{"title":"Formal Comparison of an Attribute Based Access Control Language for RESTful Services with XACML","authors":"Marc Hüffmeyer, Ulf Schreier","doi":"10.1145/2914642.2914663","DOIUrl":null,"url":null,"abstract":"This work introduces RestACL - an access control language for RESTful Services - and compares it with XACML using formal methods. XACML is a generic approach that targets Attribute Based Access Control (ABAC) in general. RestACL is founded on the ideas of the ABAC model, too, but utilizes the concepts of REST enabling a quicker evaluation of access requests. This work gives a brief introduction over the main ideas of RestACL and proves its evidence by giving transformation rules to translate security policies from RestACL to XACML and vice versa. The formalized transformation descriptions show the expressive strength of RestACL, because they demonstrate that any generic ABAC policy written in XACML can be expressed with RestACL, too. The correctness and completeness of RestACL can be proved with the transformation rules, too.","PeriodicalId":388649,"journal":{"name":"Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies","volume":"17 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-06-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"5","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2914642.2914663","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 5
Abstract
This work introduces RestACL, an access control language for RESTful services, and compares it with XACML using formal methods. XACML is a generic approach that targets Attribute Based Access Control (ABAC) in general. RestACL is also founded on the ideas of the ABAC model, but it makes use of REST concepts, which enables quicker evaluation of access requests. This work gives a brief introduction to the main ideas of RestACL and substantiates them by giving transformation rules that translate security policies from RestACL to XACML and vice versa. The formalized transformation descriptions show the expressive strength of RestACL, because they demonstrate that any generic ABAC policy written in XACML can also be expressed in RestACL. The transformation rules can also be used to prove the correctness and completeness of RestACL.