BP-XACML an Authorisation Policy Language for Business Processes
نویسندگان
چکیده
XACML has become the defacto standard for enterprisewide, policy-based access control. It is a structured, extensible language that can express and enforce complex access control policies. There have been several efforts to extend XACML to support specific authorisation models, such as the OASIS RBAC profile to support Role Based Access Control. A number of proposals for authorisation models that support business processes and workflow systems have also appeared in the literature. However, there is no published work describing an extension to allow XACML to be used as a policy language with these models. This paper analyses the specific requirements of a policy language to express and enforce business process authorisation policies. It then introduces BP-XACML, a new profile that extends the RBAC profile for XACML so it can support business process authorisation policies. In particular, BP-XACML supports the notion of tasks, and constraints at the level of a task instance, which are important requirements in enforcing business process authorisation policies.
منابع مشابه
Resolving Policy Conflicts - Integrating Policies from Multiple Authors
In this paper we show that the static conflict resolution strategy of XACML is not always sufficient to satisfy the policy needs of an organisation where multiple parties provide their own individual policies. Different conflict resolution strategies are often required for different situations. Thus combining one or more sets of policies into a single XACML ‘super policy’ that is evaluated by a...
متن کاملFine-grained Access-control for the Puppet Configuration Language
System configuration tools automate the configuration and management of IT infrastructures. However these tools fail to provide decent authorisation on configuration input. In this paper we apply fine-grained authorisation of individual changes on a complex input language of an existing tool. We developed a prototype that extracts meaningful changes from the language used in the Puppet tool. Th...
متن کاملAdding Support to XACML for Dynamic Delegation of Authority in Multiple Domains
In this paper we describe how we have added support for dynamic delegation of authority that is enacted via the issuing of credentials from one user to another, to the XACML model for authorisation decision making. Initially we present the problems and requirements that such a model demands, considering that multiple domains will typically be involved. We then describe our architected solution ...
متن کاملA security gateway for web service protocols
The advent of Web Services and service-oriented architectures is fundamentally changing the way we build our internal systems and how internal and external systems interact with each other. To reduce the costs of software systems while at the same time increasing the capabilities of the systems, more and more companies and organisations are adopting their IT systems to Web Service technologies....
متن کاملSecure Federated Authentication and Authorisation to GRID Portal Applications using SAML and XACML
Internationally, the need for federated Identity & Access Management continues to grow, as it allows users to get Single Sign-On access to external resources (a.k.a. Service Providers) using their home account and some attributes that are being released securely by their home organization (a.k.a. Identity Providers). In other words, it solves the problem of service providers needing to create a...
متن کامل