Bernard Stepien
University of Ottawa
Research on Access Control Management
Publications
B.Stepien, Amy Felty, Using Expert Systems to Statically Detect "Dynamic" Conflicts in XACML, in ARES 2016 proceedings
B.Stepien, A. Felty, S. Matwin, Challenges of Composing XACML Policies,
in ARES 2014 proceedings
B. Stepien, A. Felty, S. Matwin, A Non-Technical XACML Target Editor for
Dynamic Access Control Systems in proceedings SECOTS 2014
B.Stepien, A. Felty, S. Matwin,
An Algorithm for Compression of XACML Access Control Policy Sets by Recursive
Subsumption, in ARES 2012 proceedings
B. Stepien, H. Khambhammettu, K. Adi, L. Logrippo,
CatBAC: A Generic Framework for Designing and Validating Hybrid Access Control
Models, in ICC'12 WS - SFCS proceedings
B.Stepien, S.Matwin, A.Felty, Advantages
of a Non-Technical XACML Notation in Role-Based Models, in the proceedings
of the PST 2011 conference
B.Stepien, S.Matwin, A.Felty, Strategies
for Reducing Risks of Inconsistencies in Access Control Policies, in
proceedings of the ARES 2010 conference
B.Stepien, A.Felty, S.Matwin A
Non-technical User-Oriented Display Notation for XACML conditions in
MCETECH 2009 proceedings
V. Capretta, , B. Stepien, A. Felty, S. Matwin Formal
Correctness of Conflict Detection for Firewalls in FMSE'07 Conference
proceedings
Presentations
B.Stepien, A.Felty, S.Matwin
A
Non-technical User-Oriented Display Notation for XACML conditions
conference slides for MCETECH 2009
B.Stepien, A.Felty, S.Matwin
Testing Access Control tools conference slides for TTCN-3 User
Conference 2009
Contact: bernard@uottawa.ca
How to write XACML policies the easy way!
easyXACMLTM
a Non-Technical Notation for composing XACML targets and conditions
logic
The non-technical notation enables you to construct a XACML policy without
having to write it but presented in a human readable format at all times. The
software generates the correct XACML code for you.
An example
Informal XACML policy target:
"Allow physicians or nurses located in emergency room and operating room
to read surgeries report and diagnosis".
Modeling the rule using XACML
The above rule is represented in XACML
using attributes:
Doctors and nurses are represented using the subject-id attribute.
Surgeries report and diagnosis are represented using the Document attribute.
Emergency and operating room are represented using the Location attribute.
Action is represented by the action-id attribute.
Problem?
The above rule is highly ambiguous. What does the emergency and
operating room attribute apply to? In the informal rule above, it appears to
apply to both doctors and nurses. However, what we really tried to express is
that it applies only to nurses. Doctors are permitted to read these documents at
any time.
Furthermore, what does the word "and" really mean in the phrase "located in
emergency room and operating room"? This means they can read in both locations
right? Thus, what this policy really means is "located in emergency room
or operating room".
Solution
In XACML, there is no ambiguity because of the natural scope of
XML tags. All you need to do is proper nesting of operators. In our
non-technical notation, we preserve scope of XACML operators using the natural
indentation of XML without showing any XML.
Representation of the XACML rule target using a non-technical semi-formal
notation to express a XACML condition using a non-technical XACML authoring
tool
Our non-technical notation allows to view and edit a XACML policy in a very
concise way and thus really understand what it means. XACML is maintained as a
machine readable representation for interoperability purposes.
the rendering of the above example in XACML 2.0 code can be found here: Press here to view the corresponding XACML 2.0 code
the rendering of the above example in XACML 3.0 code can be found here: Press here to view the corresponding XACML 3.0 code
Advantages of a non-technical notation: Overview capability
It is
already difficult to read a single policy with only one rule in the XACML XML
form. Imagine reading 10 or 100 policies. The non-technical notation allows to
visually browse large sets of policies, thus giving the opportunity to spot
errors, conflicts or duplications.
