Skip to main content
SpringerLink
Log in

Idea: Efficient Evaluation of Access Control Constraints

  • Conference paper
Engineering Secure Software and Systems (ESSoS 2010)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 5965))

Included in the following conference series:

Abstract

Business requirements for modern enterprise systems usually comprise a variety of dynamic constraints, i.e., constraints that require a complex set of context information only available at runtime. Thus, the efficient evaluation of dynamic constraints, e.g., expressing separation of duties requirements, becomes an important factor for the overall performance of the access control enforcement.

In distributed systems, e. g., based on the service-oriented architecture (soa), the time for evaluating access control constraints depends significantly on the protocol between the central Policy Decision Point (pdp) and the distributed Policy Enforcement Points (peps).

In this paper, we present a policy-driven approach for generating customized protocol for the communication between the pdp and the peps. We provide a detailed comparison of several approaches for querying context information during the evaluation of access control constraints.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Anderson, A.H.: A comparison of two privacy policy languages: epal and xacml. In: ACM workshop on Secure Web services (SWS), pp. 53–60. ACM Press, New York (2006)

    Chapter  Google Scholar 

  2. Ashley, P., Hada, S., Karjoth, G., Powers, C., Schunter, M.: Enterprise privacy authorization language (epal 1.2). Tech. rep., ibm (2003), http://www.zurich.ibm.com/security/enterprise-privacy/epal

  3. Basel Committee on Banking Supervision: Basel II: International convergence of capital measurement and capital standards. Tech. rep., Bank for International Settlements, Basel, Switzerland (2004), http://www.bis.org/publ/bcbsca.htm

  4. Basin, D.A., Doser, J., Lodderstedt, T.: Model driven security: From uml models to access control infrastructures. acm Transactions on Software Engineering and Methodology 15(1), 39–91 (2006)

    Article  Google Scholar 

  5. Brucker, A.D., Doser, J., Wolff, B.: An mda framework supporting ocl. Electronic Communications of the easst 5 (2006)

    Google Scholar 

  6. Chadwick, D., Zhao, G., Otenko, S., Laborde, R., Su, L., Nguyen, T.A.: permis: a modular authorization infrastructure. Concurrency and Computation: Practice & Experience 20(11), 1341–1357 (2008)

    Article  Google Scholar 

  7. Chen, H., Li, N.: Constraint generation for separation of duty. In: acm symposium on access control models and technologies (sacmat), pp. 130–138. ACM Press, New York (2006)

    Google Scholar 

  8. Crampton, J., Leung, W., Beznosov, K.: The secondary and approximate authorization model and its application to Bell-LaPadula policies. In: acm symposium on access control models and technologies (sacmat), pp. 111–120. ACM Press, New York (2006)

    Google Scholar 

  9. Kapsalis, V., Hadellis, L., Karelis, D., Koubias, S.: A dynamic context-aware access control architecture for e-services. Computers & Security 25(7), 507–521 (2006)

    Article  Google Scholar 

  10. Karjoth, G.: Access control with ibm Tivoli access manager. acm Transactions on Information and System Security 6(2), 232–257 (2003)

    Article  Google Scholar 

  11. Kohler, M., Brucker, A.D., Schaad, A.: ProActive Caching: Generating caching heuristics for business process environments. In: Conference on Computational Science and Engineering (cse), vol. 3, pp. 207–304. IEEE Computer Society, Los Alamitos (2009)

    Google Scholar 

  12. Kohler, M., Schaad, A.: Pro active access control for business process-driven environments. In: Annual Computer Security Applications Conference (acsac) (2008)

    Google Scholar 

  13. Liu, A.X., Chen, F., Hwang, J., Xie, T.: XEngine: A fast and scalable xacml policy evaluation engine. In: Conference on Measurement and Modeling of Computer Systems, Sigmetrics (2008)

    Google Scholar 

  14. Miseldine, P.L.: Automated xacml policy reconfiguration for evaluation optimisation. In: Software engineering for secure systems (sess), pp. 1–8. ACM Press, New York (2008)

    Google Scholar 

  15. OASIS: eXtensible Access Control Markup Language (xacml) 2.0 (2005), http://docs.oasis-open.org/xacml/2.0/XACML-2.0-OS-NORMATIVE.zip

  16. Sarbanes, P., Oxley, G., et al.: Sarbanes-Oxley Act of 2002. 107th Congress Report, House of Representatives, pp. 107–610 (2002)

    Google Scholar 

  17. Schaad, A., Spadone, P., Weichsel, H.: A case study of separation of duty properties in the context of the Austrian “eLaw” process. In: acm symposium on applied computing (SAC), pp. 1328–1332. ACM Press, New York (2005)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. SAP Research, Vincenz-Priessnitz-Str. 1, 76131, Karlsruhe, Germany

    Achim D. Brucker & Helmut Petritsch

Authors
  1. Achim D. Brucker
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Helmut Petritsch
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Dipartimento Ingegneria e Scienza dell’Informazione, Università di Trento, Via Sommarive 14, 38050, Povo (Trento), Italy

    Fabio Massacci

  2. Department of Computer Science, Rice University, 3122 Duncan Hall, 6100 Main Street, TX 77005, Houston, USA

    Dan Wallach

  3. Faculty of Mathematics and Computer Science, Eindhoven University of Technology, Den Dolech 2, 5612, Eindhoven, AZ, The Netherlands

    Nicola Zannone

Rights and permissions

Reprints and permissions

Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Brucker, A.D., Petritsch, H. (2010). Idea: Efficient Evaluation of Access Control Constraints. In: Massacci, F., Wallach, D., Zannone, N. (eds) Engineering Secure Software and Systems. ESSoS 2010. Lecture Notes in Computer Science, vol 5965. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-11747-3_12

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-11747-3_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-11746-6

  • Online ISBN: 978-3-642-11747-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation