Managing XACML systems in distributed environments through Meta-Policies

Daniel O. Díaz López, Ginés Dólera Tormo, Félix Gómez Mármol, Gregorio Martínez Pérez
Computers & Security, vol. 48, pp. 92-115
Publication year: 2015

Abstract

Policy-based authorization systems are now widely deployed to control privileges over large numbers of resources within a security domain. Policies provide a fine-grained level of expressiveness for specifying how a system should respond to many different access control requests. In this context, XACML has gained wide adoption in both industry and academia as a standard for defining access control policies, as well as an architecture for evaluating authorization requests and issuing authorization decisions. However, how XACML applies in collaborative and distributed environments composed of several security domains that share access control over specific resources is still not clear. This situation arises when several security domains can simultaneously define how a resource behaves upon receiving authorization requests, for instance an organization with many subsidiaries or a company with a service virtualization business model. In this paper we propose a solution for effective distributed policy management, taking into account that some policies in a domain may be confidential. To this end, the default XACML architecture is redefined in order to use i) Master and Slave PAPs to communicate between security domains, ii) Meta-Policies to define privileges over access control policies (the policies themselves become the managed resources) and iii) SAML extensions to protect the policy management messages that flow between security domains. The experiments and the scenarios defined in the paper demonstrate the validity of the proposed solution.
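The following is an added illustration of the core idea in the abstract, namely treating access control policies as managed resources and guarding them with meta-policies evaluated at a master PAP. It is not code from the paper and does not reproduce the authors' meta-policy format or their SAML extensions. It assumes a simplified attribute model (requesting domain as subject, a management action, a policy id as resource), a deny-overrides combining algorithm, and a fail-closed treatment of unmatched requests; the domain names and policy ids are constructed sample data.

```python
"""Toy meta-policy evaluator for a master PAP.

Added illustration, not the paper's own code. It assumes a simplified
attribute model: a management request carries the requesting security
domain (subject), a management action and a policy id (resource); the
meta-policies are combined with deny-overrides and an unmatched request
is refused (fail closed).
"""
from dataclasses import dataclass
from typing import Callable, Optional, Set, Tuple

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Policy:
    policy_id: str
    owner: str           # security domain that owns the policy
    confidential: bool   # True: only the owner may read it
    content: str         # the XACML document itself, opaque here


@dataclass
class MetaPolicy:
    """A rule whose protected resource is an access-control policy."""
    subjects: Set[str]   # domains the rule applies to; "*" means any
    actions: Set[str]    # management actions: read, update, delete
    condition: Callable[[str, Policy], bool]  # (domain, policy) -> applies?
    effect: str          # PERMIT or DENY


def evaluate(meta_policies, domain: str, action: str, policy: Policy) -> str:
    """Deny-overrides combination over all applicable meta-policies."""
    decision = NOT_APPLICABLE
    for mp in meta_policies:
        if "*" not in mp.subjects and domain not in mp.subjects:
            continue
        if action not in mp.actions or not mp.condition(domain, policy):
            continue
        if mp.effect == DENY:
            return DENY          # one Deny wins regardless of later Permits
        decision = PERMIT
    return decision


class MasterPAP:
    """Policy store of the master domain; slave PAPs send it requests."""

    def __init__(self, meta_policies):
        self.store = {}
        self.meta_policies = list(meta_policies)
        self.audit = []          # (domain, action, policy_id, decision)

    def add(self, policy: Policy) -> None:
        self.store[policy.policy_id] = policy

    def manage(self, domain, action, policy_id,
               new_content=None) -> Tuple[str, Optional[str]]:
        """Returns (decision, payload); payload is the policy text on a permitted read."""
        policy = self.store.get(policy_id)
        if policy is None:
            return DENY, None    # unknown policy: fail closed, leak nothing
        decision = evaluate(self.meta_policies, domain, action, policy)
        self.audit.append((domain, action, policy_id, decision))
        if decision != PERMIT:
            return DENY, None    # NotApplicable is treated as Deny
        if action == "read":
            return PERMIT, policy.content
        if action == "update":
            policy.content = new_content
        elif action == "delete":
            del self.store[policy_id]
        return PERMIT, None


# Constructed sample: a headquarters domain "hq" and two subsidiaries.
META_POLICIES = [
    # Every domain may manage the policies it owns.
    MetaPolicy({"*"}, {"read", "update", "delete"},
               lambda d, p: p.owner == d, PERMIT),
    # Subsidiaries may read hq policies that are not confidential.
    MetaPolicy({"sub-a", "sub-b"}, {"read"},
               lambda d, p: p.owner == "hq" and not p.confidential, PERMIT),
    # sub-b is frozen: no changes to its policies, even by itself.
    MetaPolicy({"*"}, {"update", "delete"},
               lambda d, p: p.owner == "sub-b", DENY),
]


def build_pap() -> MasterPAP:
    pap = MasterPAP(META_POLICIES)
    pap.add(Policy("hq-public", "hq", False, "<Policy PolicyId='hq-public'/>"))
    pap.add(Policy("hq-secret", "hq", True, "<Policy PolicyId='hq-secret'/>"))
    pap.add(Policy("sub-b-1", "sub-b", False, "<Policy PolicyId='sub-b-1'/>"))
    return pap


if __name__ == "__main__":
    pap = build_pap()
    for req in [("hq", "read", "hq-secret"), ("sub-a", "read", "hq-secret"),
                ("sub-a", "read", "hq-public"), ("sub-b", "update", "sub-b-1")]:
        print(req, "->", pap.manage(*req, new_content="<Policy/>")[0])
```

Two design choices carry the security point. An unknown policy id and a NotApplicable decision both come back as Deny with no payload, so a slave domain cannot probe the store to learn which confidential policies exist. And the explicit Deny rule for the frozen subsidiary wins over the owner's Permit because the combiner is deny-overrides, which is the behaviour you want when the master domain must be able to revoke management rights without editing every subsidiary's own rules.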

Related Publications


Graph-Based XACML Evaluation

Conference
Santiago Pina Ros, Mario Lischka, Félix Gómez Mármol
17th ACM Symposium on Access Control Models and Technologies (SACMAT 2012), pp. 83-92, ISBN: 978-1-4503-1295-0, Newark, USA
Publication year: 2012

Dynamic counter-measures for risk-based access control systems: an evolutive approach

Journal (Q1)
Daniel O. Díaz López, Ginés Dólera Tormo, Félix Gómez Mármol, Gregorio Martínez Pérez
Future Generation Computer Systems, Special Issue on Trust, Security and Privacy in Distributed Systems, vol. 55, pp. 321-335
Publication year: 2016

Co-Authors

This work would not have been possible without the inestimable contribution of:

  • Daniel O. Díaz López (University of Murcia)
  • Ginés Dólera Tormo (University of Murcia)
  • Gregorio Martínez Pérez (University of Murcia)

Citation

Daniel O. Díaz López, Ginés Dólera Tormo, Félix Gómez Mármol, Gregorio Martínez Pérez, «Managing XACML systems in distributed environments through Meta-Policies», Computers & Security, vol. 48, pp. 92-115, 2015

Journal Ranking & Impact Factor

  • Journal: Computers & Security
  • Category: Computer Science, Information Systems
  • Rank: 43/144
  • Quartile: Q2
  • Impact Factor: 1.640