Bernard Stepien

University of Ottawa

Research on Access Control Management

Publications

B.Stepien, Amy Felty, Using Expert Systems to Statically Detect "Dynamic" Conflicts in XACML, in ARES 2016 proceedings

B.Stepien, A. Felty, S. Matwin, Challenges of Composing XACML Policies, in ARES 2014 proceedings

B. Stepien, A. Felty, S. Matwin, A Non-Technical XACML Target Editor for Dynamic Access Control Systems in proceedings SECOTS 2014

B.Stepien, A. Felty, S. Matwin, An Algorithm for Compression of XACML Access Control Policy Sets by Recursive Subsumption, in ARES 2012 proceedings

B. Stepien, H. Khambhammettu, K. Adi, L. Logrippo, CatBAC: A Generic Framework for Designing and Validating Hybrid Access Control Models, in ICC'12 WS - SFCS proceedings

B.Stepien, S.Matwin, A.Felty, Advantages of a Non-Technical XACML Notation in Role-Based Models, in the proceedings of the PST 2011 conference

B.Stepien, S.Matwin, A.Felty, Strategies for Reducing Risks of Inconsistencies in Access Control Policies, in proceedings of the ARES 2010 conference

B.Stepien, A.Felty, S.Matwin A Non-technical User-Oriented Display Notation for XACML conditions in MCETECH 2009 proceedings

V. Capretta, , B. Stepien, A. Felty, S. Matwin Formal Correctness of Conflict Detection for Firewalls in FMSE'07 Conference proceedings

Presentations

B.Stepien, A.Felty, S.Matwin A Non-technical User-Oriented Display Notation for XACML conditions conference slides for MCETECH 2009
B.Stepien, A.Felty, S.Matwin Testing Access Control tools conference slides for TTCN-3 User Conference 2009

EmailContact: bernard@uottawa.ca

How to write XACML policies the easy way!

easyXACMLTM


a Non-Technical Notation for composing XACML targets and conditions logic

The non-technical notation enables you to construct a XACML policy without having to write it but presented in a human readable format at all times. The software generates the correct XACML code for you.

An example

Informal XACML policy target:

"Allow physicians or nurses located in emergency room and operating room to read surgeries report and diagnosis".

Modeling the rule using XACML

The above rule is represented in XACML using attributes:

Doctors and nurses are represented using the subject-id attribute.

Surgeries report and diagnosis are represented using the Document attribute.

Emergency and operating room are represented using the Location attribute.

Action is represented by the action-id attribute.

Problem?

The above rule is highly ambiguous. What does the emergency and operating room attribute apply to? In the informal rule above, it appears to apply to both doctors and nurses. However, what we really tried to express is that it applies only to nurses. Doctors are permitted to read these documents at any time.

Furthermore, what does the word "and" really mean in the phrase "located in emergency room and operating room"? This means they can read in both locations right? Thus, what this policy really means is "located in emergency room or operating room".

Solution

In XACML, there is no ambiguity because of the natural scope of XML tags. All you need to do is proper nesting of operators. In our non-technical notation, we preserve scope of XACML operators using the natural indentation of XML without showing any XML.

Representation of the XACML rule target using a non-technical semi-formal notation to express a XACML condition using a non-technical XACML authoring tool

Our non-technical notation allows to view and edit a XACML policy in a very concise way and thus really understand what it means. XACML is maintained as a machine readable representation for interoperability purposes.

the rendering of the above example in XACML 2.0 code can be found here: Press here to view the corresponding XACML 2.0 code

the rendering of the above example in XACML 3.0 code can be found here: Press here to view the corresponding XACML 3.0 code

Advantages of a non-technical notation: Overview capability

It is already difficult to read a single policy with only one rule in the XACML XML form. Imagine reading 10 or 100 policies. The non-technical notation allows to visually browse large sets of policies, thus giving the opportunity to spot errors, conflicts or duplications.

