Reduction of access control decisions

C. Morisset, N. Zannone

Onderzoeksoutput: Hoofdstuk in Boek/Rapport/CongresprocedureConferentiebijdrageAcademicpeer review

9 Citaten (Scopus)
2 Downloads (Pure)


Access control has been proposed as "the" solution to prevent unauthorized accesses to sensitive system resources. Historically, access control models use a two-valued decision set to indicate whether an access should be granted or denied. Many access control models have extended the two-valued decision set to indicate, for instance, whether a policy is applicable to an access query or an error occurred during policy evaluation. Decision sets are often coupled with operators for combining decisions from multiple applicable policies. Although a larger decision set is more expressive, it may be necessary to reduce it to a smaller set in order to simplify the complexity of decision making or enable comparison between access control models. Moreover, some access control mechanisms like XACML v3 uses more than one decision set. The projection from one decision set to the other may result in a loss of accuracy, which can affect the final access decision. In this paper, we present a formal framework for the analysis and comparison of decision sets centered on the notion of decision reduction. In particular, we introduce the notion of safe reduction, which ensures that a reduction can be performed at any level of policy composition without changing the final decision. We demonstrate the framework by analyzing XACML v3 against the notion of safe reduction. From this analysis, we draw guidelines for the selection of the minimal decision set with respect to a given set of combining operators. Keywords: Policy evaluation, access decision, XACML, formal analysis
Originele taal-2Engels
Titel19th ACM Symposium on Access Control Models and Technologies (SACMAT 2014, London ON, Canada, June 25-27, 2014)
Plaats van productieNew York NY
UitgeverijAssociation for Computing Machinery, Inc
ISBN van geprinte versie78-1-4503-2939-2
StatusGepubliceerd - 2014
Evenement19th ACM Symposium on Access Control Models and Technologies (SACMAT 2014) - London, Canada
Duur: 25 jun 201427 jun 2014
Congresnummer: 19


Congres19th ACM Symposium on Access Control Models and Technologies (SACMAT 2014)
Verkorte titelSACMAT 2014
Ander19th ACM Symposium on Access Control Models and Technologies

Vingerafdruk Duik in de onderzoeksthema's van 'Reduction of access control decisions'. Samen vormen ze een unieke vingerafdruk.

Citeer dit