Pii: S0169-023x(02)00127-1

EXtensible Markup Language (XML) security has become a relevant research topic due to the widespread use of XML as the language for information interchange and document definition over the Web. In this context, developing an access control mechanism in terms of XML is an important step for Web information security. In this paper, we present the protection and administration facilities of Author-X, a Java-based system for discretionary access control to XML documents. Relevant features of Author-X are both a set-oriented and a document-oriented credential-based document protection, a differentiated protection of document/document type contents through the support of multi-granularity protection objects and positive/negative authorizations, and the support for different access control strategies. In this paper, we focus on the strategies we have developed for enforcing access control. Additionally, we provide a description of the environment we have developed to help the Security Officer in performing administrative activities related to both security policy and subject credential management. 2002 Elsevier Science B.V. All rights reserved.