An access control framework for security policies with complex constraints

Most of current access control systems are not expressive enough for current applications, in the sense that they cannot express several access control policies required by them. Most of these applications have no choice but to build their owned very specific access control systems completely independently from other applications running on the same environment, which entails potential incoherencies and management problems. Thus the development of expressive access control systems able to accommodate the needs of current applications is essential. However, the increment on expressiveness should not compromise the performance of the mechanisms which enforce the policies, neither should it contribute for the incoherency of those policies. In this dissertation it is developed an access control framework which is flexible enough to accommodate most access control policies required by current applications and simultaneously ensures coherency and performance of policy enforcement. The framework is capable to express and enforce several access control policies which are usually only expressed and enforce within specific applications. Namely, history-based policies and obligation-based policies. The complexity and size of access control policies for large organizations raises scale problems both in terms of performance and in terms of policy design. The developed framework addresses both issues. The first one is minimized by an index generated by the policy language compiler developed within the framework. The second is minimized by the structure of the policy language itself, which allows for composition and redefinition of access control policies. The coherency of access control policies expressed and enforced by the framework is achieved by a incoherency detection tool which is able to detect several types of policy incoherencies, including several identified by this dissertation.