An Attribute-based Authorization Policy Framework with Dynamic Conflict Resolution Apurva Mohan Douglas M. Blough SchoolofElectricalandComputerEngineering SchoolofElectricalandComputerEngineering GeorgiainstituteofTechnology GeorgiainstituteofTechnology Atlanta,GA,USA Atlanta,GA,USA [email protected] [email protected] ABSTRACT GeneralTerms Policy-basedauthorizationsystemsarebecomingmorecom- Security, Languages, Performance mon as information systems become larger and more com- plex. In these systems, to authorize a requester to access Keywords a particular resource, the authorization system must verify Attribute-basedauthorization,authorizationpolicy,conflict thatthepolicyauthorizestheaccess. Theoverallauthoriza- resolution tionpolicymayconsistofanumberofpolicygroups,where each group consists of policies defined by different entities. Each policy contains a number of authorization rules. The 1. INTRODUCTION accessrequestisevaluatedagainstthesepolicies,whichmay As information systems become more complex and dis- produceconflictingauthorizationdecisions. Toresolvethese tributed in nature, system administrators and users need conflictsandtoreachauniquedecisionfortheaccessrequest authorization systems which can help them share their re- attheruleandpolicylevel,ruleandpolicycombinational- sources, dataand applications with alarge number of users gorithms are used. In the current systems, these rule and without compromising security and privacy. Although tra- policy combination algorithms are defined on a static basis ditionalauthorizationsystemsaddressthebasicproblemof duringpolicycomposition,whichisnotdesirableindynamic granting access to only authorized individuals, they do not systems with fast changing environments. provide a number of desired features of modern authoriza- Inthis paper, we motivate the needfor changing the rule tionsystems. Theseinclude1)easilychangingauthorization and policy combination algorithms dynamically based on basedonaccessorroles,groupmemberships,institutionalaf- contextual information. We propose a framework that sup- filiations, location etc., 2) multiple authorities jointly mak- ports this functionality and also eliminates the need to re- ing authorization decision, 3) dynamically changing autho- compose policies if the owner decides to change the combi- rizationbasedonaccessorattributes,and4)GUI-basedgen- nationalgorithm. Itprovidesanovelmethodtodynamically eralpurposetoolsfordescriptionandmanagementofautho- addandremovespecializedpolicies,whileretainingtheclar- rization rules. Some traditional authorization systems pro- ityandmodularityinthepolicies. Theproposedframework vide some of these functions on an ad-hoc basis. Although also provides a mechanism to reduce the set of potential policieshavealwaysbeenpartofauthorizationsystems,they targetmatches,therebyincreasingtheefficiencyoftheeval- weremostlyburiedinotherfunctionalcodeandhencewere uation mechanism. We developed a prototype system to difficult to compose and analyze. demonstrate the usefulness of this framework by extending Modern policy-based authorization systems provide most somebasiccapabilitiesoftheXACMLpolicylanguage. We of these features. They have a separate policy module that implementedtheseenhancementsbyaddingtwospecialized can be queried to make authorization decisions. This mod- modulesandseveralnewcombinationalgorithmstotheSun ule makes decisions taking into consideration all applicable XACML engine. policies for a particular access request. These policies may be defined by multiple authorities. The policies may have CategoriesandSubjectDescriptors different or even conflicting authorization decisions for the same access request. Policy languages use policy combi- K.6.5 [Management of Computing and Information nation algorithms (PCA) to resolve such conflicts. These Systems]: Securityandprotection;D.4.6[OperatingSys- algorithms take the authorization decision from each policy tems]: Security and protection as input and apply some standard logic to come up with a final decision1. These PCAs are currently chosen at the time of policy composition and hence they are static. In highly dynamic Permissiontomakedigitalorhardcopiesofallorpartofthisworkfor environments,thisisnotdesirableandtheremaybeaneed personalorclassroomuseisgrantedwithoutfeeprovidedthatcopiesare notmadeordistributedforprofitorcommercialadvantageandthatcopies to select these PCAs dynamically. In this case, it will be bearthisnoticeandthefullcitationonthefirstpage.Tocopyotherwise,to useful to have a mechanism to select a suitable PCA based republish,topostonserversortoredistributetolists,requirespriorspecific 1Forefficiencyreasons,policyenginesonlyevaluatepolicies permissionand/orafee. IDtrust’10April13-15,2010,Gaithersburg,MD until they reach a final decision based on the combination algorithm. Copyright2010ACMISBN978-1-60558-895-7/10/04...$10.00. onthedynamiccontextualinformationavailabletothesys- (XACML)asanexampletointroducetheprimaryelements, tem. More discussion on this issue along with a motivating theseelementsaresimilarinotherpolicylanguagesaswell. scenario is presented in Section 3. XACML is an OASIS standard that describes a policy PCAs used in current systems are also very restricted. language for representing authorization policies and an ac- There are a number of conflict resolution logics in general cesscontroldecisionrequest/responselanguage[2]. XACML purpose computing which are not expressible as PCAs in is based on XML. It describes general access control re- authorization languages. Examples of these logics include quirements while allowing for extensions for defining new hierarchy-basedresolution,priority-basedresolution,taking functions,datatypesandcombinationlogics. Thelanguage asimplemajorityvote,andtakingaweightedmajorityvote. hassyntaxfordefiningauthorizationpoliciesandbuildinga ThereisaneedtoincludealgorithmssuchastheseasPCAs request/response to validate authorization requests against inauthorizationlanguagestoprovidemorefunctionalityand the policies. The response contains one of the four possible flexibility in defining policies. outcomesofpolicyevaluation-Permit,Deny,Indeterminate Having a context-aware authorization system also pro- (an error occurred or some required value was missing, so vides the capability to define different policies for different a decision cannot be made) or Not Applicable (the request contexts. These contexts can be distinguished by contex- can’t be answered by this service). tualdataorenvironmentalattributes. Inthiscase,thepoli- XACMLhasaPolicyEnforcementPoint(PEP)thatactu- cies will be modular making them easy to comprehend and allyprotectstheresourceandaPolicyDecisionPoint(PDP) analyze. Without the ability to choose the applicable poli- that evaluates the access request against the policies. The ciesbasedoncontextualinformation,thepolicycomposeris PEP receives the access request from the requesting user forced to duplicate each access control rule with and with- and forwards it to the PDP which makes the decision in outthecontextualinformationinthesamepolicy. Although consultation with the policies. If the access is allowed, the thesameaccesscontroldecisioncanbeachievedinbothap- PEP release the resource to the requesting user. The main proaches,thelattermakesitdifficulttoanalyzethepolicies components of a XACML policy are described below: and the effect of making changes to them. Also if policies Policy - An XACML policy contains a set of rules with arechosendynamically,onlyasmallsetofruleswillbeeval- the subject and environment attributes, resources and cor- uated for their applicability for this request. This reduces respondingactions. Ifmultiplerulesareapplicabletoapar- thenumberofmatcheswithpotentialpolicytargetsthereby ticularrequest,thentherulecombinationalgorithm(RCA) lowering computation time. combinestherulesandresolesanyconflictintheirdecisions. Another advantage of using context-aware authorization XACMLsupportsthefollowingRCA’s-Deny-overrides(Or- isthataspecializedpolicycreatedforsomespecificpurpose dered and Unordered),Permit-overrides (Ordered and Un- can be added and removed from consideration dynamically ordered), and First-applicable. without changing the existing policies. This is especially Policy Set - A policy set is a container which contains usefulforsystemsthathavetoadheretocertaintemporary other policies or policy set. One or more of these poli- authorizationrequirementswhichrequirespecialauthoriza- cies or policy sets may be applicable to a particular ac- tion rules. This is also useful in cases where the specialized cess request. If more than one are applicable, then the policy is composed by some entity other than the one who Policy Combination Algorithms (PCA) are used to com- usually creates and maintains authorization policies. binethepoliciesandresolveanyconflictsintheirdecisions. The main contributions of this paper are: 1) proposing XACMLsupportsthefollowingPCA’s-Deny-overrides(Or- a framework where authorization for a particular access re- dered and Unordered),Permit-overrides (Ordered and Un- quest is decided dynamically based on context information, ordered), First-applicable, and Only-one-applicable. 2) supporting dynamic conflict resolution where PCAs are Target - A Target is basically a set of conditions for the chosenatruntimebasedoncontextinformation,3)provid- Subject,ResourceandActionthatmustbemetforaPolicy ing the ability to dynamically include (remove) specialized, Set, Policy or Rule to apply to a given request. short-term or add-on policies to (from) the authorization Rule - The rule is the core representation of the access policyset,4)increasingtheefficiencyofpolicytargetmatch- controllogicwiththesubject,resource,actionandenviron- ing during authorization, 5) increasing the modularity and mentfields. Itisabooleanfunction,whichevaluatestotrue clarityofthepolicies,6)buildingaprototypeauthorization ifthesubject,resource,actionandenvironmentfieldsinthe system to demonstrate the concepts, and 7) evaluating effi- request matches with the fields in the rule. ciency of the policy evaluation for the proposed framework. 2.2 AuthorizationPolicy 2. ATTRIBUTE-BASEDAUTHORIZATION Inanattribute-basedsystem,objectsareprotectedbyad- ministrator (or object owner) defined policies. These poli- SYSTEMS cies define a set of verifiable attributes (with pre-defined In this section, we first introduce the basic constructs of values) against each resource for a set of privileges. These attribute-basedpolicylanguages. Wethendescribesomeba- attributes are either the characteristics of the user or the sicconceptsofattribute-basedauthorizationsystems,define environment. Theseattributesmustbepresentedtotheau- attribute-basedpolicies, andpolicycombinationalgorithms thorization module and verified by it in order to authorize used in conflict resolution. the accessing user to access the requested object with spe- cific privileges. Since the attributes have to be verifiable, 2.1 BriefIntroductiontoPolicyLanguages theyhavetobecertifiedbysomeentitywhichistrustedby In this sub-section, we introduce the basic elements of the authorization module. attribute-based authorization policy languages. Although An attribute-based authorization policy is formally de- here we use eXtensible Access Control Markup Language fined below. Definition 1 : LetSA,RAandEArepresenttheSubject, whichisanOASISstandard. XACMLisanattribute-based Resource and Environmental attributes respectively, each policydescriptionlanguageandisusedforimplementingour of which is well defined set of finite cardinality, given as prototype system. Although we use XACML for discussion SA = {sa ,sa .........sa}, RA = {ra ,ra .........ra } and and implementation, the model we present in this paper is 1 2 l 1 2 m EA={ea ,ea .........ea }. Theseattributescantakevalues generic and can be implemented in other policy languages 1 2 n val sa ⊆dom(sa )(1<i<l),val ra ⊆dom(ra )(1<j < like P3P [4] or EPAL [1]. i i j j m) and val ea ⊆dom(ea )(1<k<n). k k Attributes can be of two types, one which can take dis- 2.3 CombinationAlgorithmsandConflictRes- tinct and unconnected values (for e.g. ‘role’=‘doctor’ or olution ‘role’=‘nurse’) and another type which can take a single or In a large system, there may be multiple authorities who range of values (for e.g. ‘time’ is between t and t or ‘age’ 1 2 specifytheauthorizationpolicies. Assuch,therecanbemul- ≤ 21). In the latter case, the values that an attribute can tiple groups of policies. When a request is evaluated in the take are connected. Without loss of generality, we define system, the authorization module determines which policy thelattergroupasattributeswhichcantakeeitherasingle sets apply to the particular request. Then it checks which value or a range of values. For example, for a range of sa , j policies among those groups and which rules among those the domain and values are defined as follows: policiesareapplicabletotherequest. Therecanbemultiple Attribute Type 1 - policy sets and multiple policies in each set applicable to a dom(sa )=[sa val ,sa val ...sa val ],val sa ∈dom(sa ); j j 1 j 2 j n j j single access request. Even within each policy there can be Attribute Type 2 - multipleruleswhichapplytotheaccessrequest. Theserules dom(sa )=[low,high], val sa =[low(cid:48),high(cid:48)]⊆dom(sa ); j j j andpoliciescanhaveadifferentorevenconflictingdecision where, (low(cid:48) ≥low) and (high(cid:48) ≤high). If val sa takes a j for the request. As such, a mechanism is needed to resolve distinct value in [low,high], then low(cid:48) =high(cid:48). these conflicts. Policy languages have some rule combina- Definition 2 : Let Action define a set of actions which a tionalgorithms(RCAs),whichevaluatetheapplicablerules subjectcanexecuteonresources. ACT ={act ,act .........act }. 