Reduction of access control decisions

C. Morisset, N. Zannone

Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

11 Citations (Scopus)
5 Downloads (Pure)


Access control has been proposed as "the" solution to prevent unauthorized accesses to sensitive system resources. Historically, access control models use a two-valued decision set to indicate whether an access should be granted or denied. Many access control models have extended the two-valued decision set to indicate, for instance, whether a policy is applicable to an access query or an error occurred during policy evaluation. Decision sets are often coupled with operators for combining decisions from multiple applicable policies. Although a larger decision set is more expressive, it may be necessary to reduce it to a smaller set in order to simplify the complexity of decision making or enable comparison between access control models. Moreover, some access control mechanisms like XACML v3 uses more than one decision set. The projection from one decision set to the other may result in a loss of accuracy, which can affect the final access decision. In this paper, we present a formal framework for the analysis and comparison of decision sets centered on the notion of decision reduction. In particular, we introduce the notion of safe reduction, which ensures that a reduction can be performed at any level of policy composition without changing the final decision. We demonstrate the framework by analyzing XACML v3 against the notion of safe reduction. From this analysis, we draw guidelines for the selection of the minimal decision set with respect to a given set of combining operators. Keywords: Policy evaluation, access decision, XACML, formal analysis
Original languageEnglish
Title of host publication19th ACM Symposium on Access Control Models and Technologies (SACMAT 2014, London ON, Canada, June 25-27, 2014)
Place of PublicationNew York NY
PublisherAssociation for Computing Machinery, Inc
ISBN (Print)78-1-4503-2939-2
Publication statusPublished - 2014
Event19th ACM Symposium on Access Control Models and Technologies (SACMAT 2014) - London, Canada
Duration: 25 Jun 201427 Jun 2014
Conference number: 19


Conference19th ACM Symposium on Access Control Models and Technologies (SACMAT 2014)
Abbreviated titleSACMAT 2014


Dive into the research topics of 'Reduction of access control decisions'. Together they form a unique fingerprint.

Cite this