JACPoL: A Simple but Expressive JSON-Based Access Control Policy Language

  • Hao Jiang
  • Ahmed BouabdallahEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10741)


Along with the rapid development of ICT technologies, new areas like Industry 4.0, IoT and 5G have emerged and brought out the need for protecting shared resources and services under time-critical and energy-constrained scenarios with real-time policy-based access control. The process of policy evaluation under these circumstances must be executed within an unobservable delay and strictly comply with security objectives. To achieve this, the policy language needs to be very expressive but lightweight and efficient. Many existing implementations are using XML (Extensible Markup Language) to encode policies, which is verbose, inefficient to parse, and not readable by humans. On the contrary, JSON (JavaScript Object Notation) is a lightweight, text-based and language-independent data-interchange format that is simple for humans to read and write and easy for machines to parse and generate. Several attempts have emerged to convert existing XML policies and requests into JSON, however, there are very few policy specification proposals that are based on JSON with well-defined syntax and semantics. This paper investigates these challenges, and identifies a set of key requirements for a policy language to optimize the policy evaluation performance. According to these performance requirements, we introduce JACPoL, a descriptive, scalable and expressive policy language in JSON. JACPoL by design provides a flexible and fine-grained ABAC (Attribute-based Access Control), and meanwhile it can be easily tailored to express a broad range of other access control models. This paper systematically illustrates the design and implementation of JACPoL and evaluates it in comparison with other existing policy languages. The result shows that JACPoL can be as expressive as existing ones but more simple, scalable and efficient.


Real-time access control Lightweight policy language JSON Fast policy evaluation 



This work has received funding from the European Union’s Horizon 2020 research and innovation programme under the grant agreement No. 645342, project reTHINK. We gratefully acknowledge support from our colleagues in this project, Jamal Boulmal (Apizee), Jean-Michel Crom and Simon Becot (Orange Labs). This work would hardly be possible without their valuable suggestions and help.


