-based security framework for collaborative computing systems. ACM Transactions on Information and System Security 11(1), 1–36 (2008)

Copyright information

© Springer US 2010

Authors and Affiliations

  • Maurizio Colombo (1)
  • Aliaksandr Lazouski (2)
  • Fabio Martinelli (1)
  • Paolo Mori (1)

  1. Istituto di Informatica e Telematica, Consiglio Nazionale delle Ricerche, Pisa, Italy
  2. Università di Pisa, Pisa, Italy
