
JACPoL: A Simple but Expressive JSON-Based Access Control Policy Language

Conference paper, Information Security Theory and Practice (WISTP 2017)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10741)

Abstract

Along with the rapid development of ICT, new areas such as Industry 4.0, IoT and 5G have emerged and brought with them the need to protect shared resources and services under time-critical and energy-constrained conditions with real-time, policy-based access control. Under these circumstances, policy evaluation must complete within an unobservable delay while strictly complying with the security objectives. To achieve this, the policy language needs to be highly expressive yet lightweight and efficient. Many existing implementations encode policies in XML (Extensible Markup Language), which is verbose, inefficient to parse and hard for humans to read. By contrast, JSON (JavaScript Object Notation) is a lightweight, text-based and language-independent data-interchange format that is simple for humans to read and write and easy for machines to parse and generate. Several attempts have been made to convert existing XML policies and requests into JSON; however, very few policy specification proposals are based on JSON with well-defined syntax and semantics. This paper investigates these challenges and identifies a set of key requirements that a policy language must satisfy to optimize policy evaluation performance. Guided by these performance requirements, we introduce JACPoL, a descriptive, scalable and expressive policy language in JSON. By design, JACPoL provides flexible and fine-grained ABAC (Attribute-Based Access Control), and it can also be easily tailored to express a broad range of other access control models. The paper systematically describes the design and implementation of JACPoL and evaluates it against other existing policy languages. The results show that JACPoL can be as expressive as existing languages while being simpler, more scalable and more efficient.



Acknowledgement

This work has received funding from the European Union’s Horizon 2020 research and innovation programme under the grant agreement No. 645342, project reTHINK. We gratefully acknowledge support from our colleagues in this project, Jamal Boulmal (Apizee), Jean-Michel Crom and Simon Becot (Orange Labs). This work would hardly be possible without their valuable suggestions and help.

Author information

Corresponding author: Ahmed Bouabdallah.


Copyright information

© 2018 IFIP International Federation for Information Processing

About this paper


Cite this paper

Jiang, H., Bouabdallah, A. (2018). JACPoL: A Simple but Expressive JSON-Based Access Control Policy Language. In: Hancke, G., Damiani, E. (eds) Information Security Theory and Practice. WISTP 2017. Lecture Notes in Computer Science(), vol 10741. Springer, Cham. https://doi.org/10.1007/978-3-319-93524-9_4

  • DOI: https://doi.org/10.1007/978-3-319-93524-9_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-93523-2

  • Online ISBN: 978-3-319-93524-9

  • eBook Packages: Computer Science (R0)