Browse by author
Lookup NU author(s): Dr Charles Morisset
Full text for this publication is not currently held within this repository. Alternative links are provided below where available.
Access control has been proposed as "the" solution to prevent unauthorized accesses to sensitive system resources. Historically, access control models use a two-valued decision set to indicate whether an access should be granted or denied. Many access control models have extended the two-valued decision set to indicate, for instance, whether a policy is applicable to an access query or an error occurred during policy evaluation. Decision sets are often coupled with operators for combining decisions from multiple applicable policies. Although a larger decision set is more expressive, it may be necessary to reduce it to a smaller set in order to simplify the complexity of decision making or enable comparison between access control models. Moreover, some access control mechanisms like XACML~v3 uses more than one decision set. The projection from one decision set to the other may result in a loss of accuracy, which can affect the final access decision. In this paper, we present a formal framework for the analysis and comparison of decision sets centered on the notion of decision reduction. In particular, we introduce the notion of safe reduction, which ensures that a reduction can be performed at any level of policy composition without changing the final decision. We demonstrate the framework by analyzing XACML v3 against the notion of safe reduction. From this analysis, we draw guidelines for the selection of the minimal decision set with respect to a given set of combining operators.
Author(s): Morisset C, Zannone N
Editor(s): Sylvia L. Osborn, Mahesh V. Tripunitara, Ian Molloy
Publication type: Conference Proceedings (inc. Abstract)
Publication status: Published
Conference Name: 19th ACM Symposium on Access Control Models and Technologies
Year of Conference: 2014
Acceptance date: 03/03/2014
Library holdings: Search Newcastle University Library for this item