Reduction of access control decisions

Abstract

Access control has been proposed as "the" solution to prevent unauthorized accesses to sensitive system resources. Historically, access control models use a two-valued decision set to indicate whether an access should be granted or denied. Many access control models have extended the two-valued decision set to indicate, for instance, whether a policy is applicable to an access query or an error occurred during policy evaluation. Decision sets are often coupled with operators for combining decisions from multiple applicable policies. Although a larger decision set is more expressive, it may be necessary to reduce it to a smaller set in order to simplify the complexity of decision making or enable comparison between access control models. Moreover, some access control mechanisms like XACML~v3 uses more than one decision set. The projection from one decision set to the other may result in a loss of accuracy, which can affect the final access decision. In this paper, we present a formal framework for the analysis and comparison of decision sets centered on the notion of decision reduction. In particular, we introduce the notion of safe reduction, which ensures that a reduction can be performed at any level of policy composition without changing the final decision. We demonstrate the framework by analyzing XACML v3 against the notion of safe reduction. From this analysis, we draw guidelines for the selection of the minimal decision set with respect to a given set of combining operators.