Toward Self-Contained Authorization Policies

Abstract

One of the key motivations of policy-based management is flexibility and adaptability to existing infrastructure and change management. In the context of security, modern policy languages such as XACML are extensible and support natively the expression of new information and manipulation operations. However, policy engines, which evaluate users’ requests according to policies, may not support this new policy information. As a consequence, policy writers have to verify whether the target policy engine can execute his/her policy or not when (s)he writes it. In this article, we introduce the concept of self-contained policy to solve this deployment issue. A self-contained policy includes all the necessary information required by a policy engine to execute a policy. We propose a service component based architecture to support self-contained policies.