Access control inference and feedback for policy managers: a fine-grained analysis
Ranga Raju Vatsavai, Sharma Chakravarthy, M. Mohania
Seventh IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'06)
Publication date: 2006-06-05
DOI: https://doi.org/10.1109/POLICY.2006.9
Citations: 1
Abstract
As IT infrastructure grows in complexity and pervasiveness, autonomic computing can greatly simplify its deployment and usage. Essentially, the goal of autonomic computing is to shift the burden of managing the component systems from the user to the system. To accomplish this, autonomic computing demands that the system be able to accept high-level policies, analyze them, and provide meaningful feedback, so as to simplify the usage of the infrastructure by domain experts and minimize human involvement in the loop. Policies, in general, are defined at a higher level in terms of business objects, their attributes, and operations. Managed resources, on the other hand, on which the policies are finally going to execute, have their own access control lists (ACLs) to limit the operations that an application user can perform. As a result, many policies that are syntactically and semantically correct may fail to execute at run time due to ACL violations. This paper describes an approach wherein the access control information provided at the managed-resource level is leveraged to check for policy executability and provide meaningful feedback in case there are problems. This is done at policy specification time rather than at runtime, as current systems typically do, which is not desirable. Furthermore, this avoids redundant access control specifications, which can lead to inconsistencies in addition to being a burden on the user. A pragmatic approach for checking policy executability from an access control viewpoint, and for providing several types of feedback, is the focus of this paper.