An advanced policy based authorisation infrastructure

Chadwick, David; Fatema, Kaniz

doi:10.1145/1655028.1655045

Cited by 12 publications

(9 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The first beta version is available for download from the PERMIS web site 1 . This contains the AIPEP, CVS, the Obligations Service, a Master PDP, a policy store and sticky store, and multiple PDPs of different types.…”

Section: Implementation Detailsmentioning

confidence: 99%

See 1 more Smart Citation

A Multi-privacy Policy Enforcement System

Fatema

Chadwick

Lievens

2011

IFIP Advances in Information and Communication Technology

Self Cite

View full text Add to dashboard Cite

Abstract. Organisations are facing huge pressure to assure their users about the privacy protection of their personal data. Organisations may need to consult the privacy policies of their users when deciding who should access their personal data. The user's privacy policy will need to be combined with the organisation's own policy, as well as policies from different authorities such as the issuer of the data, and the law. The authorisation system will need to ensure the enforcement of all these policies. We have designed a system that will ensure the enforcement of multiple privacy policies within an organisation and throughout a distributed system. The current paper is an enhanced version of [1] and it takes the research one step further.

show abstract

Section: Implementation Detailsmentioning

confidence: 99%

“…We have designed a system that will ensure the enforcement of multiple privacy policies within an organisation and throughout a distributed system. The current paper is an enhanced version of [1] and it takes the research one step further. …”

mentioning

confidence: 99%

A Multi-privacy Policy Enforcement System

Fatema

Chadwick

Lievens

2011

IFIP Advances in Information and Communication Technology

Self Cite

View full text Add to dashboard Cite

show abstract

“…This balance of rights is critical and other researches, when designing policy based authorization systems to protect the privacy of personal data, have often overlooked this matter and focused primarily on the policy of the data subject [8,9]. In comparison, we have attempted to support this balance by building multiple policy decision points (PDPs) into the authorization system so that all the stakeholders can express their own independent policies [2]. The system is designed to include access control polices and conflict resolution polices [3] from different authors, possibly written in different policy languages (such as XACMLv2 [12], XACMLv3 [13], PERMIS [14], P3P [15] and so on) and these policies will be enforced in separate PDPs.…”

Section: Introductionmentioning

confidence: 99%

“…This paper presents the extraction of a legal access control policy and a conflict resolution policy from the EU Data Protection Directive [1]. These policies are installed in a multi-policy authorization infrastructure described in [2,3]. A Legal Policy Decision Point (PDP) is constructed with a legal access control policy to provide automated decisions based on the relevant legal provisions.…”

mentioning

confidence: 99%

Extracting Access Control and Conflict Resolution Policies from European Data Protection Law

Fatema

Chadwick

Alsenoy

2012

IFIP Advances in Information and Communication Technology

Self Cite

View full text Add to dashboard Cite

Abstract. This paper presents the extraction of a legal access control policy and a conflict resolution policy from the EU Data Protection Directive [1]. These policies are installed in a multi-policy authorization infrastructure described in [2,3]. A Legal Policy Decision Point (PDP) is constructed with a legal access control policy to provide automated decisions based on the relevant legal provisions. The legal conflict resolution policy is configured into a Master PDP to make sure that the legal access control policy gets priority over access control policies provided by other authorities i.e. the data subject, the data issuer and the data controller. We describe how clauses of the Directive are converted into access control rules based on attributes of the subject, action, resource and environment. There are currently some limitations in the conversion process, since the majority of provision require additional interpretation by humans. These provisions cannot be converted into deterministic rules for the PDP. Other provisions do allow for the extraction of PDP rules but need to be tailored to the application environment before they are configured into the Legal PDP.

show abstract

“…This is even more problematic in a distributed environment with independent PDP and PEP, such as in SOA or SaaS scenarios. In these kinds of environments distributed evaluation of policies as presented in [6] or [4] will result into merged set of obligations whose interrelation has to be specified. As the deployed PEP and PDP might be under the responsibility of different entities an explicit definition of the supported obligation is required.…”

Section: Introductionmentioning

confidence: 99%

Dynamic obligation specification and negotiation

Lischka¹

2010

2010 IEEE Network Operations and Management Symposium - NOMS 2010

View full text Add to dashboard Cite

OASIS XACML has become a recognized standard for the specification of access control policies, and has specified a generic framework for access control. While the XACML policy language is very flexible for access privileges, there is currently no method to specify the obligations send from a policy decision point (PDP) to a policy enforcement point (PEP) in a generic way. Potential conflicts between obligations are not even considered in the language specification, thus no generic detection of these conflicts is possible. But this becomes an important aspect in a distributed environment like SaaS, in which the policies and their enforcement are not coordinated by a single entity. In this paper we will present a dynamic obligation specification language which covers the following aspects. First, it allows us to define the actual obligation and its parameters including the relationship, especially conflicts among them. Second, the negotiation of the supported obligation between distributed PDP and PEP is introduced. Third, potential conflicts are detected and partially solved at runtime based on the definition of the obligations. We show how the introduced extensible obligation markup language (XOML) could be integrated into the XACML standard.

show abstract

An advanced policy based authorisation infrastructure

Abstract: The version in the Kent Academic Repository may differ from the final published version. Users are advised to check http://kar.kent.ac.uk for the status of the paper. Users should always cite the published version of record.

Cited by 12 publications

References 14 publications

A Multi-privacy Policy Enforcement System

A Multi-privacy Policy Enforcement System

Extracting Access Control and Conflict Resolution Policies from European Data Protection Law

Dynamic obligation specification and negotiation

Contact Info

Product

Resources

About