
The OPL Access Control Policy Language

  • Conference paper
Trust, Privacy and Security in Digital Business (TrustBus 2009)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 5695)

Abstract

Existing policy languages are limited in their ability to express high-level access control principles directly and elegantly, for example history-based separation of duty [22], binding of duty [26], context constraints [24], Chinese wall properties [10], and obligations [20]. Retrofitting such features once they are required is often difficult, and the alternative is to encode the concepts with complicated, convoluted language constructs. The latter, however, is cumbersome and error-prone for the humans who administer the policies.

We present the flexible policy language OPL, which can represent a wide range of access control principles in XML directly by providing a dedicated language construct for each supported principle. It can be extended with further principles where necessary. OPL is based on a module concept, which lets it cope with the growth in language complexity that usually accompanies growing expressiveness. OPL is suitable for use in an enterprise environment, since it combines the required expressiveness with the simplicity needed for manageable administration.

This work was supported by the German Ministry of Education and Research (BMBF) as part of the project ORKA (http://www.orka-projekt.de).
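To make concrete what the abstract means by history-based separation of duty, binding of duty, context constraints, Chinese wall properties and obligations, here is a small Python model added to this page. It is a constructed illustration, not OPL syntax and not code from the paper or the ORKA project: each principle is an independent checker module evaluated against the history of permitted accesses, and a tiny engine combines them. Every name in it (Request, PolicyEngine, the purchase-order workflow, the bank datasets, the shift attribute, the notify_audit obligation) is an illustrative assumption.

```python
# Constructed illustration of the access control principles named in the abstract.
# Not OPL syntax and not code from the paper: each principle is an independent
# checker module evaluated against the history of permitted accesses.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Request:
    user: str
    action: str
    obj: str
    context: Dict[str, str] = field(default_factory=dict)  # e.g. workflow instance, shift

# A module returns a denial reason, or None when it has no objection.
Module = Callable[[Request, List[Request]], Optional[str]]

def history_sod(first: str, second: str) -> Module:
    # History-based SoD: whoever did `first` in a workflow instance may not do `second` there.
    def check(req: Request, history: List[Request]) -> Optional[str]:
        inst = req.context.get("instance")
        done = any(p.action == first and p.user == req.user and p.context.get("instance") == inst for p in history)
        return f"SoD: {req.user} already performed {first} in {inst}" if req.action == second and done else None
    return check

def binding_of_duty(first: str, second: str) -> Module:
    # Binding of duty: `second` must be done by the same user who did `first` in that instance.
    def check(req: Request, history: List[Request]) -> Optional[str]:
        if req.action != second:
            return None
        inst = req.context.get("instance")
        doers = {p.user for p in history if p.action == first and p.context.get("instance") == inst}
        if not doers:
            return f"BoD: {first} not yet performed in {inst}"
        return None if req.user in doers else f"BoD: {second} in {inst} is bound to {sorted(doers)}, not {req.user}"
    return check

def context_constraint(key: str, allowed: Set[str]) -> Module:
    # Context constraint: a request context attribute must hold one of the allowed values.
    def check(req: Request, history: List[Request]) -> Optional[str]:
        value = req.context.get(key)
        return None if value in allowed else f"Context: {key}={value!r} not in {sorted(allowed)}"
    return check

def chinese_wall(dataset_of: Dict[str, str], cls_of: Dict[str, str]) -> Module:
    # Chinese wall: after touching one company's dataset, a user may not touch a competing one in the same class.
    def check(req: Request, history: List[Request]) -> Optional[str]:
        ds = dataset_of.get(req.obj)
        if ds is None:
            return None  # object is outside every wall
        for p in history:
            pds = dataset_of.get(p.obj)
            if p.user == req.user and pds and pds != ds and cls_of[pds] == cls_of[ds]:
                return f"Chinese wall: {req.user} already accessed {pds}, which conflicts with {ds}"
        return None
    return check

class PolicyEngine:
    """Deny if any module objects; otherwise permit, attach the action's obligations and record the access."""
    def __init__(self, modules: List[Module], obligations: Dict[str, List[str]]):
        self.modules, self.obligations, self.history = modules, obligations, []

    def decide(self, req: Request) -> Tuple[bool, str, List[str]]:
        for module in self.modules:
            reason = module(req, self.history)
            if reason:
                return False, reason, []
        self.history.append(req)  # only permitted accesses become history
        return True, "permit", list(self.obligations.get(req.action, []))

def build_demo_engine() -> PolicyEngine:
    # Sample policy (constructed): a purchase-order workflow plus two competing banks.
    dataset_of = {"bankA/ledger": "bankA", "bankB/ledger": "bankB"}
    cls_of = {"bankA": "banking", "bankB": "banking"}
    modules = [
        context_constraint("shift", {"day"}),
        history_sod("create_order", "approve_order"),
        binding_of_duty("approve_order", "release_payment"),
        chinese_wall(dataset_of, cls_of),
    ]
    return PolicyEngine(modules, {"release_payment": ["notify_audit"]})

def run_demo() -> List[str]:
    engine = build_demo_engine()
    po = {"instance": "po-1", "shift": "day"}
    requests = [  # constructed request sequence; comments name the principle exercised
        Request("alice", "create_order", "po-1", po),
        Request("alice", "approve_order", "po-1", po),                      # denied: SoD
        Request("bob", "approve_order", "po-1", {**po, "shift": "night"}),  # denied: context
        Request("bob", "approve_order", "po-1", po),
        Request("carol", "release_payment", "po-1", po),                    # denied: BoD
        Request("bob", "release_payment", "po-1", po),                      # permit + obligation
        Request("bob", "read", "bankA/ledger", {"shift": "day"}),
        Request("bob", "read", "bankB/ledger", {"shift": "day"}),           # denied: Chinese wall
    ]
    out = []
    for r in requests:
        ok, reason, obligations = engine.decide(r)
        out.append(f"{r.user} {r.action} {r.obj}: {'PERMIT ' + ' '.join(obligations) if ok else 'DENY ' + reason}".rstrip())
    return out
```

Calling `run_demo()` walks the sequence and returns one decision line per request. The point the abstract makes becomes visible in the code: separation of duty, binding of duty and the Chinese wall cannot be decided from the request alone, they need the history of earlier permitted accesses, which is exactly what a stateless rule language has no natural construct for, while the context constraint is a pure predicate on the request and the obligation is not a decision at all but a duty handed back to the enforcement point.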

References

  1. The ORKA Project Homepage, http://www.orka-projekt.de/index-en.htm

  2. Alm, C.: An Extensible Framework for Specifying and Reasoning About Complex Role-Based Access Control Models. Technical Report MIP-0901, Department of Informatics and Mathematics, University of Passau, Germany (2009)

  3. Alm, C., Drouineaud, M.: Analysis of Existing Policy Languages. Technical report, ORKA Consortium (2007), http://www.orka-projekt.de/download/del-ap2.3-requirements-policy-language.pdf

  4. Alm, C., Drouineaud, M., Faltin, U., Sohr, K., Wolf, R.: On Classifying Authorization Constraints Approaches. Technical report, ORKA Consortium (2006), http://www.orka-projekt.de/download/del-ap2.1-authorization-constraints.pdf

  5. Alm, C., Wolf, R.: The Definition of the OPL Access Control Policy Language. Technical Report MIP-0902, Department of Informatics and Mathematics, University of Passau, Germany (2009)

  6. Anderson, A.: XACML Profile for Role Based Access Control (RBAC) (2004)

  7. Bandara, A.: A Formal Approach to Analysis and Refinement of Policies. PhD thesis (2005)

  8. Bertino, E., Bonatti, P., Ferrari, E.: TRBAC: A Temporal Role-based Access Control Model. In: Proc. of the 5th ACM Workshop on Role-Based Access Control, July 26–27, pp. 21–30. ACM Press, New York (2000)

  9. Bhatti, R., et al.: X-GTRBAC: An XML-based Policy Specification Framework and Architecture for Enterprise-wide Access Control. ACM TISSEC 8(2), 187–227 (2005)

  10. Brewer, D., Nash, M.: The Chinese Wall Security Policy. In: Proc. of the IEEE Symposium on Security and Privacy, pp. 206–214 (1989)

  11. Chiasson, S., Biddle, R., Somayaji, A.: Even Experts Deserve Usable Security: Design Guidelines for Security Management Systems. In: Workshop on Usable IT Security Management, USM 2007 (2007)

  12. Damianou, N.: A Policy Framework for Management of Distributed Systems. PhD thesis, University of London (2002)

  13. Damianou, N., Dulay, N., Lupu, E.C., Sloman, M.: The Ponder Policy Specification Language. In: Sloman, M., Lobo, J., Lupu, E.C. (eds.) POLICY 2001. LNCS, vol. 1995, pp. 18–28. Springer, Heidelberg (2001)

  14. Fernandez, E.B., Pernul, G., Larrondo-Petrie, M.M.: Patterns and Pattern Diagrams for Access Control. In: Furnell, S.M., Katsikas, S.K., Lioy, A. (eds.) TrustBus 2008. LNCS, vol. 5185, pp. 38–47. Springer, Heidelberg (2008)

  15. Ferraiolo, D., Sandhu, R., Gavrila, S., Kuhn, D., Chandramouli, R.: Proposed NIST Standard for Role-Based Access Control. ACM TISSEC 4(3) (2001)

  16. Ferraiolo, D.F., Kuhn, D.R., Chandramouli, R.: Role-Based Access Control. Computer Security Series. Artech House, Boston (2003)

  17. Kowalski, R., Sergot, M.: A Logic-based Calculus of Events. New Gen. Comput. 4(1), 67–95 (1986)

  18. Lorch, M., et al.: First Experiences Using XACML for Access Control in Distributed Systems. In: Proc. of the ACM Workshop on XML Security (2003)

  19. Lupu, E.C., Sloman, M.: Conflicts in Policy-Based Distributed Systems Management. IEEE Trans. Softw. Eng. 25(6), 852–869 (1999)

  20. Moses, T.: eXtensible Access Control Markup Language (XACML) Version 2.0. OASIS Standard (2005)

  21. Mustafa, T., et al.: Implementing Advanced RBAC Administration Functionality with USE. In: Proc. of the 8th Int. Workshop on OCL Concepts and Tools (2008)

  22. Schaad, A., Lotz, V., Sohr, K.: A Model-checking Approach to Analysing Organisational Controls. In: Proc. of the 11th ACM SACMAT, pp. 139–149 (2006)

  23. Smith, G.: The Object-Z Specification Language. Springer, Heidelberg (2000)

  24. Strembeck, M., Neumann, G.: An Integrated Approach to Engineer and Enforce Context Constraints in RBAC Environments. ACM TISSEC 7(3) (2004)

  25. Sun Microsystems, Inc.: http://sunxacml.sourceforge.net/

  26. Wainer, J., et al.: W-RBAC - A Workflow Security Model Incorporating Controlled Overriding of Constraints. Int. J. Cooperative Inf. Syst. 12(4), 455–485 (2003)

  27. Zurko, M., Simon, R., Sanfilippo, T.: A User-Centered, Modular Authorization Service Built on an RBAC Foundation. In: Proc. of the IEEE Symposium on Security and Privacy, Oakland, CA, May 1999, pp. 57–71. IEEE Computer Society Press, Los Alamitos (1999)

Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

Cite this paper

Alm, C., Wolf, R., Posegga, J. (2009). The OPL Access Control Policy Language. In: Fischer-Hübner, S., Lambrinoudakis, C., Pernul, G. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2009. Lecture Notes in Computer Science, vol 5695. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-03748-1_14

  • DOI: https://doi.org/10.1007/978-3-642-03748-1_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-03747-4

  • Online ISBN: 978-3-642-03748-1
