An Attributes-Based Access Control Architecture within Large-Scale Device Collaboration Systems Using XACML

  • Feng Liang
  • Haoming Guo
  • Shengwei Yi
  • Xiaoqiang Zhang
  • Shilong Ma
Conference paper
Part of the Lecture Notes in Electrical Engineering book series (LNEE, volume 113)


Large-scale device collaboration systems span multiple domains and contain a large number of heterogeneous distributed devices, so they require a fine-grained, flexible and secure mechanism for device access control. This chapter presents and evaluates a distributed device access control architecture, Multiple Policies supported Attribute-Based Access Control (MPABAC), to support device authentication and authorization among multiple domains. Based on the eXtensible Access Control Markup Language (XACML) standard and the Attribute-Based Access Control (ABAC) model, this architecture supports cross-domain authentication and authorization, hierarchical policy combination and enforcement, unified device access control and fine-grained attribute-based privilege description. Experiments show that the performance of this implementation is acceptable within the production environment.


Large-scale device collaboration system; Hierarchical policy decision point; Multiple policies attributed-based access control



This research work was supported by both the self-conducted exploratory research program “Green Lighting in Internet of Things” from State Key Laboratory for Software Development Environment in China (No. SKLSDE-2010ZX-06) and the Special Program for Seism-Scientific Research in Public Interest “Research in Online Processing Technologies for Seismological Precursory Network Dynamic Monitoring and Products” (No. 201008002).



Copyright information

© Springer Science+Business Media B.V. 2012

Authors and Affiliations

  • Feng Liang (1)
  • Haoming Guo (1)
  • Shengwei Yi (1)
  • Xiaoqiang Zhang (1)
  • Shilong Ma (1)

  1. State Key Laboratory of Software Development Environment, Beihang University, Beijing, China