Access-Control Policy Administration in XACML
by Erik Rissanen and Babak Sadighi Firozabadi
In recent years, researchers at SICS have been looking at managing large numbers of access permissions in a dynamic and decentralized network. The main results of our work are a framework and a calculus, called privilege calculus, for access permissions and their administration.
The eXtensible Access Control Markup Language, XACML, is a very effective and now widely adopted standard language for expressing access control policies. The specification of XACML includes the language, its semantics and a framework for making access control decisions based on XACML policies. However, XACML is currently lacking an access control model for the policy itself.
The current XACML model of policy administration puts the access control of policy administration outside the policy model. To control who may edit the policy, mechanisms such as access control at the operating system level must be used. In large distributed systems, such mechanisms may prove difficult to manage. There may be a need to manage the policies in parts of the system not under the control and within the trust of a specific Policy Decision Point, for instance from a mobile device. The rights to change the policy may themselves be highly dynamic. Consequently, there is a need for the policy itself to have an access-control policy model. Our research has been focused on these issues.
The Policy-Based Reasoning group at SICS has for several years been performing research on how best to manage large numbers of access permissions in a dynamic and decentralized network. The main results of our research are a framework and a calculus, called privilege calculus. In the framework, we distinguish between access permissions and administrative permissions, both referred to as privileges. Privilege calculus allows us to reason about privileges and their administration. The core mechanism of privilege calculus is constrained delegation, which allows constraints to be put on the creation of privileges, access permissions or administrative permissions.
Recently, a number of XACML Technical Committee (TC) members have discussed the need for adding administrative support to XACML. The ideas discussed are very similar to the delegation mechanism of privilege calculus. We are now looking into the possibility of extending the current XACML specification and implementing our delegation model in Sun's open-source XACML implementation. Our work will be part of two projects, the TrustCom EU FP6 project and Decentralized Authorization Management in Network-Based Defence, in which we investigate the use of XACML as a policy language for distributed services in highly dynamic and decentralized networks.
Adding delegation to XACML involves defining new forms of policy that can express administrative rights, and a new processing model that can verify that delegations have been performed in an authorized manner. The new features of XACML help users to implement flexible decentralized access control management, for instance in the setting up of a large organization or joint business venture. This will reduce the administration costs of the organizations and make them more flexible. Having these features available in a standard access control language will make their use simpler and more widely adopted.
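The processing model described above, checking that every permission traces back through authorized, constrained delegations, can be sketched as follows. This is an added example in Python, not XACML syntax and not the authors' privilege calculus or implementation; the `Privilege` record, the `depth` limit, the `ROOT` authority and the sample policy set are assumptions made for illustration.

```python
from dataclasses import dataclass

ROOT = "root"  # assumed trusted source of all authority (hypothetical name)

@dataclass(frozen=True)
class Privilege:
    issuer: str            # who created this privilege
    holder: str            # who receives it
    resources: frozenset   # constraint: resources it may cover
    actions: frozenset     # constraint: actions it may cover
    depth: int = -1        # -1: access permission; n >= 0: administrative
                           # permission allowing n further delegation steps

def within(inner, outer):
    """True if inner stays inside the constraints of outer."""
    return inner.resources <= outer.resources and inner.actions <= outer.actions

def authorized(priv, policies):
    """True if priv was created by ROOT, or by the holder of an administrative
    permission that covers it and is itself authorized."""
    if priv.issuer == ROOT:
        return True
    # Each step up requires a strictly larger depth, so the recursion ends.
    return any(p.holder == priv.issuer and p.depth > priv.depth
               and within(priv, p) and authorized(p, policies)
               for p in policies)

def permits(subject, resource, action, policies):
    """Grant only on an access permission with a verified delegation chain."""
    return any(p.depth == -1 and p.holder == subject
               and resource in p.resources and action in p.actions
               and authorized(p, policies)
               for p in policies)

def priv(issuer, holder, resources, actions, depth=-1):
    return Privilege(issuer, holder, frozenset(resources), frozenset(actions), depth)

# Constructed sample policy set.
POLICIES = [
    priv(ROOT, "alice", {"hr-db", "payroll"}, {"read", "write"}, depth=1),
    priv("alice", "bob", {"hr-db"}, {"read"}, depth=0),
    priv("bob", "carol", {"hr-db"}, {"read"}),           # valid chain to ROOT
    priv("bob", "dave", {"hr-db"}, {"write"}),           # exceeds bob's constraint
    priv("bob", "eve", {"hr-db"}, {"read"}, depth=0),    # bob may not delegate further
    priv("eve", "frank", {"hr-db"}, {"read"}),           # rests on eve's invalid right
    priv("mallory", "mallory", {"payroll"}, {"write"}),  # no chain at all
]
```

A policy that is present in the store but whose chain does not verify is simply ignored at decision time, which is what lets policy be written from parts of the system the decision point does not trust.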
Babak Sadighi Firozabadi or Erik Rissanen, SICS, Sweden
Tel: +46 8 633 1500
E-mail: babak@sics.se, mirty@sics.se