Research Article
Towards a Secure and Borderless Collaboration between Organizations: An Automated Enforcement Mechanism
Samira Haguouche and Zahi Jarir
LISI Laboratory, Faculty of Sciences Semlalia, Cadi Ayyad University, Marrakech, Morocco
Correspondence should be addressed to Samira Haguouche; shaguoucheucama
Received 13 July 2018; Accepted 4 October 2018; Published 21 October 2018
Academic Editor: Kuo-Hui Yeh
Copyright © 2018 Samira Haguouche and Zahi Jarir. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
During the last decade, organizations have been more and more aware of the benefits of engaging in collaborative activities. To attain a required collaborative objective, they are obligated to share sensitive resources such as data, services, and knowledge. However, sharing sensitive and private resources and exposing them for external usage may prevent the organizations involved from collaborating. Therefore, this usage requires more preoccupation with security issues. Access control is one of these required security concerns. Several access control models are defined in the literature, and this multitude of models creates heterogeneity of access control policies between the collaborating organizations. In this paper, we propose Access Control in Cross-Organizational coLLABoration (ACCOLLAB), a solution for automatic mapping between heterogeneous access control policies in cross-organizational collaboration. To carry out this mapping, we suggest a mechanism founded mainly on XACML profiles and on a generic language derived from XACML that we define as Generic-XACML. We also formally prove that the mapping does not affect decision evaluation of policies. Thereby, the proposed contribution ACCOLLAB allows each collaborating organization to communicate its access control policies and adopt others' policies without affecting its existing access control systems.
1. Introduction and Motivation
Collaborative activities have received a lot of attention from organizations due to the important need to address specific and common goals, to combine knowledge, skills, and experiences, and to share resources (data, services, knowledge, and/or expertise) to meet a particular task. To succeed in such collaboration, the involved actors must first trust each other and communicate effectively to overcome the obstacles brought about by the benefits of collaboration.
During the last decade, organizations have been more and more aware of the benefits of engaging in collaborative activities. In most cases, in order to attain an ultimate objective or to answer required needs, they are obligated to share sensitive resources such as data, services, and knowledge. However, sharing sensitive and private resources, especially data and services, and exposing them for external usage may prevent the organizations involved from collaborating. Hence, the focus on protecting data privacy and security issues in interorganizational collaboration represents a crucial requirement and becomes one of the most pressing concerns. Security issues aim at guaranteeing information availability, confidentiality, integrity, authenticity, and accountability. Data privacy, known also as data protection, aims to prevent sensitive information from being leaked or breached to unauthorized parties.
Several scientific research studies in the literature have raised this challenge and identified that access control is one of the most important concerns of privacy and security. A number of access control models such as RBAC [1], TBAC [2], and ABAC [3] have been developed to address various aspects of the access control problem.
In cross-organizational collaboration, additional requirements for access control arise, like trust management, high level of privacy, interoperability, and dynamicity. Several access control solutions proposed in the literature have addressed this challenge. Some of them have proposed outright a new access control model [4, 5] or extended existing models to be suitable for cross-organizational collaboration [6, 7]. However, most of the suggested solutions require that collaborating organizations profoundly modify their existing access control models, a situation that is difficult to achieve and is impractical in heterogeneous real systems. Other works have assumed that collaborating organizations are adopting the same access control model and proposed centralized solutions like [8, 9] or distributed solutions like [10, 11] to control access across organizations. Few works have tackled the problem of heterogeneity of access control models [12–14], and none of them, to our knowledge, has given a complete solution for automatic policy mapping between heterogeneous systems that covers both syntactic and semantic transformation.
Hindawi, Security and Communication Networks, Volume 2018, Article ID 1572812, 13 pages, https://doi.org/10.1155/2018/1572812
Moreover, to enhance security interaction between organizations, we consider that enabling access control policy enforcement in the customer organization is mandatory. However, this property is not met by the evoked solutions. The need to enable provider policy enforcement by the consumer's system is motivated by multiple reasons:
(1) The need to ensure the fine-grained access control defined by the provider policy. Usually a policy specifies fine-grained constraints related to the subject who can access a resource, but when the subject is in a foreign organization, the provider would be unable to determine the capability of the subject. Therefore, we need to enforce the provider policy on the consumer side.
(2) The need to enforce context-aware constraints defined by the provider policy, when the policy specifies context constraints that could be determined only in the consumer organization.
(3) The need for a high level of trustworthiness between collaborating organizations. Usually collaboration is regulated by contracts or agreements [15]. For a consumer organization to keep a high level of trustworthiness, it should fulfill the provider policy, especially the access control policy. To do so, the consumer organization should be able to enforce the provider policy.
