Abstract
Business requirements for modern enterprise systems usually comprise a variety of dynamic constraints, i.e., constraints that require a complex set of context information only available at runtime. Thus, the efficient evaluation of dynamic constraints, e.g., expressing separation of duties requirements, becomes an important factor for the overall performance of the access control enforcement.
In distributed systems, e.g., those based on the service-oriented architecture (SOA), the time for evaluating access control constraints depends significantly on the protocol between the central Policy Decision Point (PDP) and the distributed Policy Enforcement Points (PEPs).
In this paper, we present a policy-driven approach for generating a customized protocol for the communication between the PDP and the PEPs. We provide a detailed comparison of several approaches for querying context information during the evaluation of access control constraints.
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Brucker, A.D., Petritsch, H. (2010). Idea: Efficient Evaluation of Access Control Constraints. In: Massacci, F., Wallach, D., Zannone, N. (eds) Engineering Secure Software and Systems. ESSoS 2010. Lecture Notes in Computer Science, vol 5965. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-11747-3_12
DOI: https://doi.org/10.1007/978-3-642-11747-3_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-11746-6
Online ISBN: 978-3-642-11747-3
eBook Packages: Computer Science, Computer Science (R0)