Abstract
In this paper we show that the static conflict resolution strategy of XACML is not always sufficient to satisfy the policy needs of an organisation where multiple parties provide their own individual policies. Different conflict resolution strategies are often required for different situations. Thus combining one or more sets of policies into a single XACML ‘super policy’, evaluated by a single policy decision point (PDP), cannot always provide the correct authorisation decision, because the conflict resolution algorithm has to be built in statically. We therefore propose a dynamic conflict resolution strategy that chooses different conflict resolution algorithms based on the authorisation request context. The proposed system receives individual and independent policies, as well as conflict resolution rules, from different policy authors, but instead of combining these into one super policy with static conflict resolution rules, it evaluates each policy separately and resolves the conflicts among their authorisation decisions dynamically, using the conflict resolution algorithm that best matches the authorisation decision request. It further combines the obligations of independent policies that return the same decision, which XACML cannot do, while keeping each author’s policy intact.
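The following is an added illustration of the architecture the abstract describes, not the authors' implementation: three independent policies from three authors are evaluated separately, a conflict resolution algorithm is selected from the request context by an ordered list of rules, and the obligations of every policy that agrees with the final decision are merged. The policy contents, the attribute names (role, resource, purpose, emergency), the obligation identifiers and the rule syntax are all constructed for this example; the XACML-style combining algorithms are reduced to Permit/Deny/NotApplicable. The static "super policy" evaluation is included only for contrast and differs solely in using one fixed algorithm.

```python
# Added example (not the paper's code): a toy "master PDP" that evaluates each
# author's policy independently, picks the conflict resolution algorithm from
# the request context, and merges obligations of policies that agree with the
# final decision. All policies, attributes and rule syntax are constructed.
from dataclasses import dataclass, field

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Decision:
    decision: str
    obligations: list = field(default_factory=list)


# --- three independent policies from three authors (constructed) -------------
def hospital_policy(req):
    """Hospital: doctors may read patient records; every access is logged."""
    if req["resource"] == "patient-record" and req["role"] == "doctor":
        return Decision(PERMIT, ["log-access"])
    return Decision(NOT_APPLICABLE)


def patient_policy(req):
    """Patient: records only for treatment; the patient is always notified."""
    if req["resource"] != "patient-record":
        return Decision(NOT_APPLICABLE)
    if req["purpose"] == "treatment":
        return Decision(PERMIT, ["notify-patient"])
    return Decision(DENY, ["notify-patient"])


def law_policy(req):
    """Regulator: in an emergency any clinician may read, but it is audited."""
    if req["resource"] == "patient-record" and req.get("emergency", False):
        return Decision(PERMIT, ["audit-emergency-access"])
    return Decision(NOT_APPLICABLE)


POLICIES = [hospital_policy, patient_policy, law_policy]


# --- XACML-style combining algorithms over the per-policy results ------------
def deny_overrides(results):
    if DENY in results:
        return DENY
    return PERMIT if PERMIT in results else NOT_APPLICABLE


def permit_overrides(results):
    if PERMIT in results:
        return PERMIT
    return DENY if DENY in results else NOT_APPLICABLE


# --- conflict resolution rules selected per request (constructed syntax) -----
# Ordered (predicate over the request, algorithm) pairs; the first match wins.
CONFLICT_RULES = [
    (lambda r: r.get("emergency", False), permit_overrides),  # break-the-glass
    (lambda r: True, deny_overrides),                          # default
]


def choose_algorithm(req):
    for predicate, algorithm in CONFLICT_RULES:
        if predicate(req):
            return algorithm
    raise RuntimeError("no conflict resolution rule matched")


def combine(results, algorithm):
    """Apply the algorithm to the per-policy decisions, then merge (deduplicated)
    the obligations of every policy whose decision equals the final one."""
    final = algorithm([d.decision for d in results])
    obligations = []
    for d in results:
        if d.decision == final:
            for ob in d.obligations:
                if ob not in obligations:
                    obligations.append(ob)
    return Decision(final, obligations)


def evaluate_dynamic(req, policies=POLICIES):
    """Each policy evaluated on its own; algorithm chosen from the request."""
    return combine([p(req) for p in policies], choose_algorithm(req))


def evaluate_static(req, policies=POLICIES, algorithm=deny_overrides):
    """One fixed algorithm for every request, as a single super policy would."""
    return combine([p(req) for p in policies], algorithm)


if __name__ == "__main__":
    routine = {"role": "doctor", "resource": "patient-record",
               "purpose": "treatment"}
    emergency = {"role": "nurse", "resource": "patient-record",
                 "purpose": "research", "emergency": True}
    for name, req in (("routine", routine), ("emergency", emergency)):
        print(name, "dynamic:", evaluate_dynamic(req),
              "static:", evaluate_static(req))
```

For the routine request both evaluations agree on Permit and carry the merged obligations of the two permitting policies; for the emergency request the fixed deny-overrides algorithm denies, while the context-selected permit-overrides algorithm permits and attaches only the obligation of the policy that produced that decision.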
Copyright information
© 2014 Springer International Publishing Switzerland
Cite this paper
Fatema, K., Chadwick, D. (2014). Resolving Policy Conflicts - Integrating Policies from Multiple Authors. In: Iliadis, L., Papazoglou, M., Pohl, K. (eds) Advanced Information Systems Engineering Workshops. CAiSE 2014. Lecture Notes in Business Information Processing, vol 178. Springer, Cham. https://doi.org/10.1007/978-3-319-07869-4_29
DOI: https://doi.org/10.1007/978-3-319-07869-4_29
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-07868-7
Online ISBN: 978-3-319-07869-4
eBook Packages: Computer Science (R0)