Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Comparative Study of Specification Models for Autonomic Access Control of Digital Rights K. Bhoopalam,K. Maly, R. MukkamalaM. Zubair Old Dominion University.

Published byAlan Brooks Modified over 8 years ago

Similar presentations

Presentation on theme: "A Comparative Study of Specification Models for Autonomic Access Control of Digital Rights K. Bhoopalam,K. Maly, R. MukkamalaM. Zubair Old Dominion University."— Presentation transcript:

1 A Comparative Study of Specification Models for Autonomic Access Control of Digital Rights K. Bhoopalam,K. Maly, R. MukkamalaM. Zubair Old Dominion University D. Kaminsky IBM, Research Triangle Park D. Agrawal IBM, T. J. Watson

2 Nov 2005DRMTICS2005 Sydney Australia 2 Contents Motivation Background Autonomic Cycle for Protection of Access Rights Application Domain (digital library) Access Management Architecture Comparison of XACML and CIM –Information Model –Computational Model –Linkage Model Conclusion

3 Nov 2005DRMTICS2005 Sydney Australia 3 Motivation Policy-based models ease the management of access rights for Digital Information. Many policy specifications exist (XrML, ODRL) and many more are emerging (XACML, CIM based ACPL, etc.) A categorical or structured analysis of emerging specifications is necessary to choose the appropriate specification.

4 Nov 2005DRMTICS2005 Sydney Australia 4 Background CIM and XACML XACML specification uses XML schemas for access- control policies, requests, and decisions CIM Policy Model uses Meta-Object Facility and Unified Modeling Language –Used CIM derived ACPL for comparison The XACML and CIM models provide generic vocabulary to address DRM issues, such as –user privacy –fair use –fee and non-fee based access

5 Nov 2005DRMTICS2005 Sydney Australia 5 Background Comparison Axes Information model: How the abstract data model is specified as syntactical elements in the language. –Provides insight into how its supports various access rights requirements for self protection. Computational model: Computational complexity of evaluating an access request against an access policy to guarantee an access decision. –Provides insight into the kinds of rules for which these models provide low latency access evaluation. Linkage model: How these specifications interact with the environment, namely, the restrictions they place on the input (access request) and the output (access decision). –provides insight into the adaptability of these languages and models for various application domains.

6 Nov 2005DRMTICS2005 Sydney Australia 6 Autonomic Cycle for Protection of Access Right 1.Receive user attributes 2.Fetch all resource names 3.Compose requests from user attributes and resource names 1.Receive request contexts 2.Evaluate decision based on knowledge base 1.Receive access decisions 2.Perform provisional actions 3.Sequence the execution of access decisions 1.Prepare User Interface or response 2.Serve the response to the user [Knowledge Base] Policy Monitor AnalyzePlan Execute

7 Nov 2005DRMTICS2005 Sydney Australia 7 Application Domain (Federated Digital Library) 1.User request’s resource protected by Shibboleth 2.Target and User’s home organization authenticate each other and the home organization provides user attributes 3.End-User gains access to resource based on access control specifications provided in the policy (XACML/ACPL) Contributors Aggregator Shibboleth Target Federated DL & Harvester Policy Enforcement Point PDP Policy Editor Reg. Shibboleth Origin (CMU) [Admin classifies users into groups] Shibboleth Origin (ODU) Shibboleth Origin (TWRC) [ODU Users, CMU Users, TWRC Users] End-Users xArchiveCERNAPS a.Contributor registers with Federated Digital Library b.Contributor manages access policies for user access to its documents c.Provides policy in XACML/ACPL compliant format to the Policy Decision Point 1. 2.2. 3. a.a. b.b. c.c. SUBSCRIBERSSUBSCRIBERS

8 Nov 2005DRMTICS2005 Sydney Australia 8 Comparison of XACML and CIM (Information Model) faculty odu author description references Read XACML 1.Uses vocabulary from the access control domain 2.Multiple requests are required to gather compendium of access privileges (one for each resource) 3.Number of requests required increases based on the number of operations (read, distribute, etc) that can be performed.

9 Nov 2005DRMTICS2005 Sydney Australia 9 Comparison of XACML and CIM (Information Model) faculty odu read ACPL 1.Does not used vocabulary from the access control domain, as it is a more generic rule language. 2.A single request is sufficient irrespective of the number of resources. 3.The number of requests required do not change even if the number of permitted operations increases

10 Nov 2005DRMTICS2005 Sydney Australia 10 Comparison of XACML and CIM (Computational Model) … … Boolean Expressions in XACML Simple Boolean Expression in CNF or DNF Un-Conditional Boolean Expression Most commonly used condition is isolated and optimized.

