Idea: Efficient Evaluation of Access Control Constraints

  • Achim D. Brucker
  • Helmut Petritsch
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5965)


Business requirements for modern enterprise systems usually comprise a variety of dynamic constraints, i.e., constraints that require a complex set of context information only available at runtime. Thus, the efficient evaluation of dynamic constraints, e.g., expressing separation of duties requirements, becomes an important factor for the overall performance of the access control enforcement.

In distributed systems, e. g., based on the service-oriented architecture (soa), the time for evaluating access control constraints depends significantly on the protocol between the central Policy Decision Point (pdp) and the distributed Policy Enforcement Points (peps).

In this paper, we present a policy-driven approach for generating customized protocol for the communication between the pdp and the peps. We provide a detailed comparison of several approaches for querying context information during the evaluation of access control constraints.


distributed policy enforcement xacml access control 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Anderson, A.H.: A comparison of two privacy policy languages: epal and xacml. In: ACM workshop on Secure Web services (SWS), pp. 53–60. ACM Press, New York (2006)CrossRefGoogle Scholar
  2. 2.
    Ashley, P., Hada, S., Karjoth, G., Powers, C., Schunter, M.: Enterprise privacy authorization language (epal 1.2). Tech. rep., ibm (2003),
  3. 3.
    Basel Committee on Banking Supervision: Basel II: International convergence of capital measurement and capital standards. Tech. rep., Bank for International Settlements, Basel, Switzerland (2004),
  4. 4.
    Basin, D.A., Doser, J., Lodderstedt, T.: Model driven security: From uml models to access control infrastructures. acm Transactions on Software Engineering and Methodology 15(1), 39–91 (2006)CrossRefGoogle Scholar
  5. 5.
    Brucker, A.D., Doser, J., Wolff, B.: An mda framework supporting ocl. Electronic Communications of the easst 5 (2006)Google Scholar
  6. 6.
    Chadwick, D., Zhao, G., Otenko, S., Laborde, R., Su, L., Nguyen, T.A.: permis: a modular authorization infrastructure. Concurrency and Computation: Practice & Experience 20(11), 1341–1357 (2008)CrossRefGoogle Scholar
  7. 7.
    Chen, H., Li, N.: Constraint generation for separation of duty. In: acm symposium on access control models and technologies (sacmat), pp. 130–138. ACM Press, New York (2006)Google Scholar
  8. 8.
    Crampton, J., Leung, W., Beznosov, K.: The secondary and approximate authorization model and its application to Bell-LaPadula policies. In: acm symposium on access control models and technologies (sacmat), pp. 111–120. ACM Press, New York (2006)Google Scholar
  9. 9.
    Kapsalis, V., Hadellis, L., Karelis, D., Koubias, S.: A dynamic context-aware access control architecture for e-services. Computers & Security 25(7), 507–521 (2006)CrossRefGoogle Scholar
  10. 10.
    Karjoth, G.: Access control with ibm Tivoli access manager. acm Transactions on Information and System Security 6(2), 232–257 (2003)CrossRefGoogle Scholar
  11. 11.
    Kohler, M., Brucker, A.D., Schaad, A.: ProActive Caching: Generating caching heuristics for business process environments. In: Conference on Computational Science and Engineering (cse), vol. 3, pp. 207–304. IEEE Computer Society, Los Alamitos (2009)Google Scholar
  12. 12.
    Kohler, M., Schaad, A.: Pro active access control for business process-driven environments. In: Annual Computer Security Applications Conference (acsac) (2008)Google Scholar
  13. 13.
    Liu, A.X., Chen, F., Hwang, J., Xie, T.: XEngine: A fast and scalable xacml policy evaluation engine. In: Conference on Measurement and Modeling of Computer Systems, Sigmetrics (2008)Google Scholar
  14. 14.
    Miseldine, P.L.: Automated xacml policy reconfiguration for evaluation optimisation. In: Software engineering for secure systems (sess), pp. 1–8. ACM Press, New York (2008)Google Scholar
  15. 15.
    OASIS: eXtensible Access Control Markup Language (xacml) 2.0 (2005),
  16. 16.
    Sarbanes, P., Oxley, G., et al.: Sarbanes-Oxley Act of 2002. 107th Congress Report, House of Representatives, pp. 107–610 (2002)Google Scholar
  17. 17.
    Schaad, A., Spadone, P., Weichsel, H.: A case study of separation of duty properties in the context of the Austrian “eLaw” process. In: acm symposium on applied computing (SAC), pp. 1328–1332. ACM Press, New York (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Achim D. Brucker
    • 1
  • Helmut Petritsch
    • 1
  1. 1.SAP ResearchKarlsruheGermany

Personalised recommendations