Step 2. Subject-Check: For each xacl element unit, check if the subject and the action are semantically equal to the corresponding specification in the xacl element.
Step 3. Condition-Check: For each of the remaining xacl elements, check if it meets the condition.
Step 4. Decision-Record: Make a decision for each of the remaining xacl elements, where each decision includes the object, the subject, and the action specified in the xacl element, and append all the decisions to the authorization decision list.
Policy Evaluation Algorithm
The policy evaluation algorithm deals with propagation and conflict resolution. We note that this algorithm always outputs exactly one authorization decision.
Input: An authorization request.
Output: A decision of grant or deny.
Step 1. Propagation Processing: Call the basic matching algorithm for the request and append the propagated access effects to the decision list.
Step 2. Conflict Resolution: If there is a conflict on the request object, resolve it with the conflict resolution policy.
Step 3. Default Resolution: If there is no authorization decision in the list, make a decision according to the default policy and append it to the decision list.
Step 4. Select one decision: Select one evaluation result from the list containing at least one decision.
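The two algorithms above, as an added Python example (not code from the original text). Assumptions: the object check by path stands in for the matching step not shown on this page, plain equality stands in for semantic equality, effects propagate downward to descendants, and the conflict and default policies are parameters that both default to deny; the `Rule` shape and `POLICY` data are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Rule:  # hypothetical stand-in for one xacl element
    obj: str                  # path of the protected element, e.g. "/doc/salary"
    subject: str
    action: str
    effect: str               # "grant" or "deny"
    propagate: bool = True    # assumed: effect propagates down to descendants
    condition: Callable[[dict], bool] = lambda ctx: True

def basic_match(rules, obj, subject, action, ctx):
    """Return the decision list: (object, subject, action, effect) tuples."""
    decisions = []
    for r in rules:
        exact = r.obj == obj
        inherited = r.propagate and obj.startswith(r.obj.rstrip("/") + "/")
        if not (exact or inherited):                     # object check (assumed)
            continue
        if (r.subject, r.action) != (subject, action):   # Subject-Check
            continue
        if not r.condition(ctx):                         # Condition-Check
            continue
        decisions.append((r.obj, r.subject, r.action, r.effect))  # Decision-Record
    return decisions

def evaluate(rules, obj, subject, action, ctx=None, conflict="deny", default="deny"):
    """Policy evaluation: always returns exactly one of "grant" or "deny"."""
    decisions = basic_match(rules, obj, subject, action, ctx or {})  # propagation
    if len({d[3] for d in decisions}) > 1:               # conflict resolution
        decisions = [d for d in decisions if d[3] == conflict]
    if not decisions:                                    # default resolution
        decisions.append((obj, subject, action, default))
    return decisions[0][3]                               # select one decision

# Constructed sample policy
POLICY = [
    Rule("/doc", "alice", "read", "grant"),
    Rule("/doc/salary", "alice", "read", "deny"),
    Rule("/doc/notes", "alice", "write", "grant",
         condition=lambda c: c.get("hour", 0) < 18),
]
```

A grant on `/doc` reaches `/doc/salary` by propagation and collides with the explicit deny there, so the result for that element depends entirely on the `conflict` setting.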
4.2 XACML
XACML [10] is an access control policy specification language standardized by
OASIS. XACML defines the format for policy and request/response messages.
The scope of this language is to cover access control systems as broadly as
possible. Therefore, the XACML core schema is designed to be extensible for
yet unknown features.
XACML achieves interoperability of access control policies among heterogeneous computing platforms. The biggest difference from the XACL language is that XACL focuses on the access control policy only for XML data,¹ while the generalized XACML policies support any resources, including XML data.
¹ Many portions of the XACML policy model originated from the XACL language.