Idea: Efficient Evaluation of Access Control Constraints

By Achim D. Brucker and Helmut Petritsch.

Business requirements for modern enterprise systems usually comprise a variety of dynamic constraints, i.e., constraints that require a complex set of context information only available at runtime. Thus, the efficient evaluation of dynamic constraints, e.g., expressing separation of duties requirements, becomes an important factor for the overall performance of the access control enforcement.

Especially in highly distributed systems, e.g., systems based on the service-oriented architecture (SOA) paradigm, the time for evaluating access control constraints depends significantly on the protocol between the central policy decision point (PDP) and the distributed policy enforcement points (PEP).

In this paper, we present a policy-driven approach for generating customized protocols for the communication between the PDP and the PEP. Moreover, we provide a detailed comparison of several approaches for querying context information during the evaluation of access control constraints.

Keywords:
Distributed Policy Enforcement, XACML, Access Control

Please cite this work as follows:
A. D. Brucker and H. Petritsch, “Idea: Efficient evaluation of access control constraints,” in International symposium on engineering secure software and systems (ESSoS), F. Massacci, D. Wallach, and N. Zannone, Eds. Heidelberg: Springer-Verlag, 2010, pp. 157–165. doi: 10.1007/978-3-642-11747-3_12. Author copy: https://logicalhacking.com/publications/brucker.ea-efficient-2010/

BibTeX
@InCollection{ brucker.ea:efficient:2010,
  author    = {Achim D. Brucker and Helmut Petritsch},
  booktitle = {International Symposium on Engineering Secure Software and
               Systems (ESSoS)},
  language  = {USenglish},
  editor    = {F. Massacci and D. Wallach and N. Zannone},
  publisher = {Springer-Verlag},
  address   = {Heidelberg},
  series    = {Lecture Notes in Computer Science},
  title     = {Idea: Efficient Evaluation of Access Control Constraints},
  year      = {2010},
  pages     = {157--165},
  number    = {5965},
  doi       = {10.1007/978-3-642-11747-3_12},
  isbn      = {978-3-642-11746-6},
  areas     = {security, software},
  abstract  = {Business requirements for modern enterprise systems usually
               comprise a variety of dynamic constraints, i.e., constraints
               that require a complex set of context information only
               available at runtime. Thus, the efficient evaluation of
               dynamic constraints, e.g., expressing separation of duties
               requirements, becomes an important factor for the overall
               performance of the access control enforcement.
               
               Especially in highly distributed systems, e.g., systems based
               on the service-oriented architecture (SOA) paradigm, the time
               for evaluating access control constraints depends
               significantly on the protocol between the central policy
               decision point (PDP) and the distributed policy enforcement
               points (PEP).
               
               In this paper, we present a policy-driven approach for
               generating customized protocols for the communication between
               the PDP and the PEP. Moreover, we provide a detailed
               comparison of several approaches for querying context
               information during the evaluation of access control
               constraints.},
  keywords  = {Distributed Policy Enforcement, XACML, Access Control},
  note      = {Author copy: \url{https://logicalhacking.com/publications/brucker.ea-efficient-2010/}},
  pdf       = {https://logicalhacking.com/publications/brucker.ea-efficient-2010/brucker.ea-efficient-2010.pdf},
}