Formal representation of conflict zones in XACML access control systems

Abstract

In this work we propose a new approach for handling the problem of detection and resolution of conflicts/anomalies between XACML (eXtensible Access Control Markup Language) policies. We give more attention to the mathematical formalism of the problem. We introduce the notion of the canonical representation of the query space. This is a partition of the query space formed by authorization classes. Each authorization class regroups queries that are intercepted by the same policies. This classification provides a natural way to handle interferences between policy targets (in other words conflicts /anomalies). Then we bring the study of the problem from the whole query space to elements of its canonical representation. After, we study the impact of adding and deleting policies from the policy repository on the canonical representation. This is important when this canonical representation is integrated as a part of a Framework for conflict detection and resolution in XACML access control systems.