
584 CHAPTER 23 Policies, Access Control, and Formal Methods

In XACML, a key notion is the notion of policy, representing a single access control policy expressed through a set of rules. A rule specifies the target to which it applies and the effect of the rule, that is, Permit or Deny. The target basically models the access request by means of a set of simplified conditions for the subject, resource, and action that must be met, that is, evaluate to the Boolean value true, for the rule to apply to a given request. In other words, the target of a rule specifies the set of requests to which the rule is applicable; such a specification is intentionally expressed as a set of conditions. Any number of rule elements may be used, each of which generates a true or false outcome. Combining these outcomes results in a single decision for the policy, which may be Permit, Deny, Indeterminate, or Not Applicable. A decision may also contain some obligations, that is, actions which must be executed · · · or specifying a set of conditions against some attributes associated with the entity. As such, XACML is an ABAC model.

It supports a structured organization of access control policies. Basically, the top element of an XACML policy is a set of policies, each of which aggregates other policy sets or policy elements. The main component of a policy element is the rule set, consisting of multiple rules, that is, of multiple triple-based authorizations.

It supports negative authorizations and provides different algorithms for resolving conflicting access control decisions resulting from different rules (e.g., rule-combining algorithms) and from different policies (e.g., policy-combining algorithms).

It is extensible. The elements of XACML that can be extended include: functions,
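To make the rule/target/effect/combining-algorithm structure concrete, here is an added, self-contained Python sketch (not the textbook's code, and not a real XACML engine) in which a rule's target is a set of attribute conditions on subject, resource, and action, a policy is a list of rules, and two assumed rule-combining algorithms (a simplified deny-overrides and first-applicable) turn the rule outcomes into one of the four decisions, carrying obligations along; the hospital policy and attribute names are constructed for the example.

```python
# Added illustration of the XACML concepts above (not the textbook's code): rules with
# a target (conditions on subject/resource/action attributes), an effect, obligations,
# and a rule-combining algorithm that turns rule outcomes into one policy decision.
from dataclasses import dataclass, field

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

@dataclass
class Rule:
    target: dict        # e.g. {"subject": {"role": "doctor"}, "action": {"id": "read"}}
    effect: str         # PERMIT or DENY
    obligations: list = field(default_factory=list)

def target_matches(target, request):
    """All simplified conditions must hold; a missing attribute raises KeyError."""
    return all(request[cat][name] == value
               for cat, conds in target.items() for name, value in conds.items())

def evaluate_rule(rule, request):
    """Rule outcome: (effect, obligations) when its target applies, else NotApplicable;
    a request lacking a needed attribute yields Indeterminate."""
    try:
        applies = target_matches(rule.target, request)
    except KeyError:
        return INDETERMINATE, []
    return (rule.effect, list(rule.obligations)) if applies else (NOT_APPLICABLE, [])

def deny_overrides(outcomes):
    """Simplified deny-overrides combining: Deny > Indeterminate > Permit > NotApplicable.
    Obligations are returned only from rules whose effect equals the final decision."""
    decisions = [d for d, _ in outcomes]
    for winner in (DENY, INDETERMINATE, PERMIT):
        if winner in decisions:
            return winner, [o for d, obs in outcomes if d == winner for o in obs]
    return NOT_APPLICABLE, []

def first_applicable(outcomes):
    """Alternative combining algorithm: the first rule that applies (or errors) decides."""
    return next(((d, obs) for d, obs in outcomes if d != NOT_APPLICABLE), (NOT_APPLICABLE, []))

def evaluate_policy(rules, request, combine=deny_overrides):
    """Policy decision = combining algorithm applied to every rule's outcome."""
    return combine([evaluate_rule(r, request) for r in rules])

# Constructed sample policy: doctors may read records (logged); deleting a record is denied.
POLICY = [
    Rule({"subject": {"role": "doctor"}, "resource": {"type": "record"},
          "action": {"id": "read"}}, PERMIT, ["log-access"]),
    Rule({"resource": {"type": "record"}, "action": {"id": "delete"}}, DENY),
]
```

Running the same request (a subject with no role attribute trying to delete a record) through both combining algorithms shows why the choice matters: deny-overrides still yields Deny, while first-applicable stops at the Indeterminate outcome of the first rule.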