Towards a Full Support of Obligations in XACML
نویسندگان
چکیده
Policy-based systems rely on the separation of concerns, by implementing independently a software system and its associated security policy. XACML (eXtensible Access Control Markup Language) proposes a conceptual architecture and a policy language to reflect this ideal design of policy-based systems. However, while rights are well-captured by authorizations, duties, also called obligations, are not well managed by XACML architecture. The current version of XACML lacks (1) well-defined syntax to express obligations and (2) an unified model to handle decision making w.r.t. obligation states and the history of obligations fulfillment/violation. In this work, we propose an extension of XACML reference model that integrates obligation states in the decision making process. We have extended XACML language and architecture for a better obligations support and have shown how obligations are managed in our proposed extended XACML architecture: OB-XACML.
منابع مشابه
Extending XACML Authorisation Model to Support Policy Obligations Handling in Distributed Applications
The paper summarises the recent and on-going developments and discussions in the Grid security community to built interoperable and scalable AuthZ infrastructure for distributed applications. The paper provides a short overview of the XACML policy format and policy obligations definition in the XACML specification. The paper analyses the basic use cases for obligations in computer Grids and on-...
متن کاملXACML and Risk-Aware Access Control
Over the last few years there has been a rapid development of technologies such as ubiquitous computing and distributed multi-agent systems. As a consequence an increasing need to share information securely in a distributed dynamic environment has arisen. Risk-aware access control (RAAC) has recently shown promise as an approach to addressing this need of flexible and dynamical access control r...
متن کاملObligations for Privacy and Confidentiality in Distributed Transactions
Existing access control systems are typically unilateral in that the enterprise service provider assigns the access rights and makes the access control decisions, and there is no negotiation between the client and the service provider. As access management systems lean towards being user-centric, unilateral approaches can no longer adequately preserve the user’s privacy, particularly where the ...
متن کاملA Prototype for Enforcing Usage Control Policies Based on XACML
The OASIS XACML standard emerged as a pure declarative language allowing to express access control. Later, it was enriched with the concept of obligations which must be carried out when the access is granted or denied. In our previous work, we presented U-XACML, an extension of XACML that allows to express Usage Control (UCON). In this paper we propose an architecture for the enforcement of U-X...
متن کاملFine-grained integration of access control policies
Collaborative and distributed applications, such as dynamic coalitions and virtualized grid computing, often require integrating access control policies of collaborating parties. Such an integration must be able to support complex authorization specifications and the finegrained integration requirements that the various parties may have. In this paper, we introduce an algebra for fine-grained i...
متن کامل