A Policy-Oriented Language for Expressing Security Specifications

Organizations’ authorization policies are usually described by access control rules enforced on each protected object scattered all over the organization. Having a single global security policy specification would promote both security clarity and coherency [4, 9, 18, 31, 37]. Having a single security model for the whole organization, a single point of management and enforcement with a innumerous set of unknown users, does not scale well. However, both the policy enforcement and the mapping of unknown users to known entities [28] can be decoupled from the specification; thus, having a single global security policy decoupled from the enforcement and from the mapping of unknown users promotes clarity and coherency without compromising scalability. This work presents a security policy language which is able to express simultaneously many different types of models, which is essential to handle all the policies used on a complex organization. The proposed language can express the concepts of permission and prohibition, and some restricted forms of obligation. We show how to express and implement obligation using the transaction concept. We also address the problem of incoherent policies and show how to efficiently enforce the security policies expressed by the language with a security access monitor, implemented in java, including history-based and obligation-based security policies.