XML Access Control
From XACL to XACML...
Since the XACL technology was made public in the fall of 2000, we have regularly updated the XACL specification. OASIS (Organization for the Advancement of Structured Information Standards) created the XACML (eXtensible Access Control Markup Language) technical committee in April 2001, and the XACL authors have been involved in that standardization.
The next release will provide an XACML standard-based implementation. Stay tuned, folks!
XACL
XML Access Control aims at providing XML documents with a sophisticated access
control model and access control specification language. With this access control technology,
the access control policies control how an XML document appears. The policies also ensure that the document is securely updated
as specified by the security programmer.
Suppose there is an online catalog document written in XML that
lists available goods sold on the Internet. Consider an access control
policy such that only premium members can view the special discount price
information in the document. When a regular member views the catalog, any
information provided for the premium members should be hidden. XML access
control is capable of specifying such fine-grained access control policies for
XML documents.
XML Access Control Language
XML Access Control Language (XACL) is an access control policy specification
language that is a primary component of XML Access Control technology.
Similar to existing policy languages, XACL is a language oriented around
triplets of object, subject, and action. The subject primitive allows user IDs,
groups and/or role names. The granularity of object reference is as fine as
a single element within an XML document. The action primitive consists of four kinds
of actions: read, write, create, and delete. Moreover, XACL provides the notion
of provisional actions, that is, provisions attached to the access decision.
Suppose a log provisional action is specified in the access control rule
"Alice is allowed to read the salary field". This basically means,
"Alice is allowed to read the salary field, provided the access is
logged." The provisional authorization model provides more flexibility in
specifying access control policies than is possible with traditional
object-subject-action based semantics. The XML Access Control package includes three simple
examples and four sample applications in order to show the expressiveness of
the XACL access control language.
Figure 1 shows the architecture of the provisional authorization model. We have two main modules: an access evaluation module and a request execution module. Given an access request to execute an action for a target XML document, an associated policy is enforced as follows:
Step 1: An initiator submits an access request including a target node (i.e., an element or an attribute in the target XML document), a subject (i.e., the initiator's identity and its roles), and an action (read, write, create, or delete). When the initiator desires to play a role in a transaction, it will be assigned by some role assignment mechanism, which is out of scope of XACL.
Step 2: The access request is evaluated according to the policy (written in XACL) and the status associated with the target XML document in the access evaluation module, which is allowed to access not only the policies but also the entire target document. The access decision includes not only a one-bit answer ("grant" or "deny") but also any provisional actions.
Step 3: The request is executed in the request execution module, where both the requested action and provisional actions specified in the access decision are executed. The target document is updated when the requested action is "write", "create" or "delete". The associated status may be updated.

Figure 1. Authorization Architecture
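The three steps above, applied to the catalog scenario, as an added Python sketch (not the XACL package's code and not XACL policy syntax). The rule tuples, the sample catalog, the role names and the choice to deny when a provisional action has no handler are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample target document (not from the XACL package).
CATALOG = """<catalog>
  <item><name>Widget</name><price>100</price><discount>80</discount></item>
</catalog>"""

# Illustrative rules: (subject role, action, target path, permission, provisional actions).
RULES = [
    ("member",  "read", "item/name",     "grant", []),
    ("member",  "read", "item/price",    "grant", []),
    ("premium", "read", "item/discount", "grant", ["log"]),
    ("partner", "read", "item/discount", "grant", ["encrypt"]),  # no handler below
]

# Provisional actions the request execution step knows how to carry out.
PROVISIONS = {"log": lambda audit_log, entry: audit_log.append(entry)}

def evaluate(roles, action, path):
    """Step 2: access evaluation. Returns (decision, provisional actions)."""
    for role, act, target, permission, provisions in RULES:
        if role in roles and act == action and target == path:
            return permission, list(provisions)
    return "deny", []  # no matching rule: deny by default (assumption)

def execute_read(doc, user, roles, audit_log):
    """Step 3: request execution. Builds the subject's view of the document."""
    view = ET.fromstring(doc)
    for item in view.findall("item"):
        for child in list(item):
            path = "item/" + child.tag
            # Step 1: the request is (target node, subject, action).
            decision, provisions = evaluate(roles, "read", path)
            # A grant holds only if every attached provision can be carried out.
            granted = decision == "grant" and all(p in PROVISIONS for p in provisions)
            if granted:
                for p in provisions:
                    PROVISIONS[p](audit_log, (user, "read", path))
            else:
                item.remove(child)  # hidden from this subject's view
    return view

if __name__ == "__main__":
    log = []
    print(ET.tostring(execute_read(CATALOG, "bob", {"member"}, log), encoding="unicode"))
    print(ET.tostring(execute_read(CATALOG, "alice", {"member", "premium"}, log), encoding="unicode"))
    print(log)
```
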
- Guide to install and use this package
NOTE:
- Examples with namespace:
- Examples with group and role hierarchies:
See Example 2 for examples of propagation along group and role hierarchies.
Our idea is described in the following papers in more detail.
- M. Kudo and S. Hada, "XML Document Security based on Provisional Authorization,"
7th ACM Conference on Computer and Communication Security (CCS 2000), Nov. 2000.
- M. Kudo and S. Hada, "Access Control Model with Provisional Actions,"
IEICE Trans. Fundamentals, Vol. E84-A, No. 1, 2001.
- S. Jajodia, M. Kudo, and V. S. Subrahmanian, "Provisional Authorization,"
Workshop on Security and Privacy in E-Commerce (WSPEC), Nov. 2000.
- FAQ about XACL and the Visual Test Tool
- Tips for better using our XACL implementation.
See also Changes in the XACL language specification
- 2002.04.19
- 1. Extended propagation processing (The syntax of the property element is updated).
- 2. Supported the subject hierarchy.
- 3. Corrected Schema errors (The four schemas were merged into a single schema).
- 2001.08.30
- 1. Moved to Xalan 2.
- 2. Attribute-wise access control is supported. Added an example for this.
- 3. Changed the APIs. In particular, the "process" method of "Processor" simply returns a decision list, but no view document. Instead, the input target document is transformed into the view.
- 2001.04.16
- Added two sample applications, digital signature and method space.
- 2001.04.03
- 1. Updated the XACL specification. In particular, the XML schema is used to define the data structure instead of the DTD.
- 2. Changed a few classes. The AccessRequestHander class is replaced by the AccessRequest class. The GroupMembership interface was removed. Instead, the format of the access request is modified so that one can specify groups in access requests.
- 2001.01.18
- Cleaned up the API documents for XACL.
- Renamed packages and classes.
- 2000.10.16
- First release
Last modified: April 22, 2002