Decision Diagrams for XACML Policy Evaluation and Management

One of the primary challenges to apply the XACML access control policy language in applications is the performance problem of policy evaluation engines, particularly when they experience a great number of policies. Some existing works attempted to solve this problem, but only for some particular use...

Full description

Saved in:
Bibliographic Details
Published in:Computers & security 2015-03, Vol.49, p.1-16
Main Authors: Ngo, Canh, Demchenko, Yuri, de Laat, Cees
Format: Article
Language:English
Subjects:
Access control
Authorization
Decision diagram
Decision making models
Diagrams
Extensible Markup Language
Interval partition processing
Policy evaluation
Semantics
Studies
XACML
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:One of the primary challenges to apply the XACML access control policy language in applications is the performance problem of policy evaluation engines, particularly when they experience a great number of policies. Some existing works attempted to solve this problem, but only for some particular use-cases: either supporting simple policies with equality comparisons or predefined attribute values. Due to the lack of carefully checking the XACML model, they did not have original policy evaluation semantics. Therefore, they cannot handle errors containing indeterminate decisions, or ignore the critical attribute setting that leads to potential missing attribute attacks. In this paper, we build up the XACML logical model and propose a decision diagram approach using the data interval partition aggregation. It can parse and transform complex logical expressions in policies into decision tree structures, which efficiently improve the policy evaluation performance. Our approach can also be applied to solve other policy management problems such as policy redundancy detection, policy testings and comparisons, or authorization reverse queries.
ISSN:0167-4048
1872-6208
DOI:10.1016/j.cose.2014.11.003