Abstract
Access control is the process of mediating every request to resources and data maintained by a system and determining whether the request should be granted or denied. Access control plays an important role in overall system security. The development of an access control system requires the definition of the regulations (policies) according to which access is to be controlled and their implementation as functions executable by a computer system. The access control policies are usually formalized through a security model, stated through an appropriate specification language, and then enforced by the access control mechanism enforcing the access control service. The separation between policies and mechanisms introduces an independence between protection requirements to be enforced on the one side, and mechanisms enforcing them on the other. It is then possible to: i) discuss protection requirements independently of their implementation, ii) compare different access control policies as well as different mechanisms that enforce the same policy, and iii) design mechanisms able to enforce multiple policies. This latter aspect is particularly important: if a mechanism is tied to a specific policy, a change in the policy would require changing the whole access control system; mechanisms able to enforce multiple policies avoid this drawback. The formalization phase between the policy definition and its implementation as a mechanism allows the definition of a formal model representing the policy and its working, making it possible to define and prove security properties that systems enforcing the model will enjoy [30].
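The separation of policy from mechanism described in the abstract, as an added example that is not taken from the chapter: one enforcement mechanism mediates every request while the policy behind it is swapped from an access control list to a role-based one, and the two policies are compared without running the mechanism. All names (`Mechanism`, `acl_policy`, `role_policy`, `disagreements`) and the sample data are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

@dataclass(frozen=True)
class Request:
    subject: str
    action: str
    resource: str

Policy = Callable[[Request], bool]  # a policy maps a request to grant/deny

def acl_policy(acl: Dict[Tuple[str, str], Set[str]]) -> Policy:
    """Discretionary policy: (resource, action) -> subjects explicitly allowed."""
    return lambda r: r.subject in acl.get((r.resource, r.action), set())

def role_policy(user_roles: Dict[str, Set[str]],
                role_perms: Dict[str, Set[Tuple[str, str]]]) -> Policy:
    """Role-based policy: a subject holds a permission only through a role."""
    def decide(r: Request) -> bool:
        roles = user_roles.get(r.subject, set())
        return any((r.resource, r.action) in role_perms.get(x, set()) for x in roles)
    return decide

class Mechanism:
    """Enforcement point that knows nothing about how decisions are made."""
    def __init__(self, policy: Policy):
        self.policy = policy
        self.audit: List[Tuple[Request, bool]] = []

    def access(self, req: Request, operation: Callable[[], str]) -> str:
        granted = bool(self.policy(req))      # every request is mediated
        self.audit.append((req, granted))
        if not granted:                       # anything not granted is denied
            raise PermissionError(f"{req.subject} may not {req.action} {req.resource}")
        return operation()

def disagreements(p: Policy, q: Policy, requests: List[Request]) -> List[Request]:
    """Compare two policies on a set of requests, independent of any mechanism."""
    return [r for r in requests if p(r) != q(r)]

# Constructed sample policies and requests (not from the chapter).
ACL = acl_policy({("payroll.db", "read"): {"alice"}, ("payroll.db", "write"): {"alice"}})
RBAC = role_policy({"alice": {"auditor"}, "bob": {"clerk"}},
                   {"auditor": {("payroll.db", "read")},
                    "clerk": {("payroll.db", "read"), ("payroll.db", "write")}})
REQUESTS = [Request(s, a, "payroll.db") for s in ("alice", "bob", "eve") for a in ("read", "write")]

if __name__ == "__main__":
    monitor = Mechanism(ACL)
    print(monitor.access(REQUESTS[0], lambda: "rows"))
    monitor.policy = RBAC                     # policy change, mechanism untouched
    print(disagreements(ACL, RBAC, REQUESTS))
```

The audit list records denied requests as well as granted ones, so a policy change can be reviewed against the decisions the mechanism actually made.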
References
Abadi M, Lamport L (1992). Composing specifications. ACM Transactions on Programming Languages, 14(4):1–60.
Ardagna CA, Damiani E, De Capitani di Vimercati S, Samarati P (2004). XML-based access control languages. Information Security Technical Report.
Atkinson B, Della Libera GD, et al. (2002). Web services security (WS-Security). http://msdn.microsoft.com/library/en-us/dnglobspec/html/ws-security.asp.
Bell D (1994). Modeling the multipolicy machine. In Proc. of the New Security Paradigm Workshop, Little Compton, Rhode Island, USA.
Bertino E, Bettini C, Ferrari E, Samarati P (1998). An access control model supporting periodicity constraints and temporal reasoning. ACM Transactions on Database Systems, 23(3):231–285.
Bertino E, Bonatti P, Ferrari E (2001). TRBAC: a temporal role-based access control method. ACM Transactions on Information and System Security, 4(3): 191–223.
Bertino E, Jajodia S, Samarati P (1999). A flexible authorization mechanism for relational data management systems. ACM Transactions on Information Systems, 17(2):101–140.
Blaze M, Feigenbaum J, Lacy J (1996). Decentralized trust management. In Proc. of the 1996 IEEE Symposium on Security and Privacy, Oakland, CA, USA.
Bonatti P, De Capitani di Vimercati S, Samarati P (2002). An algebra for composing access control policies. ACM Transactions on Information and System Security, 5(1): 1–35.
Bonatti P, Samarati P (2002). A unified framework for regulating access and information release on the web. Journal of Computer Security, 10(3):241–272.
Box D, et al. (2003). Web services policy assertions language (WS-PolicyAssertions) version 1.1. http://msdn.microsoft.com/library/en-us/dnglobspec/html/ws-policyassertions.asp.
Box D, et al. (2003). Web Services Policy Attachment (WS-PolicyAttachment) version 1.1. http://msdn.microsoft.com/library/en-us/dnglobspec/html/ws-policyattachment.asp.
Box D, et al. (2003). Web services policy framework (WS-Policy) version 1.1. http://msdn.microsoft.com/library/en-us/dnglobspec/html/ws-policy.asp.
Damiani E, De Capitani di Vimercati S, Paraboschi S, Samarati P (2000). Securing XML documents. In Proc. of the 2000 International Conference on Extending Database Technology (EDBT2000), Konstanz, Germany.
Damiani E, De Capitani di Vimercati S, Paraboschi S, Samarati P (2002). A fine-grained access control system for XML documents. ACM Transactions on Information and System Security, 5(2): 169–202.
DeTreville J (2002). Binder, a logic-based security language. In Proc. of the 2001 IEEE Symposium on Security and Privacy, Oakland, CA, USA.
eXtensible Access Control Markup Language (XACML) Version 2.0 (2004). eXtensible Access Control Markup Language (XACML) Version 2.0. OASIS. http://www.oasis-open.org/committees/xacml.
Farrell S, Housley R (2002). An internet attribute certificate profile for authorization. RFC 3281.
Ferraiolo D, Kuhn R (1992). Role-based access controls. In Proc. of the 15th NIST-NSA National Computer Security Conference, Baltimore, Maryland.
Gabillon A (2004). An authorization model for XML databases. In Proc. of the ACM Workshop Secure Web Services, George Mason University, Fairfax, VA, USA.
Gabillon A, Bruno E (2001). Regulating access to XML documents. In Proc. of the Fifteenth Annual IFIP WG 11.3 Working Conference on Database Security, Niagara on the Lake, Ontario, Canada.
Gelfond M, Lifschitz V (1988). The stable model semantics for logic programming. In Proc. of the 5th International Conference and Symposium on Logic Programming, Cambridge, Massachusetts.
Gladman B, Ellison C, Bohm N (1999). Digital signatures, certificates and electronic commerce. http://jya.com/bg/digsig.pdf.
Hosmer H (1992). Metapolicies II. In Proc. of the 15th National Computer Security Conference, Baltimore, MD.
Jaeger T (2001). Access control in configurable systems. Lecture Notes in Computer Science, 1603:289–316.
Jajodia S, Samarati P, Sapino ML, Subrahmanian VS (2001). Flexible support for multiple access control policies. ACM Transactions on Database Systems, 26(2):214–260.
Jajodia S, Samarati P, Subrahmanian VS, Bertino E (1997). A unified framework for enforcing multiple access control policies. In Proc. of the 1997 ACM International SIGMOD Conference on Management of Data, Tucson, AZ.
Jim T (2001). Sd3: A trust management system with certified evaluation. In Proc. of the 2001 IEEE Symposium on Security and Privacy, Oakland, CA, USA.
Kudoh M, Hirayama Y, Hada S, Vollschwitz A (2000). Access control specification based on policy evaluation and enforcement model and specification language. In Symposium on Cryptography and Information Security (SCIS’2000), Japan.
Landwehr CF (1981). Formal models for computer security. ACM Computing Surveys, 13(3):247–278.
Li N, Feigenbaum J, Grosof B (1999). A logic-based knowledge representation for authorization with delegation. In Proc. of the 12th IEEE Computer Security Foundations Workshop, Washington, DC, USA.
Li N, Grosof B, Feigenbaum J (2003). Delegation logic: A logic-based approach to distributed authorization. ACM Transactions on Information and System Security, 6(1): 128–171.
Li N, Mitchell JC (2003). Datalog with constraints: A foundation for trust-management languages. In Proc. of the Fifth International Symposium on Practical Aspects of Declarative Languages (PADL 2003), New Orleans, LA, USA.
Li N, Mitchell JC, Winsborough WH (2002). Design of a role-based trust-management framework. In Proc. of the IEEE Symposium on Security and Privacy, Oakland, CA, USA.
McLean J (1988). The algebra of security. In Proc. of the 1988 IEEE Computer Society Symposium on Security and Privacy, Oakland, CA, USA.
Ryutov T, Zhou L, Neuman C, Leithead T, Seamons KE (2005). Adaptive trust negotiation and access control. In Proc. of the 10th ACM Symposium on Access Control Models and Technologies, Stockholm, Sweden.
Samarati P, De Capitani di Vimercati S (2001). Access control: Policies, models, and mechanisms. In Focardi R, Gorrieri R, editors, Foundations of Security Analysis and Design, LNCS 2171. Springer-Verlag.
Seamons KE, Winsborough W, Winslett M (1997). Internet credential acceptance policies. In Proc. of the Workshop on Logic Programming for Internet Applications, Leuven, Belgium.
Security Assertion Markup Language (SAML) V1.1 (2003). Security Assertion Markup Language (SAML) V1.1. OASIS. http://www.oasis-open.org/committees/security/.
Sterling L, Shapiro E (1997). The art of Prolog. MIT Press, Cambridge, MA.
Subrahmanian V, Adali S, Brink A, Lu J, Rajput A, Rogers T, Ross R, Ward C. Hermes: heterogeneous reasoning and mediator system. http://www.cs.umd.edu/projects/hermes.
The XACML Profile for Hierarchical Resources (2004). The XACML Profile for Hierarchical Resources. OASIS. http://www.oasis-open.org/committees/xacml.
van der Horst TW, Sundelin T, Seamons KE, Knutson CD (2004). Mobile trust negotiation: Authentication and authorization in dynamic mobile networks. In Proc. of the Eighth IFIP Conference on Communications and Multimedia Security, Lake Windermere, England.
Web services security policy (WS-SecurityPolicy) (2002). Web services security policy (WS-SecurityPolicy). http://www-106.ibm.com/developerworks/library/ws-secpol/.
Wijesekera D, Jajodia S (2003). A propositional policy algebra for access control. ACM Transactions on Information and System Security, 6(2):286–325.
Winsborough W, Seamons KE, Jones V (2000). Automated trust negotiation. In Proc. of the DARPA Information Survivability Conf. & Exposition, Hilton Head Island, SC, USA.
Winslett M, Ching N, Jones V, Slepchin I (1997). Assuring security and privacy for digital library transactions on the web: Client and server security policies. In Proc. of the ADL’ 97 — Forum on Research and Tech. Advances in Digital Libraries, Washington, DC.
Woo TYC, Lam SS (1993). Authorizations in distributed systems: A new approach. Journal of Computer Security, 2(2,3):107–136.
World Wide Web Consortium (W3C) (2004). eXtensible Markup Language (XML) 1.0 (Third Edition). World Wide Web Consortium (W3C). http://www.w3.org/TR/REC-xml.
Yu T, Ma X, Winslett M (2000). An efficient complete strategy for automated trust negotiation over the Internet. In Proc. of the 7th ACM Computer and Communication Security, Athens, Greece.
Yu T, Winslett M (2003). A unified scheme for resource protection in automated trust negotiation. In Proc. of the IEEE Symposium on Security and Privacy, Berkeley, California.
Yu T, Winslett M, Seamons KE (2001). Interoperable strategies in automated trust negotiation. In Proc. of the 8th ACM Conference on Computer and Communications Security, Philadelphia, Pennsylvania.
Yu T, Winslett M, Seamons KE (2003). Supporting structured credentials and sensitive policies through interoperable strategies for automated trust. ACM Transactions on Information and System Security, 6(1): 1–42.
© 2007 Springer Science+Business Media, LLC
About this chapter
Cite this chapter
De Capitani di Vimercati, S., Foresti, S., Jajodia, S., Samarati, P. (2007). Access Control Policies and Languages in Open Environments. In: Yu, T., Jajodia, S. (eds) Secure Data Management in Decentralized Systems. Advances in Information Security, vol 33. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-27696-0_2
DOI: https://doi.org/10.1007/978-0-387-27696-0_2
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-27694-6
Online ISBN: 978-0-387-27696-0
eBook Packages: Computer Science (R0)