Conference Paper

PolicyMorph: Interactive Policy Transformations for a Logical Attribute-Based Access Control Framework

New York, NY, USA
DOI: 10.1145/1266840.1266874 Conference: Proceedings of the 12th ACM symposium on Access control models and technologies
Source: DBLP


Constraint systems provide techniques for automatically analyzing the conformance of low-level access control policies to high-level business rules formalized as logical constraints. However, there are likely to be priorities for solutions that are not easy to encode formally, so administrator input is often important. This paper introduces PolicyMorph, a constraint system that supports interactive development and maintenance of access control policies that respect both formalized and un-formalized business rules and priorities. We provide a mathematical description of the system and an architecture for implementing it. We constructed a prototype that is validated using a case study in which constraints are imposed on a building automation system that controls door locks. PolicyMorph advances the state-of-the-art in constraint systems by suggesting predictable policy model modifications that will resolve specific constraint violations and then allowing policy administrators to select the appropriate mo
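To make the workflow described in the abstract concrete, here is an added illustration of a constraint system over a small door-lock policy. It is not PolicyMorph's code and does not reproduce the paper's algorithm: the attribute domains (role, door, hour), the rules, the two business-rule constraints, the deny-overrides combining rule, and the two repair heuristics (append an exact-match rule of the opposite effect, or narrow one matching rule by one attribute value) are all assumptions made for this example. What it shows is the loop the abstract outlines: evaluate the low-level policy over the finite request space, find decisions that break a formalized constraint, generate single-edit modifications whose effect is predictable (each candidate is re-checked so it resolves the violation without creating a new one), rank them by how many other decisions they flip, and leave the final pick to an administrator callback.

```python
"""Toy constraint system over a finite attribute-based door-lock policy.
Constructed illustration for this page, not PolicyMorph's code or algorithm;
domains, rules, constraints and repair heuristics are example assumptions."""
from itertools import product

# Constructed attribute domains: every request is one assignment of these.
DOMAINS = {
    "role": ("staff", "contractor", "facilities"),
    "door": ("lobby", "server_room"),
    "hour": ("business", "after_hours"),
}

def all_requests():
    """Enumerate the finite request space, one dict per attribute assignment."""
    keys = list(DOMAINS)
    for values in product(*(DOMAINS[k] for k in keys)):
        yield dict(zip(keys, values))

def matches(cond, req):
    """A rule condition maps attribute -> accepted values; an absent attribute means 'any'."""
    return all(req[k] in vals for k, vals in cond.items())

def evaluate(policy, req):
    """Deny-overrides combining: a matching deny wins, then a matching permit, else deny."""
    effects = {eff for eff, cond in policy if matches(cond, req)}
    if "deny" in effects:
        return "deny"
    return "permit" if "permit" in effects else "deny"

# Low-level policy as an administrator might have written it (constructed sample).
POLICY = [
    ("permit", {"role": {"staff", "facilities"}}),            # employees open any door
    ("permit", {"role": {"contractor"}, "door": {"lobby"}}),  # contractors: lobby only
    ("deny", {"role": {"contractor"}, "door": {"server_room"}, "hour": {"after_hours"}}),
]

# High-level business rules formalized as constraints over (request, decision).
CONSTRAINTS = {
    "server room after hours is facilities-only": lambda r, d: not (
        r["door"] == "server_room" and r["hour"] == "after_hours"
        and r["role"] != "facilities" and d == "permit"),
    "facilities staff can always reach the lobby": lambda r, d: not (
        r["role"] == "facilities" and r["door"] == "lobby" and d == "deny"),
}

def violations(policy):
    """(constraint name, request) pairs where the policy's decision breaks a constraint."""
    return [(name, req) for req in all_requests()
            for name, check in CONSTRAINTS.items()
            if not check(req, evaluate(policy, req))]

def candidate_fixes(policy, req):
    """Predictable single-edit repairs of the decision on `req` (example heuristics):
    (a) append a rule of the opposite effect matching exactly `req`;
    (b) narrow one rule that currently matches `req` by excluding one attribute value."""
    current = evaluate(policy, req)
    opposite = "deny" if current == "permit" else "permit"
    fixes = [("add %s rule for exactly this request" % opposite,
              policy + [(opposite, {k: {v} for k, v in req.items()})])]
    for i, (eff, cond) in enumerate(policy):
        if eff != current or not matches(cond, req):
            continue
        for attr, domain in DOMAINS.items():
            allowed = set(cond.get(attr, domain)) - {req[attr]}
            if not allowed:
                continue  # never emit a rule that can match nothing
            narrowed = dict(cond)
            narrowed[attr] = allowed
            fixes.append(("narrow rule %d: %s != %s" % (i, attr, req[attr]),
                          policy[:i] + [(eff, narrowed)] + policy[i + 1:]))
    return fixes

def _key(req):
    return tuple(sorted(req.items()))

def rank_fixes(policy, req):
    """Keep only fixes that resolve the violation on `req` without creating new ones,
    least collateral change (number of other decisions flipped) first."""
    before = {_key(r): evaluate(policy, r) for r in all_requests()}
    before_v = {(n, _key(r)) for n, r in violations(policy)}
    ranked = []
    for label, fixed in candidate_fixes(policy, req):
        after_v = {(n, _key(r)) for n, r in violations(fixed)}
        if not (after_v < before_v) or any(k == _key(req) for _, k in after_v):
            continue
        flipped = sum(1 for r in all_requests() if evaluate(fixed, r) != before[_key(r)])
        ranked.append((flipped, label, fixed))
    return sorted(ranked, key=lambda t: (t[0], t[1]))

def repair(policy, choose=lambda options: options[0]):
    """Resolve violations one at a time; `choose` stands in for the administrator
    picking among the ranked suggestions (default: the least disruptive one)."""
    while True:
        viols = violations(policy)
        if not viols:
            return policy
        name, req = viols[0]
        options = rank_fixes(policy, req)
        if not options:
            raise RuntimeError("no single-edit fix for %r on %r" % (name, req))
        _, _, policy = choose(options)
```

On the constructed sample the only violation is that staff may open the server room after hours. Three candidates survive the re-check: adding a targeted deny (flips one decision), narrowing the employee rule to the lobby, or narrowing it to facilities only (each flips four decisions); narrowing it to business hours is discarded because it would newly lock facilities staff out of the lobby after hours. The unformalized priorities the abstract mentions enter through `choose`: an administrator who knows the server room is being retired might prefer the broader lobby-only edit over the minimal one.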

    • "The synthesis formal framework structure was calculated by the attribute value extension strategy in [25], which put forward the strategies of the attribute-based synthetic ApoCA algebraic model. Then it discusses the algebraic properties of policy expressions. Due to the complexity of strategy description, differences between organizational domain control strategies make the synthetic strategy easier. If synthetic strategy decision conflicts are detected and solved, access control security authorization will not be able to guarantee related entities. The logic of conflict rules is used to analyze the strategies of the basic method. The PolicyMorph system in [26] can detect logical constraints, suggest ways to eliminate conflicts, and dynamically assess them to help the system administrator with access control policies under logical constraints. [27] uses description logic (DL) to formalize XACML strategies, and uses existing DL validation tools to detect redundant rules in strategies. In formalization model research, [28] uses limit theory to present a logical framework, LABAC, and uses CLP over sets to describe attributes and services. "

    Preview · Article · Nov 2013
    • "Wang et al. and Lemay et al. [12], [13] introduced logic programming theory for modeling attribute-based access control systems and policy maintenance, thereby enabling faster policy transformation. Yuan and Tong [10] proposed the ABAC model in terms of a policy model and an architecture model and presented the mathematical formulation of the policy model. "
    ABSTRACT: In order for large numbers of heterogeneous distributed devices to collaborate over multiple domains within a modern large-scale device collaboration system, a fine-grained, flexible and secure approach is required for device authentication and authorization. This paper proposes a Multiple-Policy supported Attribute-Based Access Control model and its architecture to address these demands. Using the eXtensible Access Control Markup Language (XACML) standard, this model goes beyond the traditional Attribute-Based Access Control model by providing cross-domain authentication and authorization, hierarchical policy combination and enforcement, unified device access control and fine-grained attribute-based privilege description. Experiments show that the performance of this architecture is acceptable within a production environment.
    Full-text · Article · Mar 2012 · Journal of Networks