11 Nov 2005DRMTICS2005 Sydney Australia 11 Comparison of XACML and CIM (Computational Model) … … Boolean Expressions in ACPL Un-Conditional Boolean Expression Does not have optimization for any specific kind of Boolean expressions

12 Nov 2005DRMTICS2005 Sydney Australia 12 Comparison of XACML and CIM (Computational Model) … … Conflict resolution in XACML Conflict resolution is more catered towards access rights and uses vocabulary from access control

13 Nov 2005DRMTICS2005 Sydney Australia 13 Comparison of XACML and CIM (Computational Model) … … Conflict resolution in ACPL Conflict resolution is accomplished using a simple prioritization.

14 Nov 2005DRMTICS2005 Sydney Australia 14 Comparison of XACML and CIM (Linkage Model) XACML, in addition to specifying syntax for policies, also specifies syntax for decision requests and decision responses. –The monitoring phase composes XACML compliant requests from user attributes that arrive as HTTP request parameters and delivers them to the analysis phase for evaluation –The PDP at the analysis phase provides the planning phase with XACML compliant responses, which need interpretation. –The existence of a standard, however, fosters interoperability. CIM model does not prescribe a format for requests and responses. –The absence of a specification for input formats, and the provision for multiple input formats by the CIM implementation eased the task of request and response processing. –However, generally, the lack of standard may hinder interoperability.

15 Nov 2005DRMTICS2005 Sydney Australia 15 Conclusion XACML –Plus capability to represent provisional actions XML schema ensure interoperability lower latency access evaluation – optimized Boolean evaluation Allows specification of resources as XPath artifacts –Minus lack of access to resource hierarchies and delegation CIM –Plus ability to represent complex actions requires fewer policies need be managed efficient mechanism when simple conditions need to be evaluated to obtain permissions on multiple resources. –Minus lack of standards-based XML schema lack of access to resource hierarchies and delegation

Download ppt "A Comparative Study of Specification Models for Autonomic Access Control of Digital Rights K. Bhoopalam,K. Maly, R. MukkamalaM. Zubair Old Dominion University."

Similar presentations

Contextual Linking Architecture Christophe Blanchi June 20 2006 Corporation for National Research Initiatives Approved for.

Contextual Linking Architecture Christophe Blanchi June Corporation for National Research Initiatives Approved for.
Modelling with expert systems. Expert systems Modelling with expert systems Coaching modelling with expert systems Advantages and limitations of modelling.

Modelling with expert systems. Expert systems Modelling with expert systems Coaching modelling with expert systems Advantages and limitations of modelling.
Operating System Security

Operating System Security
1 Authorization XACML – a language for expressing policies and rules.

1 Authorization XACML – a language for expressing policies and rules.
Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.

Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.

XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.
An authorization control framework to enable service composition Takashi Suzuki, Randy H. Katz EECS Department University of California, Berkeley {tsuzuki,

An authorization control framework to enable service composition Takashi Suzuki, Randy H. Katz EECS Department University of California, Berkeley {tsuzuki,
NaLIX: A Generic Natural Language Search Environment for XML Data Presented by: Erik Mathisen 02/12/2008.

NaLIX: A Generic Natural Language Search Environment for XML Data Presented by: Erik Mathisen 02/12/2008.
ReQuest (Validating Semantic Searches) Norman Piedade de Noronha 16 th July, 2004.

ReQuest (Validating Semantic Searches) Norman Piedade de Noronha 16 th July, 2004.
Distributed Collaborations Using Network Mobile Agents Anand Tripathi, Tanvir Ahmed, Vineet Kakani and Shremattie Jaman Department of computer science.

Distributed Collaborations Using Network Mobile Agents Anand Tripathi, Tanvir Ahmed, Vineet Kakani and Shremattie Jaman Department of computer science.
XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.

XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.
1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth.

1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth.
Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.

Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.
System Design/Implementation and Support for Build 2 PDS Management Council Face-to-Face Mountain View, CA Nov 30 - Dec 1, 2011 Sean Hardman.

System Design/Implementation and Support for Build 2 PDS Management Council Face-to-Face Mountain View, CA Nov 30 - Dec 1, 2011 Sean Hardman.
Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.

Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.
XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.

XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.
XACML 2.0 in the Enterprise: Use- Cases and Deployment Challenges Prateek Mishra, Frank Villavicencio, Rich Levinson Oracle Identity Management Group 02/07/2006.

XACML 2.0 in the Enterprise: Use- Cases and Deployment Challenges Prateek Mishra, Frank Villavicencio, Rich Levinson Oracle Identity Management Group 02/07/2006.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

Similar presentations

Ads by Google