by Achim D. Brucker and Helmut Petritsch
Business requirements for modern enterprise systems usually comprise a variety of dynamic constraints, i.e., constraints that require a complex set of context information only available at runtime. Thus, the efficient evaluation of dynamic constraints, e.g., expressing separation of duties requirements, becomes an important factor for the overall performance of the access control enforcement.
Especially in highly distributed systems, e.g., systems based on the service-oriented architecture (SOA) paradigm, the time for evaluating access control constraints depends significantly on the protocol between the central policy decision point (PDP) and the distributed policy enforcement points (PEP).
In this paper, we present an policy-driven approach for generating customized protocol for the communication between the PDP and the pep. Moreover, we provide a detailed comparison of several approaches for querying context information during the evaluation of access control constraints.
Keywords: distributed policy enforcement, XACML, access control
Categories: ,
Documents: (full text as PDF file)
Please cite this article as follows:
Achim D. Brucker and Helmut Petritsch.
Idea: Efficient Evaluation of Access Control Constraints.
In International Symposium on Engineering Secure Software and Systems (ESSoS). Lecture Notes in Computer Science (5965), pages 157-165, Springer-Verlag, 2010.
Keywords: distributed policy enforcement, XACML, access control
(full text as PDF file) (BibTeX) (Endnote) (RIS) (Word) (doi:10.1007/978-3-642-11747-3_12) (
abstract | = | {Business requirements for modern enterprise systems usually comprise a variety of dynamic constraints, i.e., constraints that require a complex set of context information only available at runtime. Thus, the efficient evaluation of dynamic constraints, e.g., expressing separation of duties requirements, becomes an important factor for the overall performance of the access control enforcement.\\\\Especially in highly distributed systems, e.g., systems based on the service-oriented architecture (SOA) paradigm, the time for evaluating access control constraints depends significantly on the protocol between the central policy decision point (PDP) and the distributed policy enforcement points (PEP).\\\\In this paper, we present an policy-driven approach for generating customized protocol for the communication between the PDP and the pep. Moreover, we provide a detailed comparison of several approaches for querying context information during the evaluation of access control constraints.}, | |
address | = | {Heidelberg}, | |
author | = | {Achim D. Brucker and Helmut Petritsch}, | |
booktitle | = | {International Symposium on Engineering Secure Software and Systems (ESSoS)}, | |
doi | = | {10.1007/978-3-642-11747-3_12}, | |
editor | = | {F. Massacci and D. Wallach and N. Zannone}, | |
isbn | = | {978-3-642-11746-6}, | |
keywords | = | {distributed policy enforcement, XACML, access control}, | |
language | = | {USenglish}, | |
number | = | {5965}, | |
pages | = | {157--165}, | |
= | {https://www.brucker.ch/bibliography/download/2010/brucker.ea-efficient-2010.pdf}, | ||
publisher | = | {Springer-Verlag}, | |
series | = | {Lecture Notes in Computer Science}, | |
title | = | {Idea: Efficient Evaluation of Access Control Constraints}, | |
url | = | {https://www.brucker.ch/bibliography/abstract/brucker.ea-efficient-2010}, | |
year | = | {2010}, |