20 results for XACML
Abstract:
This paper presents a modified approach to evaluate access control policy similarity and dissimilarity based on the proposal by Lin et al. (2007). Lin et al.'s policy similarity approach is intended as a filter stage which identifies similar XACML policies that can be analysed further using more computationally demanding techniques based on model checking or logical reasoning. This paper improves the approach of computing similarity of Lin et al. and also proposes a mechanism to calculate a dissimilarity score by identifying related policies that are likely to produce different access decisions. Departing from the original algorithm, the modifications take into account the policy obligation, rule or policy combining algorithm and the operators between attribute name and value. The algorithms are useful in activities involving parties from multiple security domains such as secured collaboration or secured task distribution. The algorithms allow various comparison options for evaluating policies while retaining control over the restriction level via a number of thresholds and weight factors.
Abstract:
XACML has become the de facto standard for enterprise-wide, policy-based access control. It is a structured, extensible language that can express and enforce complex access control policies. There have been several efforts to extend XACML to support specific authorisation models, such as the OASIS RBAC profile to support Role Based Access Control. A number of proposals for authorisation models that support business processes and workflow systems have also appeared in the literature. However, there is no published work describing an extension to allow XACML to be used as a policy language with these models. This paper analyses the specific requirements of a policy language to express and enforce business process authorisation policies. It then introduces BP-XACML, a new profile that extends the RBAC profile for XACML so it can support business process authorisation policies. In particular, BP-XACML supports the notion of tasks, and constraints at the level of a task instance, which are important requirements in enforcing business process authorisation policies.
Abstract:
Radio Frequency Identification (RFID) technology allows automatic data capture from tagged objects moving in a supply chain. This data can be very useful if it is used to answer traceability queries, however it is distributed across many different repositories, owned by different companies. © 2012 IEEE.
Abstract:
Service-Oriented Architecture (SOA) and Web Services (WS) offer advanced flexibility and interoperability capabilities. However they imply significant performance overheads that need to be carefully considered. Supply Chain Management (SCM) and Traceability systems are an interesting domain for the use of WS technologies that are usually deemed to be too complex and unnecessary in practical applications, especially regarding security. This paper presents an externalized security architecture that uses the eXtensible Access Control Markup Language (XACML) authorization standard to enforce visibility restrictions on traceability data in a supply chain where multiple companies collaborate; the performance overheads are assessed by comparing 'raw' authorization implementations - Access Control Lists, Tokens, and RDF Assertions - with their XACML-equivalents. © 2012 IEEE.
Abstract:
Building on XACML (extensible access control markup language) and its administrative policy draft, and taking into account the characteristics of the current XACML access control framework, this paper proposes reducing the determination of XACML policy administration permissions to the evaluation of a delegation decision request against delegation policies. The syntax of this delegation decision request is defined with an XML (extensible markup language) schema; the process of reducing a policy administration request to a delegation decision request is described, as is the process of evaluating that delegation decision request against the delegation policies. In this way, delegation policies can be used to judge whether a policy administration request is valid, thereby realising policy administration based on extended XACML.
Abstract:
Given that XACML Admin mixes access policies and administrative policies, this paper proposes a matching scheme that splits the policy tree in the PDP into an access policy tree and an administrative policy tree in order to improve online decision performance. On this basis, following the logical meaning of delegation, a delegation graph is constructed to remove invalid nodes from the administrative policy tree and the access policy tree, so that invalid policies that could give rise to denial-of-service attacks are not considered during online decision-making. In addition, to address defects in the current schema definition of XACML Admin, an improved schema definition is proposed, which makes the handling rules for Delegates consistent with those for Subjects, Resources and the other elements of the XACML core specification, and allows administrative policies to be defined more effectively. Together, these approaches effectively improve online decision performance and prevent denial-of-service attacks against the request evaluation process.