Reviewing the contributions presented in the literature in response to this challenge motivated us to believe in the need for a solution for collaborative access control that has the advantage to (1) tackle the heterogeneity in access control models, (2) allow automatic mapping of access control policies between collaborating organizations based on syntactic and semantic transformations, and (3) respect the legacy systems.
The aim of our contribution, ACCOLLAB, is to propose a new mechanism that ensures mapping between heterogeneous models automatically. This mechanism will help organizations to communicate their access control policies and adopt others' policies automatically without affecting the existing access control systems. In addition, we have considered both syntactic and semantic mapping to propose a complete solution. To deal with semantic mapping, we have proposed an ontology-based semantic mapping process in [16]. In this paper, we focus on syntactic mapping, for which we have given a skeleton outline in a previous work [17].
The rest of this paper is organized as follows. Section 2 exposes related work, whereas Section 3 describes the mechanism of automatic mapping between access control models by means of XACML profiles and a proposed language, Generic-XACML. In Section 4, we show in detail how to map from XACML profiles to our Generic-XACML, while Section 5 is dedicated to presenting the reverse mapping. Finally, we conclude in Section 6.
2. Related Work on Access Control in Cross-Organizational Collaboration
In the literature, several contributions have addressed the problem of access control in cross-organizational collaboration. Some of them have proposed outright a new access control model or extended existing models to be suitable for cross-organization collaboration. While the majority of works have assumed in their approaches that collaborating organizations are adopting the same access control model, in order to propose architectures, frameworks, or solutions to control access across organizations, few works have tackled the problem of heterogeneity of access control models, and none of them has given a complete automatic solution for policy mapping between heterogeneous systems. To better organize this section, we introduce three cases as follows. Case 1: proposition of a new access control model or extending an existing one. Case 2: solutions to control access across organizations adopting the same access control model. Case 3: approaches tackling the interoperability between heterogeneous models.
2.1. Case 1: Proposition of New Access Control Model or Extending an Existing One. Some works define a new access control model or extend existing models in order to be suitable for cross-organization collaboration.
OrBAC [4] is an example of innovative models, which is centered on the concept of Organization. Each access control policy is defined for and by an organization. OrBAC defines the notions of role, view, and activity, which refer to subject, object, and action, respectively, from the perspective of an organization, and includes also the notion of context. Using these concepts, policies are defined homogeneously in all collaborating organizations.
Authors in [18] propose a federated capability-based access control (FedCAC) system to tackle the challenges of access control for heterogeneous devices over IoT. They propose the delegation of domain-specific access control policies and identity management tasks from the centralized Policy Decision making Center (PDC) to fog computing nodes called coordinators. Authors in this work consider one homogeneous definition of access control policies, which are then synchronized among the PDC and coordinators.
Reference [6] is another example that extends the RBAC model with new concepts required for collaborative environments in both intra- and interorganizations. Authors of that paper propose a generic access control ontology and a framework supporting administration and enforcement. The proposed model has been specified to protect data access in intra- and interorganizational collaboration, but it focuses on organizations using only the RBAC model and excludes other models.
Policies in these works will be defined in the same way for all collaborating organizations. Access requests will be homogeneous with enforcement mechanisms of the collaborating organizations. Meanwhile, adopting a new access control model requires rebuilding the whole access control system of collaborating organizations, which is impractical and sometimes refused by organizations.
2.2. Case 2: Solutions to Control Access across Organizations Adopting the Same Access Control Model. Many works have proposed solutions for access control in cross-organizational collaboration where all organizations adopt the same model (ABAC and RBAC are the most used). While reviewing the most interesting contributions, we have concluded that two main architectures are proposed: centralized architecture and distributed architecture.
2.2.1. Centralized Architecture. The work [8] proposes a centralized architecture for access control across organizations, where each collaborating organization defines policies associated with its shared resources. Then these policies are managed by a coordination organization depending on each collaboration incident and enforced by centralized components based on the ABAC model.
Authors in [9] propose a Multiple-Policy supported Attribute-Based Access Control model (MPABAC) with a centralized architecture. This model extends the traditional ABAC model by providing cross-domain authentication and authorization. They propose a priority description to combine policies among multiple domains and adopt a hierarchical structure for policy enforcement.
Authors in [19] address the issues of combining multiple XACML policies in cross-organizational collaboration. They present a policy combination architecture that consists of classifying the rules based on attribute constraints in each policy of the collaborating organizations and then reducing the rules of the corresponding classes to one with the same attribute constraints. The reduced rules are then combined into a new global policy by choosing the appropriate rule combining algorithm.
This kind of contribution proposes centralized solutions for access control in cross-organizational collaboration, assuming that all collaborating organizations are using the same access control model. So they try to find a way to combine the access control policies of collaborating organizations or to combine access control decisions.
