policies to be composed may not even be aware of the access control system
adopted by the other entities specifying access control rules. The main
desiderata for a policy composition framework can be summarized as follows [36].
Heterogeneous policy support. The framework should support policies
expressed in different languages and enforced by different mechanisms.
Support of unknown policies. The framework should support policies that
are not fully defined or are not fully known when the composition strategy
is defined. Consequently, policies are to be treated as black-boxes and are
supposed to return a correct and complete response when queried at access
control time.
Controlled interference. The framework cannot simply merge the sets of
rules defined by the different administrative entities, since this behavior
may cause side effects. For instance, the accesses granted/denied might
not correctly reflect the specifications anymore.
Expressiveness. The framework should support a number of different ways
for combining the input policies, without changing the input set of rules
or introducing ad-hoc extensions to authorizations.
Support of different abstraction levels. The composition should highlight
the different components and their interplay at different levels of
abstraction.
Formal semantics. The language for policy composition adopted by the
framework should be declarative, implementation independent, and based
on a formal semantics to avoid ambiguity.
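The black-box and controlled-interference requirements above, as an added illustration that is not part of the original text: two policies are composed only through their answers and then compared with a naive merge of their rule sets. The request tuple, the toy rule engine, the sample rules and the operator names conjunction and disjunction are assumptions made for this example.

```python
from typing import Callable, Dict, Iterable, NamedTuple, Tuple

class Request(NamedTuple):
    subject: str
    action: str
    obj: str

# A policy is a black box: the composer only sees its answer to a request.
Policy = Callable[[Request], bool]          # True = grant, False = deny

def engine(rules: Iterable[Tuple[str, Request]], default: bool) -> Policy:
    """Toy enforcement mechanism: '-' rules win over '+' rules, else the default."""
    rules = set(rules)
    def decide(req: Request) -> bool:
        if ("-", req) in rules:
            return False
        return True if ("+", req) in rules else default
    return decide

def conjunction(*policies: Policy) -> Policy:
    return lambda req: all(p(req) for p in policies)

def disjunction(*policies: Policy) -> Policy:
    return lambda req: any(p(req) for p in policies)

def read(subject: str) -> Request:
    return Request(subject, "read", "record")

# Constructed sample rules for two administrative entities.
HOSPITAL_RULES = [("+", read("alice")), ("+", read("bob"))]   # closed: deny by default
LAB_RULES = [("-", read("bob"))]                              # open: grant by default

hospital = engine(HOSPITAL_RULES, default=False)
lab = engine(LAB_RULES, default=True)

both = conjunction(hospital, lab)      # grant only if every entity grants
either = disjunction(hospital, lab)    # grant if any entity grants

# Naive merge: pool the rules and keep one engine's default.
merged_open = engine(HOSPITAL_RULES + LAB_RULES, default=True)
merged_closed = engine(HOSPITAL_RULES + LAB_RULES, default=False)

def decisions(policy: Policy) -> Dict[str, bool]:
    return {s: policy(read(s)) for s in ("alice", "bob", "carol")}

if __name__ == "__main__":
    for name in ("both", "either", "merged_open", "merged_closed"):
        print(f"{name:14}", decisions(globals()[name]))
```

The open merge grants carol, whom the hospital never authorized, and neither merge reproduces `either`, because pooling the rules discards each entity's default and lets the lab's denial override the hospital's permit.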
We now briefly describe some solutions proposed for combining different
policies.
4.1 Overview of Policy Composition Solutions
Various models have been proposed to reason about security policies [37,
38, 39, 40]. In [37, 39] the authors focus on the secure behavior of program
modules. McLean [40] introduces the algebra of security, which is a Boolean
algebra that makes it possible to reason about the problem of policy conflict,
arising when different policies are combined. However, even though this
approach makes it possible to detect conflicts between policies, it does not
propose a method to resolve the conflicts and to construct a security policy
from inconsistent sub-policies. Hosmer [38] introduces the notion of
meta-policies, which are defined as policies about policies. Meta-policies are
used to coordinate the interaction between policies and to explicitly define
assumptions about them. Subsequently, Bell [41] formalizes the combination of
two policies with a function, called policy combiner, and introduces the
notion of policy attenuation to allow the composition of conflicting security
policies. Other approaches are targeted to the development of a uniform
framework to express possibly heterogeneous policies [42, 43, 44, 45, 46].