1 2 p based on the logic of the algorithm and resolve any conflict Forexample,thesetofactionsonafilecanbe{read,write, in their decisions. delete,append,execute}. LetD bethesetofdecisionsthat Definition 6 : In a single policy, E(AR,R ) → d , where can result as a response to a predicate evaluating to true. i i E representstheevaluationoftheith ruleandd isthecor- D={d ,d .........d }. i 1 2 q responding decision. The set of all the decisions is given as Definition 3 : An access request (AR) is a tuple of the DRule = (< d ,d ,...,d >). Rule Combination Algorithm form < s,r,a > , where s ⊆ {SA,EA}, r ⊆ {RA} and 1 2 x (RCA) is defined as {RCA φ DRule} → d, where d (cid:15) D. φ a ⊆ {ACT}. It represents that s is requesting to access r represents ‘applied to’. with rights a. A Rule R has the same format but defines Forexample,apolicymayuse‘deny-overrides’asitsRCA. the set s required to access r with rights a. In this case, if the algorithm finds even a single rule that Definition 4 : ApolicyisalistofrulesgivenasP =(⊕,< denies the access, its final decision is ‘deny’; otherwise its R ,R .........R >). ⊕ is a combination function, which 1 2 s decision is ‘permit’ even if a single rule permits. If none of combinestherulestoproduceasingledecisionforthepolicy. theruleseither‘permit’or‘deny’theaccess,thentheresult Definition 5 : APolicySet(PS)isacontainerwhichcon- is ‘Not Applicable’. tainsalistofpolicies. Itmayalsocontainotherpolicysets. For combining the policies and policy groups, policy lan- It is given as PS = ((cid:11),< PS ,PS ,...PS >). Each PS 1 2 i t guages have policy combination algorithms (PCAs). These representseitherapolicysetorasinglepolicy2. (cid:11)isacom- algorithms work on similar logic as the RCAs. Each policy bination function, which combines all the policy sets. This giveasingledecisionfortheaccessrequest. ThePCAcom- combinationfunctionisusedtocombinepoliciesandpolicy binesthesedecisionsintoasingledecisionbyusingthePCA sets and has no direct relation with the rule combination logic. algorithm. Definition 7 : In the final policy list, E(AR,PS ) → d , Conceptually, a policy is a deliberate plan to implement i i where E represents the evaluation of the ith policy set and authorizationtoaparticularresourceorgroupofresources. d isthecorrespondingdecision. Thesetofallthedecisions A rule is a component of the policy that defines a specific i is given as DPS = {d ,d ,...,d }. Policy Combination Al- authorizationpredicate. Apolicysetisacontainerthatcon- 1 2 x gorithm (PCA) is defined as {PCA φ DPS}→d, where d (cid:15) tains a number of logically connected policies. In a multi- D. authoritysettingwheretheauthorizationpoliciesforapar- In the current systems, these RCAs and PCAs are static ticularresourcearedefinedbyanumberofentities,allpoli- and are determined at the time of composing the policies. ciesforthatparticularresourcewillformalogicalpolicyset. For example, at a university, the firewall policies to protect a lab computer may be a combination of the policy defined 3. DYNAMICCONFLICTRESOLUTION centrally by the office of information technology, a specific In the last section, we saw how RCAs and PCAs resolve departmentpolicy,alabfirewallpolicy,andtheadministra- the conflicts among rules and policies to give a unique de- tor defined policy for that computer. A policy set encom- cision for an access request. We also noted that, in exist- passes all of these policies. The policies can be defined in a ing systems, these RCAs and PCAs are chosen at the time numberofpolicydescriptionlanguages. Eachhasitsadvan- of composing the policies and hence do not change. This tages and disadvantages. In describing the policies in this static composition may not be suitable for highly dynamic paper, we will use the syntax and structure of XACML [2], environmentswherethereisaneedtoadaptthepoliciesdy- namically. Ifsuchamechanismisavailable,thenitcanalso 2In which case the set has a single policy and no PCA. serve as an easy tool for the policy composer, if he wishes to change the RCAs and PCAs without recomposing the pectedly, therefore Alex cannot be expected to recompose authorization policies. policies when an emergency has already occurred. In cur- Some researchers have proposed static conflict detection rentsystems,userslikeAlexdonotchangetheirpolicieson andavoidance,arguingthatdetectingandresolvingconflicts such events. Our novel framework enables users to achieve in systems with a large number of policies in real time can this with little effort and provides an important new func- be a daunting task [26]. We argue that, even though it is tionality. a challenging problem, it is a superior approach. Organi- zation policies, regulatory polices, and user policies change 3.2 ProposedModel regularly. If we perform static conflict analysis, whenever In this section, we present a novel mechanism to dynam- one of the policy changes, new conflicts can arise requir- ically determine the policies applicable to an access request ing some party to change their policies. Also, some policies and to evaluate only the applicable policies. In this model, that conflicted before one of the policies changed and were we evaluate the authorization policies in two stages. In the never composed, may now become acceptable. There is no firststage,wedeterminewhichpoliciesareapplicabletothe mechanism to reconsider these rejected policies. Also, the current access request and we also dynamically determine static model does not take into account adding and remov- which PCA will be used to resolve the conflicts in the au- ingspecializedandtimelimitedpoliciestoprovideflexibility thorization decisions. In the second stage, we evaluate only in policy composition and maintenance. the applicable policies using the PCA selected in the first stage. 