Example of policy set overview
Policy set: several_policies_example
Policy: policy_1 - First applicable
policy target:
subject-id matches physician
and
resource-id matches diagnosis
and
action-id matches read
oR
action-id matches write
Rule: rule_1_1 - Permit
Policy: policy_2 - First applicable
policy target:
subject-id matches nurse
or
subject-id matches physician
and
resource-id matches surgeries report
or
resource-id matches diagnosis
and
action-id matches read
Rule: rule_2_1 - Permit
Policy: policy_3 - Deny overrides
policy target:
subject-id matches receptionist
or
subject-id matches nurse
or
subject-id matches physician
and
resource-id matches general information
or
resource-id matches MRI
or
resource-id matches diagnosis
and
action-id matches email
or
action-id matches read
Rule: rule_3_1 - Permit
Policy: policy_4 - First applicable
policy target:
resource-id matches diagnosis
Rule: rule_4_1 - Deny
rule target:
Consent is not given
and
action-id matches read
or
action-id matches email
Condition:
DayOfTheWeek matches Saturday
or
DayOfTheWeek matches Sunday
Press here to view the corresponding XACML code for the above
example
Automated Conflict and Redundancy Detection
In the above policy set
there are three redundant policies. Redundant policy and rule logic obscures the
policy specification and impacts on PDP performance. Here is one of them. The
two others are left as an exercise to the reader.
Conflicts detection example
Also, in the above policy set, there are 18
conflicts. These conflicts represent all combinations of attribute values that
satisfy policies and rules with opposite effect (permit vs deny).
Conclicts are dangerous and need to be detected early in the policy
composing process. The XACML policy and rule combining algorithm corresponds to
tossing a coin. It does not resolve conflicts in a reasonned way. It merely
postpones the awareness of conflicts but it produces immediate possibly
catastrophic consequences. For example, granting access to an unauthorized
person can lead to such consequences as Wikileaks. Also, denying access to
medical records could lead to death of a patient in emergency situations.
Listing of policy and rule conflicts
18 conflicts have been detected
conflict detection exec time: 641 ms
============================================================
A conflict has been detected between rules: policy_1 - rule_1_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects
attribute: subject-id value: physician vs any value
attribute: action-id value: read vs read
attribute: Consent value: any value vs not given
attribute: DayOfTheWeek value: any value vs Saturday
attribute: resource-id value: diagnosis vs diagnosis
Policy: policy_1 - rule: rule_1_1 : Permit
policy target:
subject-id matches physician
and
resource-id matches diagnosis
and
action-id matches read
or
action-id matches write
---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny
policy target:
resource-id matches diagnosis
rule target:
Consent is not given
and
action-id matches read
or
action-id matches email
rule condition:
DayOfTheWeek matches Saturday
or
DayOfTheWeek matches Sunday
============================================================
A conflict has been detected between rules: policy_1 - rule_1_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects
attribute: subject-id value: physician vs any value
attribute: action-id value: read vs read
attribute: Consent value: any value vs not given
attribute: DayOfTheWeek value: any value vs Sunday
attribute: resource-id value: diagnosis vs diagnosis
Policy: policy_1 - rule: rule_1_1 : Permit
policy target:
subject-id matches physician
and
resource-id matches diagnosis
and
action-id matches read
or
action-id matches write
---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny
policy target:
resource-id matches diagnosis
rule target:
Consent is not given
and
action-id matches read
or
action-id matches email
rule condition:
DayOfTheWeek matches Saturday
or
DayOfTheWeek matches Sunday
============================================================
A conflict has been detected between rules: policy_2 - rule_2_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects
attribute: subject-id value: nurse vs any value
attribute: action-id value: read vs read
attribute: Consent value: any value vs not given
attribute: DayOfTheWeek value: any value vs Saturday
attribute: resource-id value: diagnosis vs diagnosis
Policy: policy_2 - rule: rule_2_1 : Permit
policy target:
subject-id matches nurse
or
subject-id matches physician
and
resource-id matches surgeries report
or
resource-id matches diagnosis
and
action-id matches read
---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny
policy target:
resource-id matches diagnosis
rule target:
Consent is not given
and
action-id matches read
or
action-id matches email
rule condition:
DayOfTheWeek matches Saturday
or
DayOfTheWeek matches Sunday
============================================================
A conflict has been detected between rules: policy_2 - rule_2_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects
attribute: subject-id value: nurse vs any value
attribute: action-id value: read vs read
attribute: Consent value: any value vs not given
attribute: DayOfTheWeek value: any value vs Sunday
attribute: resource-id value: diagnosis vs diagnosis
Policy: policy_2 - rule: rule_2_1 : Permit
policy target:
subject-id matches nurse
or
subject-id matches physician
and
resource-id matches surgeries report
or
resource-id matches diagnosis
and
action-id matches read
---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny
policy target:
resource-id matches diagnosis
rule target:
Consent is not given
and
action-id matches read
or
action-id matches email
rule condition:
DayOfTheWeek matches Saturday
or
DayOfTheWeek matches Sunday
============================================================
A conflict has been detected between rules: policy_2 - rule_2_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects
attribute: subject-id value: physician vs any value
attribute: action-id value: read vs read
attribute: Consent value: any value vs not given
attribute: DayOfTheWeek value: any value vs Saturday
attribute: resource-id value: diagnosis vs diagnosis
Policy: policy_2 - rule: rule_2_1 : Permit
policy target:
subject-id matches nurse
or
subject-id matches physician
and
resource-id matches surgeries report
or
resource-id matches diagnosis
and
action-id matches read
---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny
policy target:
resource-id matches diagnosis
rule target:
Consent is not given
and
action-id matches read
or
action-id matches email
rule condition:
DayOfTheWeek matches Saturday
or
DayOfTheWeek matches Sunday
============================================================
A conflict has been detected between rules: policy_2 - rule_2_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects
attribute: subject-id value: physician vs any value
attribute: action-id value: read vs read
attribute: Consent value: any value vs not given
attribute: DayOfTheWeek value: any value vs Sunday
attribute: resource-id value: diagnosis vs diagnosis
Policy: policy_2 - rule: rule_2_1 : Permit
policy target:
subject-id matches nurse
or
subject-id matches physician
and
resource-id matches surgeries report
or
resource-id matches diagnosis
and
action-id matches read
---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny
policy target:
resource-id matches diagnosis
rule target:
Consent is not given
and
action-id matches read
or
action-id matches email
rule condition:
DayOfTheWeek matches Saturday
or
DayOfTheWeek matches Sunday
============================================================
A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects
attribute: subject-id value: receptionist vs any value
attribute: action-id value: email vs email
attribute: Consent value: any value vs not given
attribute: DayOfTheWeek value: any value vs Saturday
attribute: resource-id value: diagnosis vs diagnosis
Policy: policy_3 - rule: rule_3_1 : Permit
policy target:
subject-id matches receptionist
or
subject-id matches nurse
or
subject-id matches physician
and
resource-id matches general information
or
resource-id matches MRI
or
resource-id matches diagnosis
and
action-id matches email
or
action-id matches read
---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny
policy target:
resource-id matches diagnosis
rule target:
Consent is not given
and
action-id matches read
or
action-id matches email
rule condition:
DayOfTheWeek matches Saturday
or
DayOfTheWeek matches Sunday
============================================================
A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects
attribute: subject-id value: receptionist vs any value
attribute: action-id value: email vs email
attribute: Consent value: any value vs not given
attribute: DayOfTheWeek value: any value vs Sunday
attribute: resource-id value: diagnosis vs diagnosis
Policy: policy_3 - rule: rule_3_1 : Permit
policy target:
subject-id matches receptionist
or
subject-id matches nurse
or
subject-id matches physician
and
resource-id matches general information
or
resource-id matches MRI
or
resource-id matches diagnosis
and
action-id matches email
or
action-id matches read
---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny
policy target:
resource-id matches diagnosis
rule target:
Consent is not given
and
action-id matches read
or
action-id matches email
rule condition:
DayOfTheWeek matches Saturday
or