Example of policy set overview

Policy set: several_policies_example



Policy: policy_1 - First applicable
policy target:

   subject-id matches physician
and
   resource-id matches diagnosis
and
      action-id matches read
   oR
      action-id matches write


Rule: rule_1_1 - Permit


Policy: policy_2 - First applicable
policy target:

      subject-id matches nurse
   or
      subject-id matches physician
and
      resource-id matches surgeries report
   or
      resource-id matches diagnosis
and
   action-id matches read


Rule: rule_2_1 - Permit


Policy: policy_3 - Deny overrides
policy target:

      subject-id matches receptionist
   or
      subject-id matches nurse
   or
      subject-id matches physician
and
      resource-id matches general information
   or
      resource-id matches MRI
   or
      resource-id matches diagnosis
and
      action-id matches email
   or
      action-id matches read


Rule: rule_3_1 - Permit


Policy: policy_4 - First applicable
policy target:

   resource-id matches diagnosis


Rule: rule_4_1 - Deny
rule target:

   Consent is not given
and
      action-id matches read
   or
      action-id matches email

Condition: 

   DayOfTheWeek matches Saturday
or
   DayOfTheWeek matches Sunday

Press here to view the corresponding XACML code for the above example

Automated Conflict and Redundancy Detection

In the above policy set there are three redundant policies. Redundant policy and rule logic obscures the policy specification and impacts on PDP performance. Here is one of them. The two others are left as an exercise to the reader.

Conflicts detection example

Also, in the above policy set, there are 18 conflicts. These conflicts represent all combinations of attribute values that satisfy policies and rules with opposite effect (permit vs deny).

Conclicts are dangerous and need to be detected early in the policy composing process. The XACML policy and rule combining algorithm corresponds to tossing a coin. It does not resolve conflicts in a reasonned way. It merely postpones the awareness of conflicts but it produces immediate possibly catastrophic consequences. For example, granting access to an unauthorized person can lead to such consequences as Wikileaks. Also, denying access to medical records could lead to death of a patient in emergency situations.

Listing of policy and rule conflicts

18 conflicts have been detected
conflict detection exec time: 641 ms

============================================================

A conflict has been detected between rules: policy_1 - rule_1_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects


attribute: subject-id value: physician vs any value

attribute: action-id value: read vs read

attribute: Consent value: any value vs not given

attribute: DayOfTheWeek value: any value vs Saturday

attribute: resource-id value: diagnosis vs diagnosis


Policy: policy_1 - rule: rule_1_1 : Permit

policy target:

   subject-id matches physician
and
   resource-id matches diagnosis
and
      action-id matches read
   or
      action-id matches write


---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny

policy target:

resource-id matches diagnosis

rule target:

   Consent is not given
and
      action-id matches read
   or
      action-id matches email

rule condition:

   DayOfTheWeek matches Saturday
or
   DayOfTheWeek matches Sunday


============================================================

A conflict has been detected between rules: policy_1 - rule_1_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects


attribute: subject-id value: physician vs any value

attribute: action-id value: read vs read

attribute: Consent value: any value vs not given

attribute: DayOfTheWeek value: any value vs Sunday

attribute: resource-id value: diagnosis vs diagnosis


Policy: policy_1 - rule: rule_1_1 : Permit

policy target:

   subject-id matches physician
and
   resource-id matches diagnosis
and
      action-id matches read
   or
      action-id matches write


---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny

policy target:

resource-id matches diagnosis

rule target:

   Consent is not given
and
      action-id matches read
   or
      action-id matches email

rule condition:

   DayOfTheWeek matches Saturday
or
   DayOfTheWeek matches Sunday


============================================================

A conflict has been detected between rules: policy_2 - rule_2_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects


attribute: subject-id value: nurse vs any value

attribute: action-id value: read vs read

attribute: Consent value: any value vs not given

attribute: DayOfTheWeek value: any value vs Saturday

attribute: resource-id value: diagnosis vs diagnosis


Policy: policy_2 - rule: rule_2_1 : Permit

policy target:

      subject-id matches nurse
   or
      subject-id matches physician
and
      resource-id matches surgeries report
   or
      resource-id matches diagnosis
and
   action-id matches read


---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny

policy target:

resource-id matches diagnosis

rule target:

   Consent is not given
and
      action-id matches read
   or
      action-id matches email

rule condition:

   DayOfTheWeek matches Saturday
or
   DayOfTheWeek matches Sunday


============================================================

A conflict has been detected between rules: policy_2 - rule_2_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects


attribute: subject-id value: nurse vs any value

attribute: action-id value: read vs read

attribute: Consent value: any value vs not given

attribute: DayOfTheWeek value: any value vs Sunday

attribute: resource-id value: diagnosis vs diagnosis


Policy: policy_2 - rule: rule_2_1 : Permit

policy target:

      subject-id matches nurse
   or
      subject-id matches physician
and
      resource-id matches surgeries report
   or
      resource-id matches diagnosis
and
   action-id matches read


---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny

policy target:

resource-id matches diagnosis

rule target:

   Consent is not given
and
      action-id matches read
   or
      action-id matches email

rule condition:

   DayOfTheWeek matches Saturday
or
   DayOfTheWeek matches Sunday


============================================================

A conflict has been detected between rules: policy_2 - rule_2_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects


attribute: subject-id value: physician vs any value

attribute: action-id value: read vs read

attribute: Consent value: any value vs not given

attribute: DayOfTheWeek value: any value vs Saturday

attribute: resource-id value: diagnosis vs diagnosis


Policy: policy_2 - rule: rule_2_1 : Permit

policy target:

      subject-id matches nurse
   or
      subject-id matches physician
and
      resource-id matches surgeries report
   or
      resource-id matches diagnosis
and
   action-id matches read


---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny

policy target:

resource-id matches diagnosis

rule target:

   Consent is not given
and
      action-id matches read
   or
      action-id matches email

rule condition:

   DayOfTheWeek matches Saturday
or
   DayOfTheWeek matches Sunday


============================================================

A conflict has been detected between rules: policy_2 - rule_2_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects


attribute: subject-id value: physician vs any value

attribute: action-id value: read vs read

attribute: Consent value: any value vs not given

attribute: DayOfTheWeek value: any value vs Sunday

attribute: resource-id value: diagnosis vs diagnosis


Policy: policy_2 - rule: rule_2_1 : Permit

policy target:

      subject-id matches nurse
   or
      subject-id matches physician
and
      resource-id matches surgeries report
   or
      resource-id matches diagnosis
and
   action-id matches read


---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny

policy target:

resource-id matches diagnosis

rule target:

   Consent is not given
and
      action-id matches read
   or
      action-id matches email

rule condition:

   DayOfTheWeek matches Saturday
or
   DayOfTheWeek matches Sunday


============================================================

A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects


attribute: subject-id value: receptionist vs any value

attribute: action-id value: email vs email

attribute: Consent value: any value vs not given

attribute: DayOfTheWeek value: any value vs Saturday

attribute: resource-id value: diagnosis vs diagnosis


Policy: policy_3 - rule: rule_3_1 : Permit

policy target:

      subject-id matches receptionist
   or
      subject-id matches nurse
   or
      subject-id matches physician
and
      resource-id matches general information
   or
      resource-id matches MRI
   or
      resource-id matches diagnosis
and
      action-id matches email
   or
      action-id matches read


---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny

policy target:

resource-id matches diagnosis

rule target:

   Consent is not given
and
      action-id matches read
   or
      action-id matches email

rule condition:

   DayOfTheWeek matches Saturday
or
   DayOfTheWeek matches Sunday


============================================================

A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects


attribute: subject-id value: receptionist vs any value

attribute: action-id value: email vs email

attribute: Consent value: any value vs not given

attribute: DayOfTheWeek value: any value vs Sunday

attribute: resource-id value: diagnosis vs diagnosis


Policy: policy_3 - rule: rule_3_1 : Permit

policy target:

      subject-id matches receptionist
   or
      subject-id matches nurse
   or
      subject-id matches physician
and
      resource-id matches general information
   or
      resource-id matches MRI
   or
      resource-id matches diagnosis
and
      action-id matches email
   or
      action-id matches read


---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny

policy target:

resource-id matches diagnosis

rule target:

   Consent is not given
and
      action-id matches read
   or
      action-id matches email

rule condition:

