Databases Reference
In-Depth Information
2 Policy Specification Languages
Generally speaking, there are three types of policy representation regarding
access authorization:
access control policy specification languages
,
privacy pol-
icy specification languages
,and
formal specification languages
. Access control
policy specification languages include XACL, XACML, and Authorization
Specification Language (ASL) [11, 12]. Privacy policy specification languages
include P3P [15], and EPAL [2]. The XACML also covers some features of pri-
vacy policy. Formal specification languages include Alloy [1], Formal Tropos
[6], KAOS [5], Larch [7], UML [16][19], and Z [18]. Moreover, as Web services
become more and more common in use, the WS-Policy framework[20] for Web
services, is also well-known.
In this chapter, we briefly introduce the access control policy specification
languages of XACL, XACML, and the Web services governance specification
of WS-Policy framework as they can be broadly used in various XML-based
systems, and as standardized by specific organizations.
3 Example XML Document and Associated Policy
First, we use a sample XML document and policy to illustrate how to represent
fine-grained access control policy for XML documents. The example is a Web-
based paper review application that simulates a typical anonymous paper-
reviewing process. In addition, all of the access control policies in this chapter
are specified for this XML document.
Authors submit their papers and a chairperson assigns one or more re-
viewers to each submitted paper.
•
The reviewers read and evaluate the papers assigned to them without
knowing who the authors are.
•
The program committee members read the reviewers' evaluations and de-
cide which papers should be accepted.
•
The chairperson makes the final decisions on the accepted papers.
•
•
Each author receives notification of acceptance or rejection.
The review summary XML document stores all of the information and
the states for the reviewing process such as the author information and the
evaluation results. Figure 1 shows such an XML document that includes one
paper submission from Carol, which final decision is to accept reviewed by
a reviewer Robert with a rating of 3.5. Any operations regarding the paper
review process can be represented as an access to the XML document such as
a read access to the paper
id
attribute and an update access to the
result
element.
We need to specify appropriate access control policies that will be enforced
on this XML document in order to support the anonymous paper reviewing
process. Figure 2 shows an example access control policy specified on the
