XACML中访问控制的重写

Eighth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'07) Pub Date : 2007-06-13 DOI:10.1109/POLICY.2007.31

Ja'far Alqatawna, E. Rissanen, B. S. Firozabadi

{"title":"XACML中访问控制的重写","authors":"Ja'far Alqatawna, E. Rissanen, B. S. Firozabadi","doi":"10.1109/POLICY.2007.31","DOIUrl":null,"url":null,"abstract":"Most access control mechanisms focus on how to define the rights of users in a precise way to prevent any violation of the access control policy of an organization. However, in many cases it is hard to predefine all access needs, or even to express them in machine readable form. One example of such a situation is an emergency case which may not be predictable and would be hard to express as a machine readable condition. Discretionary overriding of access control is one way for handling such hard to define and unanticipated situations where availability is critical. The override mechanism gives the subject of the access control policy the possibility to override a denied decision, and if the subject should confirm the override, the access will be logged for special auditing. XACML, the extensible access control markup language, provides a standardized access control policy language for expressing access control policies. This paper introduces a discretionary overriding mechanism in XACML. We do so by means of XACML obligations and also define a general obligation combining mechanism.","PeriodicalId":240693,"journal":{"name":"Eighth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'07)","volume":"493 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2007-06-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"28","resultStr":"{\"title\":\"Overriding of Access Control in XACML\",\"authors\":\"Ja'far Alqatawna, E. Rissanen, B. S. Firozabadi\",\"doi\":\"10.1109/POLICY.2007.31\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Most access control mechanisms focus on how to define the rights of users in a precise way to prevent any violation of the access control policy of an organization. However, in many cases it is hard to predefine all access needs, or even to express them in machine readable form. One example of such a situation is an emergency case which may not be predictable and would be hard to express as a machine readable condition. Discretionary overriding of access control is one way for handling such hard to define and unanticipated situations where availability is critical. The override mechanism gives the subject of the access control policy the possibility to override a denied decision, and if the subject should confirm the override, the access will be logged for special auditing. XACML, the extensible access control markup language, provides a standardized access control policy language for expressing access control policies. This paper introduces a discretionary overriding mechanism in XACML. We do so by means of XACML obligations and also define a general obligation combining mechanism.\",\"PeriodicalId\":240693,\"journal\":{\"name\":\"Eighth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'07)\",\"volume\":\"493 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2007-06-13\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"28\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Eighth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'07)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/POLICY.2007.31\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Eighth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'07)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/POLICY.2007.31","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 28

摘要

大多数访问控制机制关注的是如何以精确的方式定义用户的权限，以防止违反组织的访问控制策略。然而，在许多情况下，很难预先定义所有的访问需求，甚至很难用机器可读的形式表示它们。这种情况的一个例子是紧急情况，这种情况可能无法预测，并且很难表示为机器可读的条件。随意覆盖访问控制是处理这种难以定义且不可预见的情况的一种方法，在这种情况下，可用性至关重要。覆盖机制为访问控制策略的主体提供了覆盖被拒绝的决策的可能性，如果主体应该确认覆盖，则访问将被记录下来，以便进行特殊审计。XACML是一种可扩展的访问控制标记语言，它为表示访问控制策略提供了一种标准化的访问控制策略语言。本文介绍了XACML中的一种自主覆盖机制。我们通过XACML义务来实现这一点，并且还定义了一个通用的义务组合机制。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Overriding of Access Control in XACML

Most access control mechanisms focus on how to define the rights of users in a precise way to prevent any violation of the access control policy of an organization. However, in many cases it is hard to predefine all access needs, or even to express them in machine readable form. One example of such a situation is an emergency case which may not be predictable and would be hard to express as a machine readable condition. Discretionary overriding of access control is one way for handling such hard to define and unanticipated situations where availability is critical. The override mechanism gives the subject of the access control policy the possibility to override a denied decision, and if the subject should confirm the override, the access will be logged for special auditing. XACML, the extensible access control markup language, provides a standardized access control policy language for expressing access control policies. This paper introduces a discretionary overriding mechanism in XACML. We do so by means of XACML obligations and also define a general obligation combining mechanism.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Eighth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'07)

自引率

0.00%

发文量