3.1 MotivatingScenario Duringstageone,thetotalapplicablepolicyset(TAPS)is Let us consider a motivating scenario from the health determinedbyselectingonlythosepolicieswhereatleastone care domain. Alex is a patient who stores his personal oftheauthorizationrulesisapplicabletothecurrentaccess health record (PHR) with his health maintenance organi- request. IfPS ,PS ...PS aretheauthorizationpolicysets, 1 2 n zation(HMO) called Superior Health Care (SHC). At SHC then the TAPS for a particular AR is given as TAPS = the patients’ PHRs are stored in a repository where the ac- (cid:11){PS ,PS ....PS }. 1 2 n cess to the repository is mediated through a proxy. The Thecombinationalgorithm(cid:11)usedis‘all-that-apply’,which proxystoresalltheauthorizationpolicies. Thepoliciesmay isanewrulecombinationalgorithmdefinedinAppendixA. have multiple groups with policies defined by patients like The‘all-that-apply’ algorithmhasbeenimplementedinour Alex himself, the hospital which created the record, SHC’s modifiedXACMLengine(seeSection5). ToevaluateTAPS, organizational policies, federal regulatory policies, and so allavailablepolicysetsareevaluatedasexplainedinDefini- on. When someone tries to access an EMR for a particular tion6. Ifapolicysethasatleastonerulethatappliestothe patient, the system will consult the applicable policies to current access request, we include it in the TAPS. To find check whether this access is allowed. Assume that, in nor- anapplicablerule,weconsiderthesubjectandenvironment mal circumstances, the policy combination algorithm used attributesintheaccessrequest(whichistheset{EA∪SA}) is ‘deny-overrides’, which is a secure and stringent policy. alongwiththeirbooleanrelationships. Wethenmatchthat Suppose that Alex wishes to use a more lenient policy in withtherulesinthepolicyleveltarget. Wetrytofindarule caseofanemergency,wherehewillsharehisPHRwithany with the same set {EA∪SA} with the same relationships accessor who is authorized by at least one of the applicable so that at least one of the attribute combinations matches policies. In this case, he needs to dynamically change his with those in the AR. EA, SA and RA are specified in PCA from ‘deny-overrides’ to ‘permit-overrides’ whenever Definition 1. thereisanemergencyandbackto‘deny-overrides’oncethe To aid in determining applicable policy sets, we create a emergency is over. The traditional method would require meta-policy file called the M-Policy. This file contains one himtochangehispoliciestwicetoachievethis. IfAlexwant rule for each authorization policy set in the system. This to have several dynamic options, he will have to change his ruleisacopyofthepolicyleveltargetruleincludedineach policydescriptioneachtimesuchadynamicchangeoccurs. set. Thisruleisamethod,inalanguagesuchasXACML,to In the proposed model, Alex can define all such dynamic definewhetheraparticularpolicyisapplicabletothegiven conditions as an attribute-based policy and the evaluation access request and it makes the processing faster. Includ- of these policies will determine what PCA will be used for ing it in the M-Policy file has two advantages, namely the the current access request. The model extends this concept processing of the M-Policy file is much faster compared to totheselectionoftheRCAdynamically. Itisdesirablethat evaluating the policy level target rule in each file. These theuserhastheabilitytodefineseveraldynamicconditions rules are optional in XACML. If they are not present, pol- simultaneously, need not change his policy descriptions ev- icy evaluation will take longer. Also, we do not use any erytimeonesuchconditionchanges,andalsoneednotkeep ruleleveltargetsintheXACMLpolicies. Assuch,wecom- trackofthedynamicchanges. Thisisoneofthekeyadvan- pare the best case performance XACML can offer with our tages of using the proposed system. If Alex tries to achieve TAPS algorithm. The ‘all-that-apply’ algorithm makes it the same effect in current policy-based systems with static possibletoevaluatealltargetrulesatthesameplace. Each conflict analysis, when an emergency occurs he will have rule in the M-Policy is evaluated (refer to Definition 6). If to recompose his policy with ‘permit-overrides’ and resolve a rule evaluates to ‘permit’, it means that the target rule all conflicts created in the process. When the emergency representing the respective policy is true and that policy is is over, he will have to recompose his policies with ‘deny- applicable. We then include that policy in the TAPS. overrides’ and resolve all conflicts again. He cannot create To apply the TAPS algorithm to current XACML based a special policy for an emergency, because his two policies systems, we can create an M-Policy file if all the XACML are inherently contradictory. This puts a heavy burden on policies in the target system have a policy level target and the user and also, by definition an emergency comes unex- nooverridingruleleveltarget. Insystemswhereeitherthere arenopolicyleveltargetsoroverridingruleleveltargetsare the prototype. present, an efficient way to implement the TAPS algorithm 4.1 SystemDesign is to broadly categorize the available policies and use these categories to select the applicable policies. Although this The proposed system has a two stage authorization pro- selectionwillneitherbefine-grainednoraccurate,itwillstill cess, where in the first stage the applicable policy set and improve the performance of the evaluation system because the applicable PCA is determined and in the second stage by using TAPS we can filter out non-applicable policies at the applicable policies are evaluated to reach an authoriza- an early stage. So, although the performance will not be tion decision. For the first stage, the policy is created with optimal in this case, it will still be better than the current an index rule for each policy in the TAPS. An index rule is performance. of the form < {SA,RA,EA} : PolicyId >, where PolicyId The next step in stage one is to determine the applica- is the index id of a particular policy. For example, if policy ble PCA (PCAapply) based on a set of environmental at- ‘P1234’ is applicable to requests in an emergency scenario, tributes, which define the specific conditions under which then the index rule will be represented as - each of the PCAs is applicable. These environmental at- <{EMT.EMTLicense=‘valid(cid:48)}:P1234> tributes essentially define the context of the AR. Some of <{CompanyY.Dispatched=‘true(cid:48)}:P1234> theseattributesmightaccompany the AR whileothers can <{EMT.Employer=‘CompanyY(cid:48)}:P1234> be provided by an internal or external system entity. We assume that the dynamic decision of which PCA to