DayOfTheWeek matches Sunday
============================================================
A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects
attribute: subject-id value: receptionist vs any value
attribute: action-id value: read vs read
attribute: Consent value: any value vs not given
attribute: DayOfTheWeek value: any value vs Saturday
attribute: resource-id value: diagnosis vs diagnosis
Policy: policy_3 - rule: rule_3_1 : Permit
policy target:
subject-id matches receptionist
or
subject-id matches nurse
or
subject-id matches physician
and
resource-id matches general information
or
resource-id matches MRI
or
resource-id matches diagnosis
and
action-id matches email
or
action-id matches read
---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny
policy target:
resource-id matches diagnosis
rule target:
Consent is not given
and
action-id matches read
or
action-id matches email
rule condition:
DayOfTheWeek matches Saturday
or
DayOfTheWeek matches Sunday
============================================================
A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects
attribute: subject-id value: receptionist vs any value
attribute: action-id value: read vs read
attribute: Consent value: any value vs not given
attribute: DayOfTheWeek value: any value vs Sunday
attribute: resource-id value: diagnosis vs diagnosis
Policy: policy_3 - rule: rule_3_1 : Permit
policy target:
subject-id matches receptionist
or
subject-id matches nurse
or
subject-id matches physician
and
resource-id matches general information
or
resource-id matches MRI
or
resource-id matches diagnosis
and
action-id matches email
or
action-id matches read
---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny
policy target:
resource-id matches diagnosis
rule target:
Consent is not given
and
action-id matches read
or
action-id matches email
rule condition:
DayOfTheWeek matches Saturday
or
DayOfTheWeek matches Sunday
============================================================
A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects
attribute: subject-id value: nurse vs any value
attribute: action-id value: email vs email
attribute: Consent value: any value vs not given
attribute: DayOfTheWeek value: any value vs Saturday
attribute: resource-id value: diagnosis vs diagnosis
Policy: policy_3 - rule: rule_3_1 : Permit
policy target:
subject-id matches receptionist
or
subject-id matches nurse
or
subject-id matches physician
and
resource-id matches general information
or
resource-id matches MRI
or
resource-id matches diagnosis
and
action-id matches email
or
action-id matches read
---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny
policy target:
resource-id matches diagnosis
rule target:
Consent is not given
and
action-id matches read
or
action-id matches email
rule condition:
DayOfTheWeek matches Saturday
or
DayOfTheWeek matches Sunday
============================================================
A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects
attribute: subject-id value: nurse vs any value
attribute: action-id value: email vs email
attribute: Consent value: any value vs not given
attribute: DayOfTheWeek value: any value vs Sunday
attribute: resource-id value: diagnosis vs diagnosis
Policy: policy_3 - rule: rule_3_1 : Permit
policy target:
subject-id matches receptionist
or
subject-id matches nurse
or
subject-id matches physician
and
resource-id matches general information
or
resource-id matches MRI
or
resource-id matches diagnosis
and
action-id matches email
or
action-id matches read
---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny
policy target:
resource-id matches diagnosis
rule target:
Consent is not given
and
action-id matches read
or
action-id matches email
rule condition:
DayOfTheWeek matches Saturday
or
DayOfTheWeek matches Sunday
============================================================
A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects
attribute: subject-id value: nurse vs any value
attribute: action-id value: read vs read
attribute: Consent value: any value vs not given
attribute: DayOfTheWeek value: any value vs Saturday
attribute: resource-id value: diagnosis vs diagnosis
Policy: policy_3 - rule: rule_3_1 : Permit
policy target:
subject-id matches receptionist
or
subject-id matches nurse
or
subject-id matches physician
and
resource-id matches general information
or
resource-id matches MRI
or
resource-id matches diagnosis
and
action-id matches email
or
action-id matches read
---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny
policy target:
resource-id matches diagnosis
rule target:
Consent is not given
and
action-id matches read
or
action-id matches email
rule condition:
DayOfTheWeek matches Saturday
or
DayOfTheWeek matches Sunday