   DayOfTheWeek matches Saturday
or
   DayOfTheWeek matches Sunday


============================================================

A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects


attribute: subject-id value: receptionist vs any value

attribute: action-id value: read vs read

attribute: Consent value: any value vs not given

attribute: DayOfTheWeek value: any value vs Saturday

attribute: resource-id value: diagnosis vs diagnosis


Policy: policy_3 - rule: rule_3_1 : Permit

policy target:

      subject-id matches receptionist
   or
      subject-id matches nurse
   or
      subject-id matches physician
and
      resource-id matches general information
   or
      resource-id matches MRI
   or
      resource-id matches diagnosis
and
      action-id matches email
   or
      action-id matches read


---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny

policy target:

resource-id matches diagnosis

rule target:

   Consent is not given
and
      action-id matches read
   or
      action-id matches email

rule condition:

   DayOfTheWeek matches Saturday
or
   DayOfTheWeek matches Sunday


============================================================

A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects


attribute: subject-id value: receptionist vs any value

attribute: action-id value: read vs read

attribute: Consent value: any value vs not given

attribute: DayOfTheWeek value: any value vs Sunday

attribute: resource-id value: diagnosis vs diagnosis


Policy: policy_3 - rule: rule_3_1 : Permit

policy target:

      subject-id matches receptionist
   or
      subject-id matches nurse
   or
      subject-id matches physician
and
      resource-id matches general information
   or
      resource-id matches MRI
   or
      resource-id matches diagnosis
and
      action-id matches email
   or
      action-id matches read


---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny

policy target:

resource-id matches diagnosis

rule target:

   Consent is not given
and
      action-id matches read
   or
      action-id matches email

rule condition:

   DayOfTheWeek matches Saturday
or
   DayOfTheWeek matches Sunday


============================================================

A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects


attribute: subject-id value: nurse vs any value

attribute: action-id value: email vs email

attribute: Consent value: any value vs not given

attribute: DayOfTheWeek value: any value vs Saturday

attribute: resource-id value: diagnosis vs diagnosis


Policy: policy_3 - rule: rule_3_1 : Permit

policy target:

      subject-id matches receptionist
   or
      subject-id matches nurse
   or
      subject-id matches physician
and
      resource-id matches general information
   or
      resource-id matches MRI
   or
      resource-id matches diagnosis
and
      action-id matches email
   or
      action-id matches read


---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny

policy target:

resource-id matches diagnosis

rule target:

   Consent is not given
and
      action-id matches read
   or
      action-id matches email

rule condition:

   DayOfTheWeek matches Saturday
or
   DayOfTheWeek matches Sunday


============================================================

A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects


attribute: subject-id value: nurse vs any value

attribute: action-id value: email vs email

attribute: Consent value: any value vs not given

attribute: DayOfTheWeek value: any value vs Sunday

attribute: resource-id value: diagnosis vs diagnosis


Policy: policy_3 - rule: rule_3_1 : Permit

policy target:

      subject-id matches receptionist
   or
      subject-id matches nurse
   or
      subject-id matches physician
and
      resource-id matches general information
   or
      resource-id matches MRI
   or
      resource-id matches diagnosis
and
      action-id matches email
   or
      action-id matches read


---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny

policy target:

resource-id matches diagnosis

rule target:

   Consent is not given
and
      action-id matches read
   or
      action-id matches email

rule condition:

   DayOfTheWeek matches Saturday
or
   DayOfTheWeek matches Sunday


============================================================

A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects


attribute: subject-id value: nurse vs any value

attribute: action-id value: read vs read

attribute: Consent value: any value vs not given

attribute: DayOfTheWeek value: any value vs Saturday

attribute: resource-id value: diagnosis vs diagnosis


Policy: policy_3 - rule: rule_3_1 : Permit

policy target:

      subject-id matches receptionist
   or
      subject-id matches nurse
   or
      subject-id matches physician
and
      resource-id matches general information
   or
      resource-id matches MRI
   or
      resource-id matches diagnosis
and
      action-id matches email
   or
      action-id matches read


---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny

policy target:

resource-id matches diagnosis

rule target:

   Consent is not given
and
      action-id matches read
   or
      action-id matches email

rule condition:

   DayOfTheWeek matches Saturday
or
   DayOfTheWeek matches Sunday


============================================================

A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects


attribute: subject-id value: nurse vs any value

attribute: action-id value: read vs read

attribute: Consent value: any value vs not given

attribute: DayOfTheWeek value: any value vs Sunday

attribute: resource-id value: diagnosis vs diagnosis


Policy: policy_3 - rule: rule_3_1 : Permit

policy target:

      subject-id matches receptionist
   or
      subject-id matches nurse
   or
      subject-id matches physician
and
      resource-id matches general information
   or
      resource-id matches MRI
   or
      resource-id matches diagnosis
and
      action-id matches email
   or
      action-id matches read


---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny

policy target:

resource-id matches diagnosis

rule target:

   Consent is not given
and
      action-id matches read
   or
      action-id matches email

rule condition:

   DayOfTheWeek matches Saturday
or
   DayOfTheWeek matches Sunday


============================================================

A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects


attribute: subject-id value: physician vs any value

attribute: action-id value: email vs email

attribute: Consent value: any value vs not given

attribute: DayOfTheWeek value: any value vs Saturday

attribute: resource-id value: diagnosis vs diagnosis


Policy: policy_3 - rule: rule_3_1 : Permit

policy target:

      subject-id matches receptionist
   or
      subject-id matches nurse
   or
      subject-id matches physician
and
      resource-id matches general information
   or
      resource-id matches MRI
   or
      resource-id matches diagnosis
and
      action-id matches email
   or
      action-id matches read


---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny

policy target:

resource-id matches diagnosis

rule target:

   Consent is not given
and
      action-id matches read
   or
      action-id matches email

rule condition:

   DayOfTheWeek matches Saturday
or
   DayOfTheWeek matches Sunday


============================================================

A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects


attribute: subject-id value: physician vs any value

attribute: action-id value: email vs email

attribute: Consent value: any value vs not given

attribute: DayOfTheWeek value: any value vs Sunday

attribute: resource-id value: diagnosis vs diagnosis


Policy: policy_3 - rule: rule_3_1 : Permit

policy target:

      subject-id matches receptionist
   or
      subject-id matches nurse
   or
      subject-id matches physician
and
      resource-id matches general information
   or
      resource-id matches MRI
   or
      resource-id matches diagnosis
and
      action-id matches email
   or
      action-id matches read


---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny

policy target:

resource-id matches diagnosis

rule target:

   Consent is not given
and
      action-id matches read
   or
      action-id matches email

rule condition:

   DayOfTheWeek matches Saturday
or
   DayOfTheWeek matches Sunday


============================================================

A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects


attribute: subject-id value: physician vs any value

attribute: action-id value: read vs read

attribute: Consent value: any value vs not given

attribute: DayOfTheWeek value: any value vs Saturday

attribute: resource-id value: diagnosis vs diagnosis


Policy: policy_3 - rule: rule_3_1 : Permit

policy target:

      subject-id matches receptionist
   or
      subject-id matches nurse
   or
      subject-id matches physician
and
      resource-id matches general information
   or
      resource-id matches MRI
   or
      resource-id matches diagnosis
and
      action-id matches email
   or
      action-id matches read


---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny

policy target:

resource-id matches diagnosis

rule target:

   Consent is not given
and
      action-id matches read
   or
      action-id matches email

rule condition:

   DayOfTheWeek matches Saturday
or
   DayOfTheWeek matches Sunday


============================================================

A conflict has been detected between rules: policy_3 - rule_3_1 and policy_4 - rule_4_1
because the following attributes values have satisfied both rules with opposite effects


attribute: subject-id value: physician vs any value

attribute: action-id value: read vs read

attribute: Consent value: any value vs not given

attribute: DayOfTheWeek value: any value vs Sunday

attribute: resource-id value: diagnosis vs diagnosis


Policy: policy_3 - rule: rule_3_1 : Permit

policy target:

      subject-id matches receptionist
   or
      subject-id matches nurse
   or
      subject-id matches physician
and
      resource-id matches general information
   or
      resource-id matches MRI
   or
      resource-id matches diagnosis
and
      action-id matches email
   or
      action-id matches read


---------------------------
Policy: policy_4 - rule: rule_4_1 : Deny

policy target:

resource-id matches diagnosis

rule target:

   Consent is not given
and
      action-id matches read
   or
      action-id matches email

rule condition:

   DayOfTheWeek matches Saturday
or
   DayOfTheWeek matches Sunday

Bernard Stepien-University of Ottawa-Research on Access Control Management