Issue No. 04 - October-December (2011 vol. 4)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TSC.2010.27
Min Xu , George Mason University, Fairfax
Duminda Wijesekera , George Mason University, Fairfax
Xinwen Zhang , Samsung Information Systems America, San Jose
The eXtensible Access Control Markup Language (XACML) is the de facto language to specify access control policies for web services. XACML has an RBAC profile (XACML-RBAC) to support role-based access control policies. We extend this profile with an administrative RBAC profile, which we refer to as the XACML-ARBAC profile. One of the advantages of doing so is to use policies based on RBAC model to administrate XACML-RBAC policies. Because using permissions granted by XACML-ARBAC policies alter XACML-RBAC policies, enforcing XACML-ARBAC polices requires some concurrency control within XACML access controller's runtime. In order to solve this concurrency problem, we propose a session-aware administrative model for RBAC, and enhance the XACML policy evaluation runtime using a locking mechanism. Experimental study shows reconcilable performance characteristics of our enhancements to Sun's XACML reference implementation.
RBAC, ARBAC, XACML, concurrency control, security.
X. Zhang, M. Xu and D. Wijesekera, "Runtime Administration of an RBAC Profile for XACML," in IEEE Transactions on Services Computing, vol. 4, no. , pp. 286-299, 2010.