2.2.2. Distributed Architecture. The work [10] proposes a policy distribution and synchronization schema for an IoT environment. It is based on a virtual channels technique for the propagation and synchronization of policies across different domains in real time. The paper presents a mechanism to dynamically enforce and propagate policies across heterogeneous domains. However, it does not consider the heterogeneity of the policies themselves, which can be expressed in different ways according to each domain. It considers only the ABAC model and assumes that no heterogeneity exists in policy definitions among different organizations.
Authors in [11] proposed a distributed access control architecture to address authorization issues across multiple clouds. The architecture is based on a service-level agreement (SLA) component to allow peer-to-peer interoperation. SLA performs role mapping and evaluates policy constraints defined in a mediated SLA policy. This mediated policy is defined using an RBAC XML-based declaration. Authors propose a solution for interoperability in multiple clouds collaboration, assuming all clouds are adopting the same access control model, RBAC.
Authors in [20] adapt and implement RBAC for a multidomain grid access control. Their approach includes an architecture for cross-domain role mapping based on a role ranking mechanism. Authors consider only RBAC. Additionally, this approach is not suitable for fine-grained authorization.
Authors in [21] address access control in dynamic cross-enterprise collaborations by proposing a framework for attribute and policy reconciliation where attribute definitions or their interpretations are not standardized. The framework externalizes domain knowledge in order to dynamically infer attribute relationships during the evaluation of authorization decisions. Authors in this paper address the interoperability challenge for access control in cross-enterprise collaborations, but they only consider the ABAC model.
Even though these works give interesting solutions to manage access control in cross-organizational collaboration, they do not consider heterogeneity in the access control models adopted by collaborating organizations.
2.3. Case 3: Approaches Tackling the Interoperability between Heterogeneous Models. An interesting work [22] proposed an ontological approach to deal with the interoperability between heterogeneous access control models by matching different ontologies that describe the diverse access control models of the interconnected organizations. Yet authors focus on access control for cloud data storage when integrating heterogeneous organizations, which makes it useless in a cross-organizational collaboration with segregated systems.
Authors in [12] address the heterogeneity problem of access control models across collaborating organizations. They proposed an equivalent based access collaboration model (EABC) to protect shared resources. This model covers multiple domains that are adopting different access control models and is based on defining equivalent access, which involves entity mapping and entity linking relationships. They propose a formal definition of policy mapping across organizations. Unfortunately, they do not give any details about the mapping process.
Reference [13] proposed an enforcement architecture that evaluates the possibility of potential cross-domain policy deployment through model-driven mapping and translation, using ontology-based mapping and query-based mapping. The paper presented a solution similar to ours. Meanwhile, it focuses on defined logical models representing common operation rules to ensure the semantic mapping. However, each logical model is defined by domain administrators, which can generate heterogeneity in the logical models themselves.
Figure 1: Architecture of policy mapping in cross-organizational collaboration. (Diagram labels: Access Control Mechanism in the Provider Organization (RBAC Model), RBAC-Policy Store, Requestee; Access Control Mechanism in the Consumer Organization (ABAC Model), ABAC-Policy Store, Requestor, Request; PEP, PDP, and PAP on each side; C Policy; Policy mapping; Generic XACML Policy.)
The paper [14] analyzed the common knowledge of access control models and proposed an ontology-based model which can describe different access control models. This work gives a formal description of access control ontologies and proposes a connection algorithm which is based on access ontology. However, neither details about the connection algorithm nor the mechanism of mapping between organizations' policies are provided, given that each collaborating organization adopts its own access control mechanism.
These evoked contributions tackle the problem of access control in cross-organizational collaboration where each collaborating organization adopts a different access control model. Unfortunately, none of them gives a complete solution using syntactic and semantic transformations.
This motivates us to come up with a solution characterized by:
(1) Respect of legacy systems
(2) Automatic policy mapping between collaborating organizations based on syntactic and semantic transformations
(3) Tackling the heterogeneity in access control models
3. Our Proposed Mechanism of Automatic Mapping between Heterogeneous Models
Our current contribution aims to suggest a solution for Access Control in Cross-Organizational coLLABoration (ACCOLLAB) that respects the legacy systems of each organization in the collaboration and aims to enable the enforcement of providers' policies in the consumers' organizations. Figure 1 shows an example of two collaborating organizations using heterogeneous access control systems. The provider organization that offers a requestee (e.g., service, resource, data, ...) defines a policy using the RBAC model and enforces access control using an adequate mechanism. So the consumer organization, which uses the ABAC model and enforces access control using a different mechanism, should be able to read the provider's policy and enforce it using its own access control mechanism. Thus we propose a mechanism for automatic policy mapping between organizations adopting heterogeneous access control models.
