B. Stepien, Amy Felty, Using Expert Systems to Statically Detect "Dynamic" Conflicts in XACML, in ARES 2016 proceedings
B. Stepien, A. Felty, S. Matwin, Challenges of Composing XACML Policies, in ARES 2014 proceedings
B. Stepien, A. Felty, S. Matwin, A Non-Technical XACML Target Editor for Dynamic Access Control Systems, in proceedings SECOTS 2014
B. Stepien, A. Felty, S. Matwin, An Algorithm for Compression of XACML Access Control Policy Sets by Recursive Subsumption, in ARES 2012 proceedings
B. Stepien, H. Khambhammettu, K. Adi, L. Logrippo, CatBAC: A Generic Framework for Designing and Validating Hybrid Access Control Models, in ICC'12 WS - SFCS proceedings
B. Stepien, S. Matwin, A. Felty, Advantages of a Non-Technical XACML Notation in Role-Based Models, in the proceedings of the PST 2011 conference
B. Stepien, S. Matwin, A. Felty, Strategies for Reducing Risks of Inconsistencies in Access Control Policies, in proceedings of the ARES 2010 conference
B. Stepien, A. Felty, S. Matwin, A Non-technical User-Oriented Display Notation for XACML conditions, in MCETECH 2009 proceedings
V. Capretta, B. Stepien, A. Felty, S. Matwin, Formal Correctness of Conflict Detection for Firewalls, in FMSE'07 Conference proceedings
Doctors and nurses are represented using the subject-id attribute.
Surgeries report and diagnosis are represented using the Document attribute.
Emergency and operating room are represented using the Location attribute.
Action is represented by the action-id attribute.
Furthermore, what does the word "and" really mean in the phrase "located in emergency room and operating room"? This means they can read in both locations, right? Thus, what this policy really means is "located in emergency room or operating room".
Our non-technical notation makes it possible to view and edit an XACML policy in a very concise way and thus to really understand what it means. XACML is maintained as a machine-readable representation for interoperability purposes.
The rendering of the above example in XACML 2.0 code can be found here: Press here to view the corresponding XACML 2.0 code
The rendering of the above example in XACML 3.0 code can be found here: Press here to view the corresponding XACML 3.0 code
Policy set: several_policies_example
  Policy: policy_1 - First applicable
    policy target:
      subject-id matches physician
      and resource-id matches diagnosis
      and action-id matches read or action-id matches write
    Rule: rule_1_1 - Permit
  Policy: policy_2 - First applicable
    policy target:
      subject-id matches nurse or subject-id matches physician
      and resource-id matches surgeries report or resource-id matches diagnosis
      and action-id matches read
    Rule: rule_2_1 - Permit
  Policy: policy_3 - Deny overrides
    policy target:
      subject-id matches receptionist or subject-id matches nurse or subject-id matches physician
      and resource-id matches general information or resource-id matches MRI or resource-id matches diagnosis
      and action-id matches email or action-id matches read
    Rule: rule_3_1 - Permit
  Policy: policy_4 - First applicable
    policy target:
      resource-id matches diagnosis
    Rule: rule_4_1 - Deny
      rule target:
        Consent is not given
        and action-id matches read or action-id matches email
      Condition:
        DayOfTheWeek matches Saturday or DayOfTheWeek matches Sunday
Press here to view the corresponding XACML code for the above example
Conflicts are dangerous and need to be detected early in the policy composing process. The XACML policy and rule combining algorithm corresponds to tossing a coin. It does not resolve conflicts in a reasoned way. It merely postpones the awareness of conflicts, but it produces immediate, possibly catastrophic consequences. For example, granting access to an unauthorized person can lead to such consequences as WikiLeaks. Also, denying access to medical records could lead to the death of a patient in emergency situations.
18 conflicts have been detected conflict detection exec time: 641 ms ============================================================ A conflict has been detected between rules: policy_1 - rule_1_1 and policy_4 - rule_4_1 because the following attributes values have satisfied both rules with opposite effects attribute: subject-id value: physician vs any value attribute: action-id value: read vs read attribute: Consent value: any value vs not given attribute: DayOfTheWeek value: any value vs Saturday attribute: resource-id value: diagnosis vs diagnosis Policy: policy_1 - rule: rule_1_1 : Permit policy target: subject-id matches physician and resource-id matches diagnosis and action-id matches read or action-id matches write --------------------------- Policy: policy_4 - rule: rule_4_1 : Deny policy target: resource-id matches diagnosis rule target: Consent is not given and action-id matches read or action-id matches email rule condition: DayOfTheWeek matches Saturday or DayOfTheWeek matches Sunday ============================================================ A conflict has been detected between rules: policy_1 - rule_1_1 and policy_4 - rule_4_1 because the following attributes values have satisfied both rules with opposite effects attribute: subject-id value: physician vs any value attribute: action-id value: read vs read attribute: Consent value: any value vs not given attribute: DayOfTheWeek value: any value vs Sunday attribute: resource-id value: diagnosis vs diagnosis Policy: policy_1 - rule: rule_1_1 : Permit policy target: subject-id matches physician and resource-id matches diagnosis and action-id matches read or action-id matches write --------------------------- Policy: policy_4 - rule: rule_4_1 : Deny policy target: resource-id matches diagnosis rule target: Consent is not given and action-id matches read or action-id matches email rule condition: DayOfTheWeek matches Saturday or DayOfTheWeek matches Sunday 
============================================================ A conflict has been detected between rules: policy_2 - rule_2_1 and policy_4 - rule_4_1 because the following attributes values have satisfied both rules with opposite effects attribute: subject-id value: nurse vs any value attribute: action-id value: read vs read attribute: Consent value: any value vs not given attribute: DayOfTheWeek value: any value vs Saturday attribute: resource-id value: diagnosis vs diagnosis Policy: policy_2 - rule: rule_2_1 : Permit policy target: subject-id matches nurse or subject-id matches physician and resource-id matches surgeries report or resource-id matches diagnosis and action-id matches read --------------------------- Policy: policy_4 - rule: rule_4_1 : Deny policy target: resource-id matches diagnosis rule target: Consent is not given and action-id matches read or action-id matches email rule condition: DayOfTheWeek matches Saturday or DayOfTheWeek matches Sunday ============================================================ A conflict has been detected between rules: policy_2 - rule_2_1 and policy_4 - rule_4_1 because the following attributes values have satisfied both rules with opposite effects attribute: subject-id value: nurse vs any value attribute: action-id value: read vs read attribute: Consent value: any value vs not given attribute: DayOfTheWeek value: any value vs Sunday attribute: resource-id value: diagnosis vs diagnosis Policy: policy_2 - rule: rule_2_1 : Permit policy target: subject-id matches nurse or subject-id matches physician and resource-id matches surgeries report or resource-id matches diagnosis and action-id matches read --------------------------- Policy: policy_4 - rule: rule_4_1 : Deny policy target: resource-id matches diagnosis rule target: Consent is not given and action-id matches read or action-id matches email rule condition: DayOfTheWeek matches Saturday or DayOfTheWeek matches Sunday 
============================================================ A conflict has been detected between rules: policy_2 - rule_2_1 and policy_4 - rule_4_1 because the following attributes values have satisfied both rules with opposite effects attribute: subject-id value: physician vs any value attribute: action-id value: read vs read attribute: Consent value: any value vs not given attribute: DayOfTheWeek value: any value vs Saturday attribute: resource-id value: diagnosis vs diagnosis Policy: policy_2 - rule: rule_2_1 : Permit policy target: subject-id matches nurse or subject-id matches physician and resource-id matches surgeries report or resource-id matches diagnosis and action-id matches read --------------------------- Policy: policy_4 - rule: rule_4_1 : Deny policy target: resource-id matches diagnosis rule target: Consent is not given and action-id matches read or action-id matches email rule condition: DayOfTheWeek matches Saturday or DayOfTheWeek matches Sunday ============================================================ A conflict has been detected between rules: policy_2 - rule_2_1 and policy_4 - rule_4_1 because the following attributes values have satisfied both rules with opposite effects attribute: subject-id value: physician vs any value attribute: action-id value: read vs read attribute: Consent value: any value vs not given attribute: DayOfTheWeek value: any value vs Sunday attribute: resource-id value: diagnosis vs diagnosis Policy: policy_2 - rule: rule_2_1 : Permit policy target: subject-id matches nurse or subject-id matches physician and resource-id matches surgeries report or resource-id matches diagnosis and action-id matches read --------------------------- Policy: policy_4 - rule: rule_4_1 : Deny policy target: resource-id matches diagnosis rule target: Consent is not given and action-id matches read or action-id matches email rule condition: DayOfTheWeek matches Saturday or DayOfTheWeek matches Sunday 
============================================================ A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1 because the following attributes values have satisfied both rules with opposite effects attribute: subject-id value: receptionist vs any value attribute: action-id value: email vs email attribute: Consent value: any value vs not given attribute: DayOfTheWeek value: any value vs Saturday attribute: resource-id value: diagnosis vs diagnosis Policy: policy_3 - rule: rule_3_1 : Permit policy target: subject-id matches receptionist or subject-id matches nurse or subject-id matches physician and resource-id matches general information or resource-id matches MRI or resource-id matches diagnosis and action-id matches email or action-id matches read --------------------------- Policy: policy_4 - rule: rule_4_1 : Deny policy target: resource-id matches diagnosis rule target: Consent is not given and action-id matches read or action-id matches email rule condition: DayOfTheWeek matches Saturday or DayOfTheWeek matches Sunday ============================================================ A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1 because the following attributes values have satisfied both rules with opposite effects attribute: subject-id value: receptionist vs any value attribute: action-id value: email vs email attribute: Consent value: any value vs not given attribute: DayOfTheWeek value: any value vs Sunday attribute: resource-id value: diagnosis vs diagnosis Policy: policy_3 - rule: rule_3_1 : Permit policy target: subject-id matches receptionist or subject-id matches nurse or subject-id matches physician and resource-id matches general information or resource-id matches MRI or resource-id matches diagnosis and action-id matches email or action-id matches read --------------------------- Policy: policy_4 - rule: rule_4_1 : Deny policy target: resource-id matches diagnosis rule target: 
Consent is not given and action-id matches read or action-id matches email rule condition: DayOfTheWeek matches Saturday or DayOfTheWeek matches Sunday ============================================================ A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1 because the following attributes values have satisfied both rules with opposite effects attribute: subject-id value: receptionist vs any value attribute: action-id value: read vs read attribute: Consent value: any value vs not given attribute: DayOfTheWeek value: any value vs Saturday attribute: resource-id value: diagnosis vs diagnosis Policy: policy_3 - rule: rule_3_1 : Permit policy target: subject-id matches receptionist or subject-id matches nurse or subject-id matches physician and resource-id matches general information or resource-id matches MRI or resource-id matches diagnosis and action-id matches email or action-id matches read --------------------------- Policy: policy_4 - rule: rule_4_1 : Deny policy target: resource-id matches diagnosis rule target: Consent is not given and action-id matches read or action-id matches email rule condition: DayOfTheWeek matches Saturday or DayOfTheWeek matches Sunday ============================================================ A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1 because the following attributes values have satisfied both rules with opposite effects attribute: subject-id value: receptionist vs any value attribute: action-id value: read vs read attribute: Consent value: any value vs not given attribute: DayOfTheWeek value: any value vs Sunday attribute: resource-id value: diagnosis vs diagnosis Policy: policy_3 - rule: rule_3_1 : Permit policy target: subject-id matches receptionist or subject-id matches nurse or subject-id matches physician and resource-id matches general information or resource-id matches MRI or resource-id matches diagnosis and action-id matches email or 
action-id matches read --------------------------- Policy: policy_4 - rule: rule_4_1 : Deny policy target: resource-id matches diagnosis rule target: Consent is not given and action-id matches read or action-id matches email rule condition: DayOfTheWeek matches Saturday or DayOfTheWeek matches Sunday ============================================================ A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1 because the following attributes values have satisfied both rules with opposite effects attribute: subject-id value: nurse vs any value attribute: action-id value: email vs email attribute: Consent value: any value vs not given attribute: DayOfTheWeek value: any value vs Saturday attribute: resource-id value: diagnosis vs diagnosis Policy: policy_3 - rule: rule_3_1 : Permit policy target: subject-id matches receptionist or subject-id matches nurse or subject-id matches physician and resource-id matches general information or resource-id matches MRI or resource-id matches diagnosis and action-id matches email or action-id matches read --------------------------- Policy: policy_4 - rule: rule_4_1 : Deny policy target: resource-id matches diagnosis rule target: Consent is not given and action-id matches read or action-id matches email rule condition: DayOfTheWeek matches Saturday or DayOfTheWeek matches Sunday ============================================================ A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1 because the following attributes values have satisfied both rules with opposite effects attribute: subject-id value: nurse vs any value attribute: action-id value: email vs email attribute: Consent value: any value vs not given attribute: DayOfTheWeek value: any value vs Sunday attribute: resource-id value: diagnosis vs diagnosis Policy: policy_3 - rule: rule_3_1 : Permit policy target: subject-id matches receptionist or subject-id matches nurse or subject-id matches 
physician and resource-id matches general information or resource-id matches MRI or resource-id matches diagnosis and action-id matches email or action-id matches read --------------------------- Policy: policy_4 - rule: rule_4_1 : Deny policy target: resource-id matches diagnosis rule target: Consent is not given and action-id matches read or action-id matches email rule condition: DayOfTheWeek matches Saturday or DayOfTheWeek matches Sunday ============================================================ A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1 because the following attributes values have satisfied both rules with opposite effects attribute: subject-id value: nurse vs any value attribute: action-id value: read vs read attribute: Consent value: any value vs not given attribute: DayOfTheWeek value: any value vs Saturday attribute: resource-id value: diagnosis vs diagnosis Policy: policy_3 - rule: rule_3_1 : Permit policy target: subject-id matches receptionist or subject-id matches nurse or subject-id matches physician and resource-id matches general information or resource-id matches MRI or resource-id matches diagnosis and action-id matches email or action-id matches read --------------------------- Policy: policy_4 - rule: rule_4_1 : Deny policy target: resource-id matches diagnosis rule target: Consent is not given and action-id matches read or action-id matches email rule condition: DayOfTheWeek matches Saturday or DayOfTheWeek matches Sunday ============================================================ A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1 because the following attributes values have satisfied both rules with opposite effects attribute: subject-id value: nurse vs any value attribute: action-id value: read vs read attribute: Consent value: any value vs not given attribute: DayOfTheWeek value: any value vs Sunday attribute: resource-id value: diagnosis vs diagnosis 
Policy: policy_3 - rule: rule_3_1 : Permit policy target: subject-id matches receptionist or subject-id matches nurse or subject-id matches physician and resource-id matches general information or resource-id matches MRI or resource-id matches diagnosis and action-id matches email or action-id matches read --------------------------- Policy: policy_4 - rule: rule_4_1 : Deny policy target: resource-id matches diagnosis rule target: Consent is not given and action-id matches read or action-id matches email rule condition: DayOfTheWeek matches Saturday or DayOfTheWeek matches Sunday ============================================================ A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1 because the following attributes values have satisfied both rules with opposite effects attribute: subject-id value: physician vs any value attribute: action-id value: email vs email attribute: Consent value: any value vs not given attribute: DayOfTheWeek value: any value vs Saturday attribute: resource-id value: diagnosis vs diagnosis Policy: policy_3 - rule: rule_3_1 : Permit policy target: subject-id matches receptionist or subject-id matches nurse or subject-id matches physician and resource-id matches general information or resource-id matches MRI or resource-id matches diagnosis and action-id matches email or action-id matches read --------------------------- Policy: policy_4 - rule: rule_4_1 : Deny policy target: resource-id matches diagnosis rule target: Consent is not given and action-id matches read or action-id matches email rule condition: DayOfTheWeek matches Saturday or DayOfTheWeek matches Sunday ============================================================ A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1 because the following attributes values have satisfied both rules with opposite effects attribute: subject-id value: physician vs any value attribute: action-id value: email vs email 
attribute: Consent value: any value vs not given attribute: DayOfTheWeek value: any value vs Sunday attribute: resource-id value: diagnosis vs diagnosis Policy: policy_3 - rule: rule_3_1 : Permit policy target: subject-id matches receptionist or subject-id matches nurse or subject-id matches physician and resource-id matches general information or resource-id matches MRI or resource-id matches diagnosis and action-id matches email or action-id matches read --------------------------- Policy: policy_4 - rule: rule_4_1 : Deny policy target: resource-id matches diagnosis rule target: Consent is not given and action-id matches read or action-id matches email rule condition: DayOfTheWeek matches Saturday or DayOfTheWeek matches Sunday ============================================================ A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1 because the following attributes values have satisfied both rules with opposite effects attribute: subject-id value: physician vs any value attribute: action-id value: read vs read attribute: Consent value: any value vs not given attribute: DayOfTheWeek value: any value vs Saturday attribute: resource-id value: diagnosis vs diagnosis Policy: policy_3 - rule: rule_3_1 : Permit policy target: subject-id matches receptionist or subject-id matches nurse or subject-id matches physician and resource-id matches general information or resource-id matches MRI or resource-id matches diagnosis and action-id matches email or action-id matches read --------------------------- Policy: policy_4 - rule: rule_4_1 : Deny policy target: resource-id matches diagnosis rule target: Consent is not given and action-id matches read or action-id matches email rule condition: DayOfTheWeek matches Saturday or DayOfTheWeek matches Sunday ============================================================ A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1 because the following attributes 
values have satisfied both rules with opposite effects attribute: subject-id value: physician vs any value attribute: action-id value: read vs read attribute: Consent value: any value vs not given attribute: DayOfTheWeek value: any value vs Sunday attribute: resource-id value: diagnosis vs diagnosis Policy: policy_3 - rule: rule_3_1 : Permit policy target: subject-id matches receptionist or subject-id matches nurse or subject-id matches physician and resource-id matches general information or resource-id matches MRI or resource-id matches diagnosis and action-id matches email or action-id matches read --------------------------- Policy: policy_4 - rule: rule_4_1 : Deny policy target: resource-id matches diagnosis rule target: Consent is not given and action-id matches read or action-id matches email rule condition: DayOfTheWeek matches Saturday or DayOfTheWeek matches Sunday
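
The 18 conflicts in the report above can be reproduced with a small pairwise overlap check, shown here as an added example (it is not the authors' tool or their expert-system algorithm). It assumes each rule flattens to a conjunction of attributes with "or" only within an attribute, and that an attribute a rule does not mention accepts any value; the RULES table and function names are constructed for illustration.

```python
from itertools import combinations, product

# Constructed model of the page's policy set: (policy, rule, effect, constraints).
# Policy target, rule target and condition are merged into one conjunction;
# an attribute missing from a rule means "any value" (assumption of this sketch).
RULES = [
    ("policy_1", "rule_1_1", "Permit", {
        "subject-id": {"physician"},
        "resource-id": {"diagnosis"},
        "action-id": {"read", "write"},
    }),
    ("policy_2", "rule_2_1", "Permit", {
        "subject-id": {"nurse", "physician"},
        "resource-id": {"surgeries report", "diagnosis"},
        "action-id": {"read"},
    }),
    ("policy_3", "rule_3_1", "Permit", {
        "subject-id": {"receptionist", "nurse", "physician"},
        "resource-id": {"general information", "MRI", "diagnosis"},
        "action-id": {"email", "read"},
    }),
    ("policy_4", "rule_4_1", "Deny", {
        "resource-id": {"diagnosis"},
        "Consent": {"not given"},
        "action-id": {"read", "email"},
        "DayOfTheWeek": {"Saturday", "Sunday"},
    }),
]


def overlap(a, b):
    """Per-attribute values accepted by both rules, or None if they are disjoint."""
    shared = {}
    for attr in sorted(set(a) | set(b)):
        if attr in a and attr in b:
            values = a[attr] & b[attr]
        else:
            # Only one rule constrains this attribute; the other accepts any value.
            values = a[attr] if attr in a else b[attr]
        if not values:
            return None  # no request can satisfy both rules on this attribute
        shared[attr] = sorted(values)
    return shared


def find_conflicts(rules):
    """One entry per attribute-value combination that satisfies two rules
    with opposite effects, as in the report's one-block-per-combination layout."""
    conflicts = []
    for (p1, r1, e1, c1), (p2, r2, e2, c2) in combinations(rules, 2):
        if e1 == e2:
            continue  # same effect: redundancy at most, not a conflict
        shared = overlap(c1, c2)
        if shared is None:
            continue
        attrs = list(shared)
        for combo in product(*(shared[a] for a in attrs)):
            conflicts.append(((p1, r1, e1), (p2, r2, e2), dict(zip(attrs, combo))))
    return conflicts


if __name__ == "__main__":
    found = find_conflicts(RULES)
    print(len(found), "conflicts have been detected")
    for (p1, r1, e1), (p2, r2, e2), witness in found:
        print(f"{p1} - {r1} ({e1}) vs {p2} - {r2} ({e2}): {witness}")
```

The write action of policy_1 never appears in a conflict because rule_4_1 only denies read and email, which is why policy_1 contributes 2 conflicts rather than 4.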