Runtime Administration of an RBAC Profile for XACML
October-December 2011 (vol. 4 no. 4)
pp. 286-299
Min Xu, George Mason University, Fairfax
Duminda Wijesekera, George Mason University, Fairfax
Xinwen Zhang, Samsung Information Systems America, San Jose
The eXtensible Access Control Markup Language (XACML) is the de facto language for specifying access control policies for web services. XACML has an RBAC profile (XACML-RBAC) to support role-based access control policies. We extend this profile with an administrative RBAC profile, which we refer to as the XACML-ARBAC profile. One advantage of doing so is that policies based on the RBAC model can be used to administer XACML-RBAC policies. Because exercising the permissions granted by XACML-ARBAC policies alters XACML-RBAC policies, enforcing XACML-ARBAC policies requires some concurrency control within the XACML access controller's runtime. To solve this concurrency problem, we propose a session-aware administrative model for RBAC and enhance the XACML policy evaluation runtime with a locking mechanism. An experimental study shows reconcilable performance characteristics of our enhancements to Sun's XACML reference implementation.


Index Terms:
RBAC, ARBAC, XACML, concurrency control, security.
Min Xu, Duminda Wijesekera, Xinwen Zhang, "Runtime Administration of an RBAC Profile for XACML," IEEE Transactions on Services Computing, vol. 4, no. 4, pp. 286-299, Oct.-Dec. 2011, doi:10.1109/TSC.2010.27