Managing XACML Systems in Distributed Environments through Meta-Policies
- Authors:
- Díaz López, Daniel Orlando; Dólera Tormo, Ginés; Mármol Gómez, Félix; Martínez Pérez, Gregorio
- Resource type:
- Journal article
- Publication date:
- 2015
- Institution:
- Universidad del Rosario
- Repository:
- Repositorio EdocUR - U. Rosario
- Language:
- eng
- OAI Identifier:
- oai:repository.urosario.edu.co:10336/28106
- Online access:
- https://doi.org/10.1016/j.cose.2014.10.004
https://repository.urosario.edu.co/handle/10336/28106
- Keywords:
- XACML; Access control system; Distributed environments; SAML; Access control policy; Policy management
- Rights / License:
- Restricted (access to specific groups)
- Abstract:
- Policy-based authorization systems are now widely deployed to control privileges over large numbers of resources within a security domain. Policies give a fine-grained level of expressiveness for stating how a system should respond to access control requests. In this context, XACML has become popular in both industry and academia as a standard for defining access control policies and as an architecture for evaluating authorization requests and issuing authorization decisions. However, the applicability of XACML is still unclear in collaborative and distributed environments composed of several security domains that share access control over specific resources. This situation arises when many security domains can simultaneously define how a resource behaves upon receiving authorization requests, for instance in an organization with many subsidiaries or a company with a service virtualization business model. In this paper we propose a solution for effective distributed policy management that takes into account that some policies in one domain may be confidential. To this end, the default XACML architecture has been redefined to use i) Master and Slave PAPs to communicate between security domains, ii) Meta-Policies to define privileges over access control policies (the policies themselves become the managed resources) and iii) SAML extensions to protect the policy management messages that flow between security domains. The experiments and scenarios defined in the paper demonstrate the validity of the proposed solution.
- Translated title (Spanish):
- Gestión de sistemas XACML en entornos distribuidos mediante metapolíticas
- Citation:
- Díaz López, Daniel Orlando; Dólera Tormo, Ginés; Mármol Gómez, Félix; Martínez Pérez, Gregorio. Managing XACML Systems in Distributed Environments through Meta-Policies. Computers and Security, ISSN 0167-4048, Vol. 48 (February 2015), pp. 92-115. Elsevier.
- Date created:
- 2015-01-02
- Accessioned / available in repository:
- 2020-08-19
- Resource type (COAR):
- http://purl.org/coar/resource_type/c_6501 (article); version: http://purl.org/coar/version/c_970fb48d4fbd8a85
- DOI:
- https://doi.org/10.1016/j.cose.2014.10.004
- Publisher page:
- https://www.sciencedirect.com/science/article/pii/S0167404814001503
- Repository handle:
- https://repository.urosario.edu.co/handle/10336/28106
- Format:
- application/pdf
- Access rights:
- Restricted (access to specific groups), http://purl.org/coar/access_right/c_16ec
- Repository contact:
- edocur@urosario.edu.co
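The architecture the abstract describes treats access control policies as managed resources: a master PAP evaluates a meta-policy before a slave PAP in another security domain may read or update a policy, and confidential policies must not leak across domains. The following Python sketch is an added illustration of that idea and is not the paper's code or implementation; the attribute identifiers (subject:role, subject:domain, resource:owner-domain, resource:confidentiality), the rule identifiers and the policy identifiers are invented for the example. It models the XACML deny-overrides rule-combining algorithm, a deny-biased PEP, and the handling of a request that lacks an attribute a condition needs, and it shows why a deny rule for confidential policies wins over a broad permit granted to the master administrator.

```python
"""Toy evaluator for an XACML-style meta-policy governing policy management.

Added illustration, not the paper's code: a master PAP holds a meta-policy whose
managed resources are the access control policies themselves, and evaluates the
read/update/delete requests that slave PAPs in other domains send about them.
Attribute, rule and policy identifiers are invented for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
Request = Dict[str, str]  # attribute-id -> value, flattened for brevity


@dataclass(frozen=True)
class Rule:
    rule_id: str
    effect: str  # PERMIT or DENY
    target: Dict[str, Set[str]] = field(default_factory=dict)  # attr -> allowed values
    condition: Optional[Callable[[Request], bool]] = None  # stands in for <Condition>

    def applies(self, req: Request) -> bool:
        # Every target attribute must be present with one of the allowed values.
        if any(req.get(a) not in allowed for a, allowed in self.target.items()):
            return False
        if self.condition is None:
            return True
        try:
            return bool(self.condition(req))
        except KeyError:
            # Missing attribute: Indeterminate in XACML; here it never grants access.
            return False


@dataclass
class MetaPolicy:
    policy_id: str
    combining: str  # "deny-overrides" or "permit-overrides"
    rules: List[Rule]

    def evaluate(self, req: Request) -> str:
        effects = [r.effect for r in self.rules if r.applies(req)]
        if not effects:
            return NOT_APPLICABLE
        if self.combining == "deny-overrides":
            return DENY if DENY in effects else PERMIT
        if self.combining == "permit-overrides":
            return PERMIT if PERMIT in effects else DENY
        raise ValueError(f"unknown combining algorithm {self.combining!r}")


def enforce(decision: str) -> bool:
    """Deny-biased PEP: only an explicit Permit lets the management operation run."""
    return decision == PERMIT


META_POLICY = MetaPolicy(
    policy_id="urn:example:meta-policy:policy-management",  # hypothetical id
    combining="deny-overrides",
    rules=[
        # Administrators of the master PAP may manage any policy.
        Rule("master-admin-all", PERMIT, target={"subject:role": {"master-pap-admin"}}),
        # A slave PAP may read and update the policies its own domain owns.
        Rule("slave-manages-own-domain", PERMIT,
             target={"subject:role": {"slave-pap"}, "action:id": {"read", "update"}},
             condition=lambda r: r["subject:domain"] == r["resource:owner-domain"]),
        # A confidential policy is never disclosed outside its owning domain;
        # under deny-overrides this beats even the master-admin permit above.
        Rule("confidential-stays-in-domain", DENY,
             target={"action:id": {"read"}, "resource:confidentiality": {"confidential"}},
             condition=lambda r: r["subject:domain"] != r["resource:owner-domain"]),
    ],
)


def decide(role: str, domain: str, action: str, policy_id: str,
           owner_domain: str, confidentiality: str = "public") -> str:
    """Evaluate a policy-management request; the resource is a policy identifier."""
    return META_POLICY.evaluate({
        "subject:role": role, "subject:domain": domain, "action:id": action,
        "resource:id": policy_id, "resource:owner-domain": owner_domain,
        "resource:confidentiality": confidentiality,
    })


if __name__ == "__main__":
    # Constructed sample requests from a master administrator and from the
    # slave PAP of subsidiary B, against policies owned by subsidiaries A and B.
    for args in [
        ("master-pap-admin", "hq", "read", "urn:example:policy:a-finance", "subsidiary-a", "confidential"),
        ("slave-pap", "subsidiary-b", "update", "urn:example:policy:b-hr", "subsidiary-b"),
        ("slave-pap", "subsidiary-b", "update", "urn:example:policy:a-hr", "subsidiary-a"),
    ]:
        d = decide(*args)
        print(f"{args[0]:>16} {args[2]:>6} {args[3]:<28} -> {d:<14} allowed={enforce(d)}")
```

Two points worth noticing when running it. A slave PAP updating a public policy of another domain gets NotApplicable rather than Deny, because no rule speaks to that request; the PEP is deliberately deny-biased so that outcome still blocks the operation. And the master administrator, despite a rule that permits everything, is denied a read of a confidential policy owned by a subsidiary: the deny-overrides combining algorithm lets the confidentiality rule override the broad permit, which is the property the abstract asks for when some policies in a domain must stay confidential.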