Despite considerable advancements in the area of access control and authorization languages, current approaches to enforcing access control are all based on monolithic and complete specifications. This results limiting when restrictions to be enforced come from different input requirements, possibly under the control of different authorities, and where the specifics of some requirements may not even be known a priori. Turning individual specifications into a coherent policy to be fed into the access control system requires a nontrivial combination and translation process. We address the problem of combining authorization specifications that may be independently stated, possibly in different languages and according to different policies. We propose an algebra of security policies together with its formal semantics and illustrate how to formulate complex policies in the algebra and reason about them. We also illustrate a translation of policy expressions into equivalent logic programs, which provide the basis for the implementation of the language.
A modular approach to composing access control policies / P. Bonatti, S. De Capitani di Vimercati, P. Samarati - In: Proc. of the 7th ACM Conference on Computer and Communications Security[s.l] : ACM, 2000. - ISBN 1-58113-203-4. - pp. 164-173 (( Intervento presentato al 7. convegno 7th ACM Conference on Computer and Communications Security tenutosi a Athens, Greece nel 2000 [10.1145/352600.352623].
A modular approach to composing access control policies
S. De Capitani di VimercatiSecondo
;P. SamaratiUltimo
2000
Abstract
Despite considerable advancements in the area of access control and authorization languages, current approaches to enforcing access control are all based on monolithic and complete specifications. This results limiting when restrictions to be enforced come from different input requirements, possibly under the control of different authorities, and where the specifics of some requirements may not even be known a priori. Turning individual specifications into a coherent policy to be fed into the access control system requires a nontrivial combination and translation process. We address the problem of combining authorization specifications that may be independently stated, possibly in different languages and according to different policies. We propose an algebra of security policies together with its formal semantics and illustrate how to formulate complex policies in the algebra and reason about them. We also illustrate a translation of policy expressions into equivalent logic programs, which provide the basis for the implementation of the language.
Pubblicazioni consigliate
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