select The attribute in the index rule is directly provided by is itself based on a policy. Thus, there is a policy set con- an attribute provider (AP)3. In this example, the three at- taining the rules governing PCA selection. The PCA rules tributesjointlyestablishthattheEMT’slicenseisvalid,he aredefinedsothattheyaremutuallyexclusiveandonlyone works for company Y and company Y was dispatched to of them is applicable in a particular situation. Although the emergency by the 911 operator. These attributes will this might seem complex, it is not really so because there be provided by distinct entities. Using them together can are typically a small number of combination algorithms to establish a complex fact, which cannot be verified by any choose from. This is enforced by using the combination al- singleentityinthewholesystem. Notethatifanindexrule gorithm(cid:11)‘only-one-applicable’ tochooseamongthePCAs. does not contain any attributes i.e. <∗:PolicyId>, then ‘only-one-applicable’ returnstheapplicablePCAifoneand it is true by default and that policy is always included. onlyoneruleevaluatesto‘permit’. Ifzeroormorethanone Foranaccessrequest,theattributespresentintherequest rule(andhencethePCA)evaluatesto‘permit’,thenaner- are compared against the index rules and, in many cases, rorcodeisreturned. Allrulesinthepolicysetareevaluated onlyasmallnumberofpolicieswillbeincludedintheTAPS. and the applicable PCA is selected to be used for resolving Asaresult,thepolicyevaluationstagewillbemuchfasterin conflicts for this access request. thesecases. ThediagraminFigure1describesthedynamic Nowinstagetwo,thefinalauthorizationdecisioniscalcu- authorization process. A similar policy is created with an latedbyevaluatingtheTAPSasE(TAPS)={TAPSPCAapply, index rule for each available PCA. Based on the attributes AR} φ DPS → d. As defined in Definition 7, in this eval- intheindexrules,wedeterminewhichPCAwillbeapplied uation, we consider all policies present in the TAPS and to this particular request. evaluate them against the access request AR. The (cid:11) used inthiscaseisPCA ,whichiscalculatedintheprevious apply step. As an example, using this model, Alex can create a PCA selection rule to the effect that if the E =(‘emergency(cid:48) = A ‘true(cid:48)), then the PCA ‘permit-overrides’ is used. The effect will be to allow access to anyone who can satisfy at least one of the applicable policies. On the other hand, in case where E =(‘emergency(cid:48) =‘false(cid:48)), PCA ‘deny-overrides’ A can be used. This will limit access to holders of those at- tribute combinations that are not denied by any policy and are allowed access by at least one applicable policy. Since thisevaluationisdoneduringeachaccessrequest,thePCA will change dynamically whenever there is an emergency. Inadditiontoprovidingthisnovelfunctionality,ourframe- work proposes the use of TAPS to reduce the policy set to beevaluatedforeachaccessrequest. AsshowninSection6, thisimprovestherealtimesystemperformanceby4-8times. Formulation and evaluation of these rules is explained in more detail in Section 4.1. Figure 1: Block diagram of policy evaluation using the proposed framework. 4. SYSTEM DESIGN AND BACKGROUND MODULES 3An AP is an entity similar to an identity provider. We define an AP as an entity that can certify certain attribute Inthissection,wewillfirstpresentthesystemdesignfora values for an individual due to its special relationship with genericimplementationofthisauthorizationframework,and the individual. For example, an employer can certify an then describe some background modules used for building employee’s role in an organization. 4.2 ApplicationScenario example XACML policy for Alex is shown in Appendix B. To understand the implication of using context informa- An additional benefit of our framework is that SHC can tion in the total applicable policy set (TAPS) evaluation createindexrulesusingattributeslike‘username’5,‘datatype’, and using dynamic PCA selection, let us again consider and ‘data source’ to create index rules to quickly select rel- the previous health care domain scenario. Assume that evant policies when a physician tries to access Alex’s PHR. Alex’s HMO where he stores his PHRs has access policies These relevant policies form the TAPS for this access re- for data based on criteria like data type, membership type, quest. Suppose policy P880 contains Alex’s disclosure poli- etc. Alex’spoliciesalsoapplytohisPHR,asdescribedear- cies,P130containsdatasource’spolicy,P110containsHIPPA lier. Now Alex, who lives in Atlanta is planning a trip to policy, P112 contains the electronic privacy act6, and P21 Florida for a week and he wants his PHR to be accessi- containstheSHC’sdisclosurepolicies. SHC’sindexrulesfor ble to any physician or ‘paramedic in Florida’ during that Alex’s PHR are shown below : week in case he needs medical help. Using our proposed <{‘username=Alex(cid:48)}:P880> model, he can add a special policy saying < {startdate ≤ <{‘datasourceId=814820(cid:48)}:P130> date≤enddate}:P2345>,whereP2345describesthespe- <{‘datatype=PHR(cid:48)}:P110,P112> cial permission to ‘physicians’ in general and ‘paramedics <{∗}:P21> in Florida’. Upon evaluating this index rule, Alex’s au- Note that, in the last index rule, the attribute value is left thorization system will compare the current date with the blank,whichresultsinP21beingincludedeverytime. Using date range in the index rule and will include P2345 during thisefficientevaluationofTAPS,SHCcanquicklydetermine thatparticularweek. Sincetheproposedmodelisattribute the policies that need to be evaluated for an access request based, Alex can take advantage of this by adding multiple to Alex’s PHR. We report some performance results of the attributecombinations. AssumethatAlex’slocationcanbe efficiency of TAPS evaluation in Section 6. trackedfromhismobilephone,whichcommunicatesthatto his authorization system over a secure channel. Then Alex 5. PROTOTYPEIMPLEMENTATION can set the index rule as follows : < {startdate ≤ date ≤ In this section, we describe the prototype implementa- enddate},{location=Florida}:P2345>. tion of the proposed framework. The prototype implemen- This additional attribute will make sure that the lenient PCAischosenonlywhenheisphysicallyinFlorida4. Alex’s tation of the framework extends the functionality of the policy language. The implementation is done using Sun’s mobile phone is used to provide his location, but the PHR open-source XACML engine implementation, where we im- will be primarily be accesses by the paramedics and physi- plemented