Idea: Efficient Evaluation of Access Control Constraints

by Achim D. Brucker and Helmut Petritsch

Cover for brucker.ea:efficient:2010.Business requirements for modern enterprise systems usually comprise a variety of dynamic constraints, i.e., constraints that require a complex set of context information only available at runtime. Thus, the efficient evaluation of dynamic constraints, e.g., expressing separation of duties requirements, becomes an important factor for the overall performance of the access control enforcement.

Especially in highly distributed systems, e.g., systems based on the service-oriented architecture (SOA) paradigm, the time for evaluating access control constraints depends significantly on the protocol between the central policy decision point (PDP) and the distributed policy enforcement points (PEP).

In this paper, we present an policy-driven approach for generating customized protocol for the communication between the PDP and the pep. Moreover, we provide a detailed comparison of several approaches for querying context information during the evaluation of access control constraints.

Keywords: distributed policy enforcement, XACML, access control
Categories: ,
Documents: (full text as PDF file)

QR Code for brucker.ea:efficient:2010.Please cite this article as follows:
Achim D. Brucker and Helmut Petritsch. Idea: Efficient Evaluation of Access Control Constraints. In International Symposium on Engineering Secure Software and Systems (ESSoS). Lecture Notes in Computer Science (5965), pages 157-165, Springer-Verlag, 2010.
Keywords: distributed policy enforcement, XACML, access control
(full text as PDF file) (BibTeX) (Endnote) (RIS) (Word) (doi:10.1007/978-3-642-11747-3_12) (Share article on LinkedIn. Share article on CiteULike. )

BibTeX
@InCollection{ brucker.ea:efficient:2010,
abstract = {Business requirements for modern enterprise systems usually comprise a variety of dynamic constraints, i.e., constraints that require a complex set of context information only available at runtime. Thus, the efficient evaluation of dynamic constraints, e.g., expressing separation of duties requirements, becomes an important factor for the overall performance of the access control enforcement.\\\\Especially in highly distributed systems, e.g., systems based on the service-oriented architecture (SOA) paradigm, the time for evaluating access control constraints depends significantly on the protocol between the central policy decision point (PDP) and the distributed policy enforcement points (PEP).\\\\In this paper, we present an policy-driven approach for generating customized protocol for the communication between the PDP and the pep. Moreover, we provide a detailed comparison of several approaches for querying context information during the evaluation of access control constraints.},
address = {Heidelberg},
author = {Achim D. Brucker and Helmut Petritsch},
booktitle = {International Symposium on Engineering Secure Software and Systems (ESSoS)},
doi = {10.1007/978-3-642-11747-3_12},
editor = {F. Massacci and D. Wallach and N. Zannone},
isbn = {978-3-642-11746-6},
keywords = {distributed policy enforcement, XACML, access control},
language = {USenglish},
number = {5965},
pages = {157--165},
pdf = {https://www.brucker.ch/bibliography/download/2010/brucker.ea-efficient-2010.pdf},
publisher = {Springer-Verlag},
series = {Lecture Notes in Computer Science},
title = {Idea: Efficient Evaluation of Access Control Constraints},
url = {https://www.brucker.ch/bibliography/abstract/brucker.ea-efficient-2010},
year = {2010},
}