Rew-XAC: An Approach to Rewriting Request for Elastic ABAC Enforcement with Dynamic Policies

Abstract

Attribute-based access control (ABAC) model manages access control through policies, based on incoming requests in which attributes are basic elements for constructing those policies and requests. Requests depend on existing policies in the system and when policies change attributes, request must be adapted to access resources. In XACML standard, there are four kinds of responses for a request: Permit, Deny, Not Applicable and Indeterminate, but the two last value bring no value to requesters. This paper focuses on rewriting requests received Not Applicable responses by reducing required resource for aligning with policies of systems. We set up a new model based on XACML 3.0 find out the most suitable policy to each input request in four aspects, including Action, Subject, Environment, and Resource to rewrite the request. Finally, the model is implemented based on AT&T Open Source. We use an XACML 3.0 framework, for verifying feasibility of the solution and measuring its performance.