Open Access Open Access  Restricted Access Subscription Access

Design and Evaluation of XACML Conflict Policies Detection Mechanism


Affiliations
1 Computer Science and Engineering, Panjab University, Chandigarh, India
 

The evolution of distributed computing technologies like grid computing, peer-to-peer computing, pervasive computing, ubiquitous computing, autonomic computing, cloud computing etc. has led to the development of complex virtual systems. These systems enable sharing of resources and services distributed over geographically dispersed, heterogeneous, autonomous administrative domains and allow one to efficiently perform a compute or storage intensive task by harnessing the features available over other domains. The resources and services provided by service providers are generally protected by complex access control policies. These access control policies are expressed using policy specification languages. One of the popular, exhaustive and feature rich access control policy specification language is XACML, which is an OASIS standard also. The XACML policies are specified either manually or using automated XACML policy specification tools. Among major problems that policy administrators face is the problem of conflict policies. Conflict policies can have serious consequences and may lead to unauthorized access. This paper presents the design, implementation and evaluation of a conflict policy detection mechanism that can be used by policy administrators to proactively detect conflict XACML policies present in a policy database. This saves administrators and initiators of job from unnecessary problems arising due to presence of conflicts. The mechanism presented is simple, scalable, efficient and can be used to detect policies conflicting with respect to subject, resource, and action attributes. The mechanism has been evaluated by simulating a distributed policy based authorization and XACML access control system. A number of conflict policies of different nature have been injected in the policy database and conflicts have been identified through proposed XACML conflict policy detection algorithm. The implementation results show that the mechanism efficiently detects conflict policies having conflicts with respect to subject, resource and action attributes. This demonstrates that the approach is workable and can be used to detect conflict policies among a set of XACML policies.

Keywords

XACML, Access Control Policies, Conflict Policies, Policy-Based Authorization Framework.
User
Notifications
Font Size

Abstract Views: 423

PDF Views: 180




  • Design and Evaluation of XACML Conflict Policies Detection Mechanism

Abstract Views: 423  |  PDF Views: 180

Authors

Kamalbir Singh
Computer Science and Engineering, Panjab University, Chandigarh, India
Sarbjeet Singh
Computer Science and Engineering, Panjab University, Chandigarh, India

Abstract


The evolution of distributed computing technologies like grid computing, peer-to-peer computing, pervasive computing, ubiquitous computing, autonomic computing, cloud computing etc. has led to the development of complex virtual systems. These systems enable sharing of resources and services distributed over geographically dispersed, heterogeneous, autonomous administrative domains and allow one to efficiently perform a compute or storage intensive task by harnessing the features available over other domains. The resources and services provided by service providers are generally protected by complex access control policies. These access control policies are expressed using policy specification languages. One of the popular, exhaustive and feature rich access control policy specification language is XACML, which is an OASIS standard also. The XACML policies are specified either manually or using automated XACML policy specification tools. Among major problems that policy administrators face is the problem of conflict policies. Conflict policies can have serious consequences and may lead to unauthorized access. This paper presents the design, implementation and evaluation of a conflict policy detection mechanism that can be used by policy administrators to proactively detect conflict XACML policies present in a policy database. This saves administrators and initiators of job from unnecessary problems arising due to presence of conflicts. The mechanism presented is simple, scalable, efficient and can be used to detect policies conflicting with respect to subject, resource, and action attributes. The mechanism has been evaluated by simulating a distributed policy based authorization and XACML access control system. A number of conflict policies of different nature have been injected in the policy database and conflicts have been identified through proposed XACML conflict policy detection algorithm. The implementation results show that the mechanism efficiently detects conflict policies having conflicts with respect to subject, resource and action attributes. This demonstrates that the approach is workable and can be used to detect conflict policies among a set of XACML policies.

Keywords


XACML, Access Control Policies, Conflict Policies, Policy-Based Authorization Framework.