ABSTRACT
Authorization policy authoring has required tools from the start. With access policy governance now an executive-level responsibility, it is imperative that such a tool expose the policy to business users, with little or no IT intervention, as natural language. NIST SP 800-162 [1] first prescribes natural language policies (NLPs) as the preferred expression of policy and then implicitly calls for automated translation of NLPs into machine-executable code. This paper therefore proposes an interoperable model for the human expression of an NLP. It furthermore documents the research and development of a tool set for end-to-end authoring and translation. This R&D journey, focused constantly on end users, has debunked certain myths, has responded to steadily increasing market sophistication, has applied formal disciplines (e.g. ontologies, grammars and compiler design), and has motivated an informal demonstration of autonomic code generation. The lessons learned should be of practical value to the entire ABAC community. The research in progress (increasingly complex policies, proactive rule analytics, and expanded NLP authoring language support) will require collaboration with an ever-expanding technical community from industry and academia.
REFERENCES
1. NIST Special Publication 800-162: http://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf
2. XACML: A No-Nonsense Developer's Guide: http://www.idevnews.com/stories/57
3. FICAM Roadmap and Implementation Guidance v2.0: https://www.idmanagement.gov/IDM/servlet/fileField?entityId=ka0t0000000TNNBAA4&field=File__Body__s
4. Semantics of Business Vocabulary and Rules (SBVR): http://www.omg.org/spec/SBVR/Current
5. An interactive demo of the XpressRules Policy Studio is available at http://abac.xpressrules.com/ABAC_Studio.html
6. J.R. Cordy, "The TXL Source Transformation Language", Science of Computer Programming 61(3), August 2006, pp. 190-210.
7. Witt, G. 2012. Writing Effective Business Rules: A Practical Method. Elsevier (Morgan Kaufmann), Waltham, MA.
8. Based on the example at https://www.macs.hw.ac.uk/~pjbk/pathways/cpp1/node99.html
9. Final example derived by multiple contributors at this site: http://www.cplusplus.com/forum/beginner/25622/
Index Terms
- Proposed Model for Natural Language ABAC Authoring