  1. 1.
    Yavatkar, R., Pendarakis, D., Guerin, R.: A Framework for Policy-Based Admission Control. IETF, RFC 2753, January 2000Google Scholar
  2. 2.
    Borders, K., Zhao, X., Prakash, A.: CPOL: high-performance policy evaluation. In: The 12th ACM Conference on Computer and Communications Security. ACM (2005)Google Scholar
  3. 3.
    reTHINK Project Testbed: Deliverable D6.1: Testbed Specification (2016). Accessed 17 May 2017
  4. 4.
    He, L., Qiu, X., Wang, Y., Gao, T.: Design of policy language expression in SIoT. In: Wireless and Optical Communication Conference, pp. 321–326. IEEE (2013)Google Scholar
  5. 5.
    Damianou, N., Dulay, N., Lupu, E., Sloman, M.: The ponder policy specification language. In: Sloman, M., Lupu, E.C., Lobo, J. (eds.) POLICY 2001. LNCS, vol. 1995, pp. 18–38. Springer, Heidelberg (2001). Scholar
  6. 6.
    Ashley, P., Hada, S., Karjoth, G., Powers, C., Schunter, M.: Enterprise privacy authorization language (EPAL). IBM Research, March 2003Google Scholar
  7. 7.
    Bhatti, R., Ghafoor, A., Bertino, E., Joshi, J.B.: X-GTRBAC: an XML-based policy specification framework and architecture for enterprise-wide access control. ACM Trans. Inf. Syst. Secur. (TISSEC) 8(2), 187–227 (2005)CrossRefGoogle Scholar
  8. 8.
    OASIS XACML Technical Committee: eXtensible access control markup language (XACML) Version 3.0. Oasis Standard, OASIS (2013). Accessed 17 May 2017
  9. 9.
    Crampton, J., Morisset, C.: PTaCL: a language for attribute-based access control in open systems. In: Degano, P., Guttman, J.D. (eds.) POST 2012. LNCS, vol. 7215, pp. 390–409. Springer, Heidelberg (2012). Scholar
  10. 10.
    Crockford, D.: JSON – The fat-free alternative to XML, vol. 2006. Accessed 17 May 2017
  11. 11.
    El-Aziz, A.A., Kannan, A.: JSON encryption. In: 2014 International Conference on Computer Communication and Informatics (ICCCI). IEEE (2014)Google Scholar
  12. 12.
    Griffin, L., Butler, B., de Leastar, E., Jennings, B., Botvich, D.: On the performance of access control policy evaluation. In: 2012 IEEE International Symposium on Policies for Distributed Systems and Networks (POLICY), pp. 25–32. IEEE (2012)Google Scholar
  13. 13.
    W3schools: JSON vs XML. Accessed 24 May 2017
  14. 14.
    Ferraiolo, D.F., Kuhn, D.R.: Role-based Access Controls. arXiv preprint arXiv: 0903.2171, 12 March 2009
  15. 15.
    Hu, V.C., Ferraiolo, D., Kuhn, R., et al.: Guide to attribute based access control (ABAC) definition and considerations. NIST Special Publication 800.162 (2013)Google Scholar
  16. 16.
    Empower ID: Best practices in enterprise authorization: The RBAC/ABAC hybrid approach. Empower ID, White paper (2013)Google Scholar
  17. 17.
    Coyne, E., Weil, T.R.: ABAC and RBAC: scalable, flexible, and auditable access management. IT Prof. 15(3), 0014–16 (2013)CrossRefGoogle Scholar
  18. 18.
    David, B.: JSON Profile of XACML 3.0 Version 1.0. XACML Committee Specification 01, 11 December 2014. Accessed 26 May 2017
  19. 19.
    Steven, D., Bernard, B., Leigh, G.: JSON-encoded ABAC (XACML) policies. FAME project of Waterford Institute of Technology. Presentation to OASIS XACML TC concerning JSON-encoded XACML policies, 30 May 2013Google Scholar
  20. 20.
    Amazon Web Services: AWS Identity and Access Management (IAM) User Guide. Accessed 27 May 2017
  21. 21.
    ECMA International: ECMA-404 The JSON Data Interchange Standard. Accessed 27 May 2017
  22. 22.
    Ferraiolo, D., et al.: Extensible access control markup language (XACML) and next generation access control (NGAC). In: Proceedings of the 2016 ACM International Workshop on Attribute Based Access Control. ACM (2016)Google Scholar
  23. 23.
    reTHINK Project. Accessed 27 May 2017
  24. 24.
  25. 25.
    reTHINK Deliverable 6.4: Assessment Report, reTHINK H2020 ProjectGoogle Scholar
  26. 26.
    Obrsta, L., McCandlessb, D., Ferrella, D.: Fast semantic attribute-role-based access control (ARBAC) in a collaborative environment. In: 2012 8th International Conference on Collaborative Computing: Networking, Applications and Worksharing (CollaborateCom), Pittsburgh, PA, USA, 14–17 October 2012Google Scholar
  27. 27.
    Jin, X., Sandhu, R., Krishnan, R.: RABAC: role-centric attribute-based access control. In: Kotenko, I., Skormin, V. (eds.) MMM-ACNS 2012. LNCS, vol. 7531, pp. 84–96. Springer, Heidelberg (2012). Scholar
  28. 28.
    Kuhn, D.R., Coyne, E.J., Weil, T.R.: Adding attributes to role-based access control. Computer 43(6), 79–81 (2010)CrossRefGoogle Scholar
  29. 29.
    Kagal, L., Finin, T., Joshi, A.: A policy language for a pervasive computing environment. In: IEEE 4th International Workshop on Proceedings of Policies for Distributed Systems and Networks, POLICY 2003. IEEE (2003)Google Scholar
  30. 30.
    Hada, S., Kudo, M.: XML Access Control Language: provisional authorization for XML documents (2000)Google Scholar
  31. 31.
    Uszok, A., Bradshaw, J.M., Jeffers, R.: KAoS: a policy and domain services framework for grid computing and semantic web services. In: Jensen, C., Poslad, S., Dimitrakos, T. (eds.) iTrust 2004. LNCS, vol. 2995, pp. 16–26. Springer, Heidelberg (2004). Scholar
  32. 32.
    Jajodia, S., Samarati, P., Subrahmanian, V.S.: A logical language for expressing authorizations. In: Proceedings of IEEE Symposium on Security and Privacy. IEEE (1997)Google Scholar
  33. 33.
    Neuhaus, C., Polze, A., Chowdhuryy, M.M.: Survey on healthcare IT systems: standards, regulations and security. No. 45. Universitätsverlag Potsdam (2011)Google Scholar
  34. 34.
    Jiang, H., Bouabdallah, A.: Towards A JSON-Based Fast Policy Evaluation Framework. Work in progressGoogle Scholar

Copyright information

© IFIP International Federation for Information Processing 2018

Authors and Affiliations

  1. 1.IMT AtlantiqueCesson-SevigneFrance

Personalised recommendations