20 - STUDENT - Multi-data-types Interval Decision Diagrams for Attribute-based Access Control Policies Evaluation

Canh Ngo, Yuri Demchenko, Cees de Laat (University of Amsterdam)

XACML is the most widely used policy language based on the attribute-based access control model. It handles the complexity of resources in Grid and Cloud environments by allowing dynamic group assignments based on attributes. However, XACML policy evaluation performance may degrade the overall performance of the entire system, especially when the number of policies grows in proportion to the system's scale. Existing implementations primarily focus on improving the performance of policy rule evaluation while supporting only part of the OASIS XACML specification. They lack correct handling of mandatory policy combining algorithms, missing attributes, obligations and advice, critical attribute priority, and complex comparison functions for multiple data types. We present a solution using generic data interval partition aggregation together with new decision diagram combinations that not only optimizes evaluation performance but also provides correctness and completeness of the XACML 3.0 features missing from prior work.

Our approach is implemented in the SNE-XACML engine, which is applied in the Dynamic Access Control Infrastructure framework for Infrastructure On-demand Provisioning systems.
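As an added illustration (not code from the paper or from the SNE-XACML engine), the following Python sketches the interval-partition idea for a single numeric attribute: the bounds of all rules split the attribute domain into disjoint intervals, the rule effects applicable to each interval are precomputed once (the decision-diagram leaves), and evaluating a request becomes a binary search followed by a combining algorithm, with a missing attribute yielding Indeterminate. The rule set, the "hour of day" attribute and the simplified deny-overrides combiner are assumptions made for this example.

```python
import bisect
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    lo: float     # inclusive lower bound on the attribute value
    hi: float     # exclusive upper bound on the attribute value
    effect: str   # "Permit" or "Deny"

def build_partition(rules: List[Rule]) -> Tuple[List[float], List[List[str]]]:
    """Split the domain at every rule bound into intervals [b_i, b_i+1) and
    store, per interval, the effects of all rules covering it.  This is the
    precomputation step; it is done once per policy set, not per request."""
    bounds = sorted({b for r in rules for b in (r.lo, r.hi)})
    leaves = []
    for lo, hi in zip(bounds, bounds[1:]):
        leaves.append([r.effect for r in rules if r.lo <= lo and hi <= r.hi])
    return bounds, leaves

def deny_overrides(effects: List[str]) -> str:
    """Simplified XACML deny-overrides: any Deny wins, then Permit."""
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"

def evaluate(partition, value: Optional[float]) -> str:
    """Per-request evaluation: locate the interval by binary search."""
    bounds, leaves = partition
    if value is None:
        return "Indeterminate"   # attribute missing from the request
    i = bisect.bisect_right(bounds, value) - 1
    if i < 0 or i >= len(leaves):
        return "NotApplicable"   # outside every rule's interval
    return deny_overrides(leaves[i])

# Constructed sample policy on a hypothetical "hour of day" attribute.
RULES = [
    Rule("business-hours-permit", 8, 18, "Permit"),
    Rule("maintenance-window-deny", 12, 13, "Deny"),
    Rule("night-deny", 0, 6, "Deny"),
]
PARTITION = build_partition(RULES)

if __name__ == "__main__":
    for hour in (3, 7, 9, 12.5, 20, None):
        print(hour, "->", evaluate(PARTITION, hour))
```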
