XACML Policy Inconsistency Analysis and Resolution

Authors

  • Teo Poh Kuang
  • Hamidah Ibrahim
  • Nur Izura Udzir
  • Fatimah Sidi
Abstract

Modality inconsistency is one of the challenges of security policy evaluation; it arises when both positive and negative authorizations exist for a given subject-object pair. An inconsistency analysis model is needed to discover inconsistency based on the inheritance relationship between concepts and to resolve it by using predefined resolution rules. Previous studies handle modality inconsistency by providing the hierarchy of subjects and objects and simple condition evaluation, such as string equality matching. They do not identify modality inconsistency when a concept inherits conflicting decisions from its superclasses on the basis of the partially ordered structures obtained from the subject hierarchy, object hierarchy, and spatial hierarchy. An inconsistency analysis model is proposed in this paper to detect and resolve inconsistent policies during security policy evaluation. Our inconsistency analysis model analyzes all possible violations that might exist among security policies based on role hierarchy, object hierarchy, and spatial hierarchy. In addition, a comparison with previous works shows that our inconsistency model is more effective in detecting inconsistency than those works.

Similar resources

Analysis and Verification of XACML Policies in a Medical Cloud Environment

The connectivity of devices, machines and people via Cloud infrastructure can support collaborations among doctors and specialists from different medical organisations. Such collaborations may lead to data sharing and joint tasks and activities. Hence, the collaborating organisations are responsible for managing and protecting data they share. Therefore, they should define a set of access contr...

Resolving Policy Conflicts - Integrating Policies from Multiple Authors

In this paper we show that the static conflict resolution strategy of XACML is not always sufficient to satisfy the policy needs of an organisation where multiple parties provide their own individual policies. Different conflict resolution strategies are often required for different situations. Thus combining one or more sets of policies into a single XACML ‘super policy’ that is evaluated by a...

Formalizing XACML Using Defeasible Description Logics

XACML has emerged as a popular access control language on the Web, but because of its rich expressiveness, it has proved difficult to analyze in an automated fashion. Previous attempts to analyze XACML policies either use propositional logic or full First-Order logic. In this paper, we present a formalization of XACML using Description Logics (DL). This formalization allows us to extend the su...

Formal analysis of XACML policies using SMT

The eXtensible Access Control Markup Language (XACML) has attracted significant attention from both industry and academia, and has become the de facto standard for the specification of access control policies. However, its XML-based verbose syntax and rich set of constructs make the authoring of XACML policies difficult and error-prone. Several automated tools have been proposed to analyze XACM...

Statistics & Clustering Based Framework for Efficient XACML Policy Evaluation

The adoption of XACML as the standard for specifying access control policies for various applications, especially web services is vastly increasing. A policy evaluation engine can easily become a bottleneck when enforcing large policies. In this paper we propose an adaptive approach for XACML policy optimization. We proposed a clustering technique that categorizes policies and rules within a po...

Publication date: 2014