additional modules and PCAs using Java. The ciansusingtheirsystems. Intheeventthathehastocancel generated policies are written in XACML. We use the Sun his trip, his more lenient policy will not be in effect and XACMLPDPimplementationbecauseitsloadingandeval- his information will not be available to any paramedic in uation times are both reasonable when compared to other Florida. He also has the convenience of setting this rule popular XACML implementations like XACMLLight and once and then forgetting about it, irrespective of whether XACML Enterprise. Its overall performance is much bet- he actually makes the trip or not. ter than XACMLLight and close to XACML Enterprise. A It is important here to note the difference between creat- detailed comparison of the three implementations is done inganewaccessruleinAlex’spolicyvs. creatinganadd-on in [25]. accesspolicy. Whiletheformerispossibleusingthecurrent The authorization policy consists of multiple policy sets. authorizationsystems,itwillrequireAlextomodifyhispol- These sets consist of the system policy, the patient policy, icy by adding new access rules and probably changing the and the data source policy. The system can be extended to rulecombinationalgorithm. Theeffectsofdoingboththese consider the data accessor’s policy to ensure that the obli- actions is hard for an average user to comprehend. If Alex gations associated with the access request will be honored. hassethisRCAas‘deny-overrides’andhewantstoaddhis The authorization module is set up as shown in Figure 2. new rules to permit access during that particular week, he The ‘Policy Load and Evaluation’ and ‘Ancillary’ modules will need to either change the RCA to ‘permit-overrides’ or are part of the standard XACML engine and the ‘PSS’ and change each of the deny rules in the policy. Doing either ‘PCASelector’(explainedlaterinthissection)areaddedto is not desirable because his deny rules will be bypassed. In the XACML engine. To make the proposed model closely theproposedsystem,Alexcanaddapolicytothepolicyset compliant with the existing XACML engine, we have mod- defining his access policies andchange the PCAto‘permit- eled the two new sub-modules as XACML policy sets, so overrides’ for the specified period. Doing so will still keep that the XACML policy engine can be used to do these all of Alex’s deny rules unmodified and his policy set will evaluations as well. allow access when at least one of his policies allow access, Policy Set Selector (PSS)-ThePSStakestheautho- which is what he intended to do. This is hard to do in cur- rizationpolicyastheinput,whichcontainsalltheavailable rentsystems,becausePCAcannotbechangedaccordingto policysets. TheschemaoftheTAPSasapolicyfileisshown dynamicrequirements. Theresultingpolicysetisalsomore inFigure3. ItisorganizedintheSubject,Resource,Action modular and analyzing such a policy set is easier. Finally, and Environment structure. The PSS evaluates each policy itsavestheeffortandcomplexityofanalyzingtheeffectsof set to find out all the sets that are applicable to this access changing the RCA or policy rules, not to mention restoring request. ThePCAusedhereis‘all-that-apply’,whichises- the original state once the specified time has passed. An 5ThesystemcanuseanypseudonymtolinkAlex’sPHRto 4WeassumethatAlexalwayscarrieshismobilephonewith his policies. him because in essence the service is tracking a device and 6The assumption here is that the rules in these acts can be not Alex himself. encoded in a high level language like EPAL or XACML. definingthe selectedPCAwithnoattributes (hencealways applicable) and defining all the other PCAs with attributes thatarenevertrue. Althoughsuchaconfigurationmaynot providesomeofthekeybenefitsoftheproposedframework, it may sometimes be required for backward compatibility. ThePCAselectorfileisapolicysetasshowninFigure4. AllthePCAsaredescribedascontainedpolicysetsandthe combination algorithm used is ‘only-one-applicable’, which is a standard XACML PCA. It returns ‘permit’ if one of the policy sets is applicable and ‘deny’ if zero or more than one policy set are applicable. In case the result is ‘permit’, theapplicablepolicysetreturnsthenameofthePCAtobe used in combining policies. This module provides the novel functionalityofselectingthePCAdynamicallyasdescribed in Section 3.2. Figure 2: Modified XACML policy engine. peciallydevelopedforthePSS.ThefunctionofthisPCAis toevaluateallthepolicysetsandoutputallthatapply. All thepolicysetsselectedbythePSSarestoredinadatastruc- ture and only those policy sets are considered in the evalu- ation phase. As mentioned earlier, this reduces the number of policies to be evaluated for an access request and results in considerable run time performance improvement. A de- tailed discussion of the performance improvement is given in Section 6. Figure 4: PCA selector module as a XACML policy set. To continue with the example in Section 3, the PCA se- lection policy set will be set as shown in Figure 4. Initially, when there is no emergency, the PCA ‘deny-overrides’ will be selected. This will be indicated by the attribute ‘emer- gency’ being set to false. When there is an emergency, the attributeissettotrueandthePCAevaluationwillgivethe output as ‘permit-overrides’. The output PCA again be- comes ‘deny-overrides’ once the emergency is over and the corresponding attribute is set to false. Figure 3: Policy set selector module as a XACML This attribute can be provided by a number of entities policy set. like the ‘emergency operations center’, the ‘911 operations center’, the patient himself or any other entity that the pa- PCA Selector - The PCA selector reads the PCA se- tient’s agent trusts to provide this attribute. Although it lection file, which is described as a XACML policy. This sometimes might be difficult to ascertain that this particu- description is created by the entity that is responsible for lar patient is involved in an emergency, the patient would makingsurethatalltherelevantpoliciesaretakenintocon- give more priority to making his PHR available to medical sideration. This entity should make sure that the all the personnelinanemergencyratherthantohisprivacy. Since available PCAs are encoded as individual policies as shown theentiresystemcanbeaudited,anybreachofprivacycan in Figure 4. This system can be used as a static system by be discovered on audit. 