Abstract:
XACML, the attribute-based declarative policy language, is highly expressive and meets the complex security requirements of resource access management in open environments, but it lacks support for rule conflict detection and rule redundancy analysis. Using the idea of rule states, this paper describes and analyses the various conflict types arising from operator associations across attribute hierarchies, and gives a rule conflict detection algorithm based on state correlation on top of a resource-semantic-tree policy index; using the idea of state coverage, it analyses the causes of rule redundancy and gives redundancy decision theorems under different rule evaluation combining algorithms. Simulation experiments first analyse the running efficiency of the conflict detection algorithm, and then, for several policy decision systems, verify that the semantic-tree-based policy index and the handling of redundant rules significantly improve decision performance.
Abstract:
Security and authorisation are key issues for enterprise applications, yet the security authorisation services in the current J2EE specification lack sufficient security description capability. This paper proposes a security authorisation framework that supports XACML security policies, describes complex security logic for the various components of a J2EE application server, and provides flexible security authorisation services, reducing the cost of enterprise application development and system maintenance. The framework has been implemented in OnceAS, the J2EE application server independently developed by the Institute of Software, Chinese Academy of Sciences.
Abstract:
The paper addresses the issue of providing access control via delegation and constraint management across multiple security domains. Specifically, this paper proposes a novel Delegation Constraint Management model to manage and enforce delegation constraints across security domains. An algorithm to trace the authority of delegation constraints is introduced as well as an algorithm to form a delegation constraint set and detect/prevent potential conflicts. The algorithms and the management model are built upon a set of formal definitions of delegation constraints. In addition, a constraint profile based on XACML is proposed as a means to express the delegation constraint. The paper also includes a protocol to exchange delegation constraints (in the form of user commitments) between the involved entities in the delegation process.
Abstract:
It is not uncommon for enterprises today to be faced with the demand to integrate and incorporate many different and possibly heterogeneous systems which are generally independently designed and developed, to allow seamless access. In effect, the integration of these systems results in one large whole system that must be able, at the same time, to maintain the local autonomy and to continue working as an independent entity. This problem has introduced a new distributed architecture called federated systems. The most challenging issue in federated systems is to find answers for the question of how to efficiently cooperate while preserving their autonomous characteristic, especially the security autonomy. This thesis intends to address this issue. The thesis reviews the evolution of the concept of federated systems and discusses the organisational characteristics as well as remaining security issues with the existing approaches. The thesis examines how delegation can be used as means to achieve better security, especially authorisation while maintaining autonomy for the participating member of the federation. A delegation taxonomy is proposed as one of the main contributions. The major contribution of this thesis is to study and design a mechanism to support delegation within and between multiple security domains with constraint management capability. A novel delegation framework is proposed including two modules: Delegation Constraint Management module and Policy Management module. The first module is designed to effectively create, track and manage delegation constraints, especially for delegation processes which require re-delegation (indirect delegation). The first module employs two algorithms to trace the root authority of a delegation constraint chain and to prevent the potential conflict when creating a delegation constraint chain if necessary. The first module is designed for conflict prevention not conflict resolution.
The second module is designed to support the first module via the policy comparison capability. The major function of this module is to provide the delegation framework the capability to compare policies and constraints (written under the format of a policy). The module is an extension of Lin et al.'s work on policy filtering and policy analysis. Throughout the thesis, some case studies are used as examples to illustrate the discussed concepts. These two modules are designed to capture one of the most important aspects of the delegation process: the relationships between the delegation transactions and the involved constraints, which are not very well addressed by the existing approaches. This contribution is significant because the relationships provide information to keep track and enforce the involved delegation constraints and, therefore, play a vital role in maintaining and enforcing security for transactions across multiple security domains.
Abstract:
This thesis investigates the use of building information models for access control and security applications in critical infrastructures and complex building environments. It examines current problems in security management for physical and logical access control and proposes novel solutions that exploit the detailed information available in building information models. The project was carried out as part of the Airports of the Future Project and the research was modelled based on real-world problems identified in collaboration with our industry partners in the project.