============================================================
A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects
attribute: subject-id value: nurse vs any value
attribute: action-id value: read vs read
attribute: Consent value: any value vs not given
attribute: DayOfTheWeek value: any value vs Sunday
attribute: resource-id value: diagnosis vs diagnosis
Policy: policy_3 - rule: rule_3_1 : Permit
policy target:
subject-id matches receptionist
or
subject-id matches nurse
or
subject-id matches physician
and
resource-id matches general information
or
resource-id matches MRI
or
resource-id matches diagnosis
and
action-id matches email
or
action-id matches read
---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny
policy target:
resource-id matches diagnosis
rule target:
Consent is not given
and
action-id matches read
or
action-id matches email
rule condition:
DayOfTheWeek matches Saturday
or
DayOfTheWeek matches Sunday
============================================================
A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects
attribute: subject-id value: physician vs any value
attribute: action-id value: email vs email
attribute: Consent value: any value vs not given
attribute: DayOfTheWeek value: any value vs Saturday
attribute: resource-id value: diagnosis vs diagnosis
Policy: policy_3 - rule: rule_3_1 : Permit
policy target:
subject-id matches receptionist
or
subject-id matches nurse
or
subject-id matches physician
and
resource-id matches general information
or
resource-id matches MRI
or
resource-id matches diagnosis
and
action-id matches email
or
action-id matches read
---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny
policy target:
resource-id matches diagnosis
rule target:
Consent is not given
and
action-id matches read
or
action-id matches email
rule condition:
DayOfTheWeek matches Saturday
or
DayOfTheWeek matches Sunday
============================================================
A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects
attribute: subject-id value: physician vs any value
attribute: action-id value: email vs email
attribute: Consent value: any value vs not given
attribute: DayOfTheWeek value: any value vs Sunday
attribute: resource-id value: diagnosis vs diagnosis
Policy: policy_3 - rule: rule_3_1 : Permit
policy target:
subject-id matches receptionist
or
subject-id matches nurse
or
subject-id matches physician
and
resource-id matches general information
or
resource-id matches MRI
or
resource-id matches diagnosis
and
action-id matches email
or
action-id matches read
---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny
policy target:
resource-id matches diagnosis
rule target:
Consent is not given
and
action-id matches read
or
action-id matches email
rule condition:
DayOfTheWeek matches Saturday
or
DayOfTheWeek matches Sunday
============================================================
A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects
attribute: subject-id value: physician vs any value
attribute: action-id value: read vs read
attribute: Consent value: any value vs not given
attribute: DayOfTheWeek value: any value vs Saturday
attribute: resource-id value: diagnosis vs diagnosis
Policy: policy_3 - rule: rule_3_1 : Permit
policy target:
subject-id matches receptionist
or
subject-id matches nurse
or
subject-id matches physician
and
resource-id matches general information
or
resource-id matches MRI
or
resource-id matches diagnosis
and
action-id matches email
or
action-id matches read
---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny
policy target:
resource-id matches diagnosis
rule target:
Consent is not given
and
action-id matches read
or
action-id matches email
rule condition:
DayOfTheWeek matches Saturday
or
DayOfTheWeek matches Sunday
============================================================
A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects
attribute: subject-id value: physician vs any value
attribute: action-id value: read vs read
attribute: Consent value: any value vs not given
attribute: DayOfTheWeek value: any value vs Sunday
attribute: resource-id value: diagnosis vs diagnosis
Policy: policy_3 - rule: rule_3_1 : Permit
policy target:
subject-id matches receptionist
or
subject-id matches nurse
or
subject-id matches physician
and
resource-id matches general information
or
resource-id matches MRI
or
resource-id matches diagnosis
and
action-id matches email
or
action-id matches read
---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny
policy target:
resource-id matches diagnosis
rule target:
Consent is not given
and
action-id matches read
or
action-id matches email
rule condition:
DayOfTheWeek matches Saturday
or
DayOfTheWeek matches Sunday
Bernard Stepien-University of Ottawa-Research on Access Control Management