6. PERFORMANCEEVALUATION in each step. We also vary the number of index rules ap- Inthissection,wewilldiscusstheperformanceevaluation plicable to each policy to 1,2,4, and 8 in different runs of of the various components of the proposed framework. We the experiment. The result is shown in Figure 5. We ob- are basically measuring the following parameters: 1) over- serve that the evaluations take almost linear time as shown head in evaluating the total applicable policy set (TAPS), in this semi-log graph. The evaluation time is within 2 sec- 2) overhead in dynamic selection of the PCA, and 3) time ondsevenwith1,000policieswith8ruleseach,whereaswith saved in evaluating just the TAPS (and evaluating applica- 100 policies with 8 rules each the evaluation time is within ble policies) compared to performing a target match on all 250 milli-seconds. the available policies (and evaluating applicable policies). Tomeasuretheseparameters, we evaluate thefollowing- 1)TAPSevaluationtimevs. totalnumberofavailablepoli- cies , 2) PCA evaluation time vs. number of attributes in each index rule, 3) evaluation time vs. number of policies (with and without TAPS). Reasons for choosing these pa- rameters and the evaluation results are discussed in detail in Section 6.2. 6.1 EvaluationSetup Intheevaluationsetup,wecreateXACMLpoliciesforthe modules described in Section 5. For evaluating the TAPS, we use the schema shown in Figure 3. We setup a XACML policy file with one index rule representing each available policy file (or policy set). Each index rule contains two at- tributes, both of which are required for access. There are 16attributesintotalandweselect2outofthemrandomly. Figure 5: Evaluation time vs. number of available Fortheexperiments,weuse1,2,4and8indexrulesforeach policies. policy file in each run of the experiment. We also vary the totalnumberofavailablepoliciesfrom1to10,000increasing the number of policies by an order of magnitude each time. 6.2.2 Case2 Mostoftherealworldpoliciesuse10-20userattributescom- In this case, we evaluate the applicable PCA from a list ing from the organizations LDAP server [22], [3], hence we of PCAs supported by the system. In our prototype sys- feel 16 is a representative number. Moreover, this is a con- tem,wehavesevenPCAs,eachdenotedasapolicysetwith figuration parameter and not a limitation because it can its own index rule. We increase the number of attributes be scaled easily. We also scale the number of attributes in used in each index rule to understand the effect of scaling one of the experiments (as described in this Section 6.2.2). the attributes on performance. We increase the number of We believe that most of the real world systems use much attributes from 2 to 10,000. The run time performance is less than 10,000 policies. We evaluate performance up to showninFigure6. Weobservethatevenwith100attributes 10,000 policies to observe the system performance over a per index rule, the total evaluation time is under 280 milli- broad range. seconds. For selecting the PCA, we use the schema shown in Fig- ure4. SincewehaveafixednumberofPCA’sinthesystem, we use this evaluation to scale up the number of attributes from 2 to 10,000 in each index rule. This evaluation gives usanestimateoftheevaluationtimeinasystemwithlarge number of attributes. Forevaluatingtheactualpolicies,wehavecreatedpolicies with1,2,4and8rulesperpolicytobeusedindifferentruns of the experiment. We created sets of 10, 100, 1,000, and 10,000 policies. All experiments were run on a single 2.4GHz Intel Dual Core Pentium machine with 2 GB of physical memory. 6.2 EvaluationResults Inthissubsection,wepresenttheperformanceresultsfor the different cases just described. 6.2.1 Case1 Figure 6: Evaluation vs. number of attributes per Inthiscase,weevaluatethetimeconsumedinevaluating index rule. the TAPS with varying number of total available policies. The RCA used is ‘all-that-apply’, so the evaluation consid- 6.2.3 Case3 ersallthepoliciesthatapplytoaparticularaccessrequest. We change the number of policies from 1 to 10,000 by in- Inthiscase,weevaluatethesamesetofpolicieswithand creasing the number of policies by an order of magnitude without the PSS module and compare the performance of the two systems. The setup is described in Section 6.1. In each policy file, we have a policy target set up, which is thedefaultmethodXACMLusestocheckwhetherthecur- rent policy (file) is applicable to the current request. This targetcanbesetupbyresources,subjects,actions,orenvi- ronments. We set up these targets with applicable subjects values. This allows us to make a direct comparison with our experimental setup. Also, this does not limit the use of target in the experiments conceptually or physically7. We first run the test with all the files and let XACML engine perform target matches with all the available policies and evaluate policies where the target matches. Figure 7 shows the result of this evaluation with about 1% of the policies being evaluated. Forcomparisonwithourproposedsystem,weruntheex- perimentwiththesamepolicysetwiththePSSmodulein- Figure 7: Evaluation time vs. number of total avail- cluded. WeevaluatetheTAPSusingtheindexrulemethod able policies (conventional XACML). foralltheavailablepoliciesandforcetheTAPStobe1%of thetotalavailablepolicies. TheresultingTAPSisstoredin an array and the XACML engine then performs evaluation of all the files in this array. The combined time for deter- miningtheTAPSandevaluatingitisshowninFigure8. We include 1 percent of the total policies in the TAPS, which we believe is more than what most access requests would require, especially in systems with large number of policies. Wechosethispercentagesothatwehaveaviewoftheworst casesystemperformanceandexpectthatmostrealsystems will have fewer policies to evaluate per access request and the evaluation times will be lower that what is observed in Figure 8. Comparing the results in Figure 7 and Figure 8, we ob- serve that using TAPS evaluation with the index rules and then evaluating the applicable policies is about 4-8 times faster than the conventional method. This is specially im- portant in large systems with a lot of policies. Considering Figure 8: Evaluation time vs. number of total avail- theworstcasescenario(10,000policies,8rules/policy),the able policies (our proposed framework). conventional evaluation takes about 210 seconds compared to 26 seconds on our system. In a more common scenario (100 policies, 8 rules/policy), the evaluation times are 1.8 Inthissection,wereviewrelatedworkintheareaofcon- seconds and 0.5 seconds respectively. We argue that this flictdetection,avoidanceandresolutionworksandcompare performance improvement is not only significant, but criti- them to our proposed framework. cal for real time systems. 