Skip to main content

Developing and Enforcing Policies for Access Control, Resource Usage, and Adaptation

– A Practical Approach –

  • Conference paper
  • First Online:
Web Services and Formal Methods (WS-FM 2013)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 8379))

Included in the following conference series:

Abstract

Policy-based software architectures are nowadays widely exploited to regulate different aspects of systems’ behavior, such as access control, resource usage, and adaptation. Several languages and technologies have been proposed as, e.g., the standard XACML. However, developing real-world systems using such approaches is still a tricky task, being them complex and error-prone. To overcome such difficulties, we advocate the use of FACPL, a formal policy language inspired to but simpler than XACML. FACPL has an intuitive syntax, a mathematical semantics and easy-to-use software tools supporting policy development and enforcement. We illustrate potentialities and effectiveness of our approach through a case study from the Cloud computing domain.

This work has been partially sponsored by the EU project ASCENS (257414) and by the Italian MIUR project CINA, PRIN 2010–2011.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 34.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 44.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    The algorithm deny-biased states: if the decision is permit and all obligations are successfully discharged, then the PEP grants access, otherwise it forbids access.

  2. 2.

    The algorithm permit-overrides states: if any policy among the considered ones evaluates to permit, then the decision is permit; otherwise, if all policies are found to be not-applicable, then the decision is not-applicable; in the remaining cases, the decision is deny or indeterminate according to specific error situations (see [7]).

References

  1. NIST: a survey of access control models (2009). http://csrc.nist.gov/news_events/privilege-management-workshop/PvM-Model-Survey-Aug26-2009.pdf

  2. OASIS XACML TC: eXtensible Access Control Markup Language (XACML) version 3.0 - Candidate OASIS Standard, September 2012

    Google Scholar 

  3. The epSOS project: a european ehealth project. http://www.epsos.eu

  4. The Nationwide Health Information Network (NHIN): an American eHealth Project (2009). http://healthit.hhs.gov/portal/server.pt

  5. OASIS: Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of XACML v2.0 for Healthcare v1.0 (2009)

    Google Scholar 

  6. OASIS Security Services TC: assertions and protocols for the OASIS security assertion markup language (SAML) v2.02 (2005)

    Google Scholar 

  7. Margheri, A., Masi, M., Pugliese, R., Tiezzi, F.: A formal software engineering approach to policy-based access control. Technical report, DiSIA, Univ. Firenze (2013). http://rap.dsi.unifi.it/facpl/research/Facpl-TR.pdf

  8. Mell, P., Grance, T.: The NIST Definition of Cloud Computing. NIST Special Publication 800–145 (2011)

    Google Scholar 

  9. Verma, D.C.: Service level agreements on IP networks. Proc. IEEE 92(9), 1382–1388 (2004)

    Article  Google Scholar 

  10. Bertolino, A., Daoudagh, S., Lonetti, F., Marchetti, E.: The X-CREATE framework - a comparison of XACML policy testing strategies. In: WEBIST. SciTePress, pp. 155–160 (2012)

    Google Scholar 

  11. Masi, M., Pugliese, R., Tiezzi, F.: Formalisation and implementation of the XACML access control mechanism. In: Barthe, G., Livshits, B., Scandariato, R. (eds.) ESSoS 2012. LNCS, vol. 7159, pp. 60–74. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  12. Busch, M., Koch, N., Masi, M., Pugliese, R., Tiezzi, F.: Towards model-driven development of access control policies for web applications. In: MDsec. ACM (2012)

    Google Scholar 

  13. Margheri, A., Masi, M., Pugliese, R., Tiezzi, F.: On a formal and user-friendly linguistic approach to access control of electronic health data. In: HEALTHINF. SciTePress (2013)

    Google Scholar 

  14. Khakpour, N., Jalili, S., Talcott, C.L., Sirjani, M., Mousavi, M.R.: Formal modeling of evolving self-adaptive systems. Sci. Comput. Program. 78(1), 3–26 (2012)

    Article  MATH  Google Scholar 

  15. IBM: autonomic computing policy language - ACPL. http://www.ibm.com/developerworks/tivoli/tutorials/ac-spl/

  16. Damianou, N., Dulay, N., Lupu, E.C., Sloman, M.: The ponder policy specification language. In: Sloman, M., Lobo, J., Lupu, E.C. (eds.) POLICY 2001. LNCS, vol. 1995, pp. 18–38. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  17. Sloman, M.: Policy driven management for distributed systems. J. Netw. Syst. Manage. 2(4), 333–360 (1994)

    Article  Google Scholar 

  18. Kolovski, V., Hendler, J.A., Parsia, B.: Analyzing web access control policies. In: WWW, pp. 677–686. ACM (2007)

    Google Scholar 

  19. Bryans, J.: Reasoning about XACML policies using CSP. In: SWS, pp. 28–35. ACM (2005)

    Google Scholar 

  20. Fisler, K., Krishnamurthi, S., Meyerovich, L.A., Tschantz, M.C.: Verification and change-impact analysis of access-control policies. In: ICSE, pp. 196–205. ACM (2005)

    Google Scholar 

  21. Proctor, S.: SUN XACML (2011). http://sunxacml.sf.net

  22. The Herasaf consortium \(\rm HERAS^{AF}\). http://www.herasaf.org

  23. Axiomatics: Axiomatics Language for Authorization (ALFA). http://www.axiomatics.com/axiomatics-alfa-plugin-for-eclipse.html

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Andrea Margheri .

Editor information

Editors and Affiliations

Appendix

Appendix

We report in this appendix the complete FACPL policies in force in the Cloud IaaS scenario. Specifically, the policies in Listing 1.1 aim at concentrating the workload on hypervisor HYPER_1, considered as the primary hypervisor, and using hypervisor HYPER_2 only when the other is fully loaded. A rationale underlying this policy can be, e.g., to save energy by keeping the secondary hypervisor in stand-by mode until its use becomes necessary. The policies in Listing 1.2, instead, aim at balancing the workload between the two hypervisors.

figure i
figure j

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Science and Engineering Faculty

About this paper

Cite this paper

Margheri, A., Masi, M., Pugliese, R., Tiezzi, F. (2014). Developing and Enforcing Policies for Access Control, Resource Usage, and Adaptation. In: Tuosto, E., Ouyang, C. (eds) Web Services and Formal Methods. WS-FM 2013. Lecture Notes in Computer Science(), vol 8379. Springer, Cham. https://doi.org/10.1007/978-3-319-08260-8_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-08260-8_6

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-08259-2

  • Online ISBN: 978-3-319-08260-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics