Policy Evaluation and Dynamic Management Based on Matching Tree for XACML

Abstract

As a widely recognized policy language of access control, the eXtensible Access Control Markup Language (XACML) is widely used with its fine-grained and easy-to-read. With the application of XACML, researchers find that the XACML based policy evaluation and policy management methods can no longer meet the current large-scale requests for efficient access and dynamic management requirements. To improve the performance of policy evaluation based on XACML, we propose a policy evaluation method based on the matching tree to search policy efficiently and avoid the extra consumption of invalid policy participation. Furthermore, we propose a policy dynamic management method based on the matching tree to reduce the scale of the policy to be disabled for management, by adding locks in the tree node and the information mapping table. Through theoretical derivation and the factors that may affect its evaluation performance, we verify the improvement of evaluation efficiency. The simulation also shows the improvement of the evaluation engine based on the matching tree compared with OuenAz.