Abstract:
Building information models have created a paradigm shift in how buildings are built and managed by providing a dynamic repository for building data that is useful in many new operational scenarios. This change has also created an opportunity to use building information models as an integral part of security operations and especially as a tool to facilitate fine-grained access control to building spaces in smart buildings and critical infrastructure environments. In this paper, we identify the requirements for a security policy model for such an access control system and discuss why the existing policy models are not suitable for this application. We propose a new policy language extension to XACML, with BIM specific data types and functions based on the IFC specification, which we call BIM-XACML.
Authorisation management in business process environments: An authorisation model and a policy model
Abstract:
This thesis provides two main contributions. The first one is BP-TRBAC, a unified authorisation model that can support legacy systems as well as business process systems. BP-TRBAC supports specific features that are required by business process environments. BP-TRBAC is designed to be used as an independent enterprise-wide authorisation model, rather than having it as part of the workflow system. It is designed to be the main authorisation model for an organisation. The second contribution is BP-XACML, an authorisation policy language that is designed to represent BPM authorisation policies for business processes. The contribution also includes a policy model for BP-XACML. Using BP-TRBAC as an authorisation model together with BP-XACML as an authorisation policy language will allow an organisation to manage and control authorisation requests from workflow systems and other legacy systems.
Abstract:
With the continual emergence of new distributed application scenarios and the gradual escalation of security requirements in business-driven enterprise organisations, traditional access control techniques and concepts face a series of problems and challenges in areas such as inter-domain policy interoperation, large-scale policy processing, policy analysis and detection, access decision enforcement efficiency, and the form and development model of security software. Against this practical background, and drawing on many related ongoing research projects, this thesis carries out theoretical research and engineering practice on several key technologies involved in access authorisation policy integration, with the following main results:
1. The overall progress and evolution of inter-domain interoperation policy integration theory and technology in recent years is carefully reviewed and analysed; the large number of current inter-domain authorisation interoperation schemes is classified and compared from multiple perspectives; the theoretical principles, technical advantages and limitations of typical schemes are analysed in detail; and an overall view of the development of interoperation policy integration theory is given, summarising its basic characteristics and development trends.
2. On the basis of directed role graphs, an inter-domain mapping rule evolution model with dynamic self-adjustment capability is proposed. Evolution semantics between nodes are constructed using attribute constraint spaces, a mapping rule adjustment mechanism is realised through threshold evaluation of related coefficients such as the constraint satisfiability coefficient and the security assessment coefficient, and a complete evolution implementation scheme is given. This addresses problems in current interoperation scenarios such as overly coarse permission control granularity, mapping relationships that are hard to change, and the lack of evolution semantics.
3. Based on the idea of rule states, a rule conflict and rule redundancy analysis method specific to XACML policies is proposed. Through formal derivation, the scheme analyses the various conflict types caused by operator associations across subject attribute hierarchies and resource attribute hierarchies, together with their underlying causes; it gives a detailed conflict detection algorithm that localises conflicting rules to their domain, uses the idea of state coverage to analyse the causes of rule redundancy, and gives redundancy decision theorems under several rule evaluation combining algorithms.
4. To address the bottlenecks of large-scale policy processing, such as policy size reduction and efficient policy indexing, a policy decision engine using multi-level optimisation techniques is designed and implemented. The engine reduces the size of the policy repository through rule refinement, lowers communication overhead between the engine and other functional components through a multi-level cache consisting of a decision result cache, an attribute cache and a policy cache, and improves policy retrieval and decision efficiency through a two-stage policy indexing technique; simulation tests verify the overall efficiency gains brought by the multi-level optimisation.
5. A development, assembly and integration modelling method for common security service components is proposed. A three-layer platform for common security components is built using aspect-oriented programming, dependency injection and reflection; the invocation sequence of security service components is orchestrated in BPEL and security access business processes are designed, seamlessly combining component development with business process development to realise a security facility construction platform that supports rapid disassembly, dynamic adjustment and real-time assembly.