7.1 Conflictresolution 6.2.4 Case4 Mazzoleni, et. al, presented a system for integrating au- Inthiscase,wefixthetotalnumberofavailablepoliciesto thorizationpoliciesfordifferentpartnersorganizations[20]. 1000andchangethepercentageofapplicablepoliciestoeach Their core idea is to find the similarity between a set of access request. We perform this experiment with 15access policies and to use that information to transform the set of request. Werepeatthisexperimentfor1,2,4and8rulesper policiesintoasingletransformedpolicywhichappliestothe policywithandwithoutthePSSsystemandcomparetheir request. In their case, the PCA are static there is no way performance. The results are shown in Figure 9 and Fig- to choose policies dynamically, whereas in our framework ure 10. We observe that in our proposed model the system we can choose the PCA dynamically. Our framework also evaluation time starts from a very low value and increases allows multiple policies for the same resource, one of which linearly. On the other hand in existing systems, it starts at can be chosen at run time. near maximum value and remains almost constant. Anotherideaforpolicyconflictresolutioninactivedatabases was proposed by Chomicki et. al, in [10]. Their system is based on the Event-condition-action paradigm in which 7. RELATEDWORK policies are formulated using ECA rules. A policy gener- ates a conflict when its output contains a set of actions 7Using target in the policy file is optional in XACML. If thatthepolicyadministratorhasspecifiedcannotoccurto- no target is used, the only way to check the applicability of gether. This work is specific to dynamically resolving con- the policy is to evaluate it and see if it applies to the cur- rent request. This will be slower than matching the target flicts among actions in a system, whereas our focus is more andhencewebelievethatourcomparisonisfairbecausewe onagenericpolicy-basedsystemtoprotecttheresources. In compare our results with the faster version. ourframework,thepolicycomposersneednothaveanyidea conflict with the system policies. In our framework, the users can specify their preferences even if they have con- flictswiththeotherpolicies. Theuserspoliciesmayoverride otherpolicesorbeoverriddenbasedoncontextinformation. Agrawal’sframeworkalsodoesnotconsiderchangingsystem and regulatory policies that may create more conflicts with accepted user policies. Also, it may result in removal of conflicts between the new system policy and previously re- jected user policies, which is not handled in this system. In our framework, this will be naturally handled without any action on anyone’s part to resolve the conflict. 7.3 HybridApproach Bertino,et. al,presentedanapproachwhichisahybridof conflict avoidance and conflict resolution [9]. In this work, Figure 9: Evaluation time vs. number of total avail- the authors propose a scheme for supporting multiple ac- able policies (conventional XACML). cesscontrolpoliciesindatabasesystems. Herepoliciesmay have ‘strong’ authorization which are without conflicts or ‘weak’ authorization with possible conflicts. Compared to thisframework,webelievethatourapproachismoregeneric becauseitallowsconflictingpoliciestobecomposedandre- solves conflicts based based on context information. To im- plement Bertino’s proposed system, there should be some static hierarchy (or first specified rule overrides others) for conflictavoidanceamongstrongauthorizations. Incontrast, ourframeworkwillallowdynamicoverridingamongtheau- thorities. Anotherapproachtoresolvingpolicyconflictsinahybrid manner is proposed by Jin, et al. [14]. In their work they mention that although resolving conflicts using the static method is easier, it may not be feasible in large systems with large number of policies. The main difference with our framework is that the combination algorithms in their model are defined statically, whereas in our case we decide Figure10: Evaluationtimevs. numberoftotalavail- the combination algorithm at run time based on context able policies (our proposed framework). information. Also, our framework enables the user to add (remove) PCAs or policies dynamically, an aspect not con- sidered in [14]. ofthepossibleconflictsinthesystem,whereasinChomicki the system administrator specifically defines conflicting ac- 8. CONCLUSION tions. Moreover, in our system there can be a number of authoritieswhocancomposethepoliciesanditisnotpossi- Inthispaper,wediscussedpolicy-basedauthorizationsys- ble for any one authority to have an idea of all the possible tems and attribute-based systems. We focus on the multi- conflicts in advance. authoritycase,wheremultiplepoliciesareusedtoauthorize a single access request. In particular, we expose the prob- 7.2 Conflictavoidance lemsinchoosingthePCAsaheadoftimei.e. duringthepol- One approach to avoid conflicts in authorization rules is icydescription. WepresentaframeworktochoosethePCA presented by Yu et. al, in [26]. They argue that a large dynamically during run time based on dynamic attributes. number of rules may apply to a service and detecting and Theframeworkalsosupportschoosingtheapplicablepolicy resolvingconflictsinrealtimecanbeadauntingtask. Their sets based on dynamic attributes. This increases the policy system is completely static and assumes that is it always evaluationefficiencyofthesystemandmodularizesthepoli- possibletodetermineprioritiesaheadoftimeandavoidcon- ciesenhancingtheiranalyzability. Usingdynamicattributes flicts. Wearguethatthisisnotpossibleindynamicenviron- to determine applicable policy sets at run time provides a mentsandisbasedonmultiplefactorslikethecontextofthe novel method to add and remove specialized policies dy- access request, authorities defining the policies, mandatory namically. We implemented and evaluated a prototype of policies (like regulatory) vs. optional policies, and environ- the authorization system as a module of a modified version mental factors. of Sun’s XACML engine. Another approach for avoiding conflicts in policy specifi- cation is proposed by Agrawal, et. al, for defining autho- 9. REFERENCES rizationpoliciesforhippocraticdatabases[5]and[6]. Their [1] Enterprise Privacy Authorization Language (EPAL). systemallowssystemadministratorstospecifysystempoli- http://www.w3.org/Submission/2003/SUBM-EPAL- ciesforadministrationandregulatorycomplianceandthese 20031110/. policieshavethehighestpriority. Usersareallowedtospec- [2] eXtensible Access Control Markup Language ify their privacy preference as long as their policies do not (XACML). www.oasis-open.org/committees/xacml/.