The automatic policy mapping involves two transformations: syntactic transformations that concern the form of the policy, which is our focus in this paper, and semantic correspondences, which we tackled in the previous contribution [16], where we relied on a generic representation of access control concepts and proposed an ontology-based semantic mapping.
Thus we assume in this paper that every single constraint in an access control policy expressed in an access control model has a semantically corresponding constraint in any other model, and we focus on automatic mapping between models in terms of policy definition.
To ensure an effective mapping, we use XACML as an intermediate policy definition language for mapping. The motivation behind this choice is that XACML can be used to implement any access control model and that a number of XACML profiles are already defined.
Figure 2 depicts the global architecture of the mapping. To be able to map from a policy written according to a particular model to another model (e.g., RBAC model to ABAC model), we resort to XACML profiles as an intermediate language. So we define a high-level syntax of XACML that we call Generic-XACML (detailed in Section 3.3). From this syntax we can switch to any XACML profile, and thereafter it will be translated to the target policy language, which is specific to the model.
Our solution is distributed, but unlike existing distributed solutions [10, 11, 20, 21], we consider heterogeneous existing access control systems adopting heterogeneous models (ABAC, RBAC, UCON, ...). Our solution will be implemented as an additional layer on top of existing access control systems: existing systems will not be changed; only policies will be automatically translated.
Figure 2: Mechanism of policy mapping between heterogeneous models. (Diagram labels: Policy in ABAC, Policy in RBAC, Policy in UCON; Translation to/from XACML profile; Policy in XACML profile for ABAC, for RBAC, for UCON; Unifying/customizing the XACML syntax; Policy in Generic-XACML.)
In the next subsections, we give an overview of XACML and XACML profiles. Then we give a definition of our Generic-XACML language.
3.1. XACML Overview. Recall that XACML (eXtensible Access Control Markup Language) [23] is a standardized access control policy and decision language based on XML. The core of XACML defines policies by hierarchical components. The root element is the PolicySet; it contains Policy and/or other PolicySet elements. A Policy element contains a set of one or more Rule elements. A Rule element contains a condition that is evaluated to either True or False. A Rule element represents a single authorization or prohibition depending on its effect, which is either Permit or Deny. XACML provides Combining Algorithms that operate to combine decisions or effects of multiple Policy or Rule elements into a single decision, via a Policy Combining Algorithm for Policy elements and via a Rule Combining Algorithm for Rule elements.
Rule, Policy, and PolicySet elements include a Target element to specify their applicability to the access control request and, optionally, an ObligationExpressions element or an AdviceExpressions element to define obligations or advice, respectively. The Target element may be empty or a conjunction of a disjunction (AnyOf elements) of a conjunction (AllOf element) of Subject, Resource, Action, and/or Environment conditions expressed as Match elements. Subject, Resource, Action, and Environment are the four attribute categories defined by XACML.
3.2. XACML Profiles
3.2.1. XACML-RBAC Profile. [24] defines a profile to meet the requirements for RBAC. The RBAC profile of XACML (XACML-RBAC) expresses a way to use the standard XACML within the RBAC model.
In this profile, each Role is defined by a PolicySet element. It contains a Target element that makes the PolicySet applicable only to Subjects having the XACML Attribute associated with the given Role. The Target element does not restrict the Resource, Action, or Environment. This Role PolicySet element contains a unique PolicySet that defines the actual Permissions associated with the Role. Such a PolicySet contains PolicySet, Policy, and Rule elements that describe the resources and actions that subjects are permitted to access, along with any further environmental conditions, such as time of day. A given Permission PolicySet may also contain references to Permission PolicySet elements associated with other Roles (hierarchy).
The Target element of a Permission PolicySet and its included or referenced PolicySet, Policy, and Rule elements must not limit the subjects to which the PolicySet is applicable.
3.2.2. XACML-UCON Profile. [25] defines a profile (XACML-UCON) for the use of XACML in expressing policies that would ensure usage control as defined in the UCON model. In this profile, Authorizations are specified by XACML Subject and XACML Resource in the Target element. Obligations are specified by XACML Condition. Conditions (the UCON concept) are specified by XACML Environment. Rights are specified by XACML Action. Continuity of usage decision will be expressed in the XACML Obligation within the Policy element. It would contain an AttributeAssignment which will specify the time interval between continuous policy re-evaluations.
Mutable Attributes are specified within XACML Obligations as XACML AttributeAssignment. The AttributeId is where the name of the mutable attribute is specified.
3.2.3. Other XACML Profiles. Other works like [26–28] define XACML profiles for Access Control List (ACL) and ABAC models. In the same way, other profiles for other models can be developed, since XACML offers the possibility to express any concept as attributes. Thus we can map any existing policy into the XACML policy language. The profile will specify the particularity of the model by specifying:
(i) The correlation between the model concepts and the categories of attributes
(ii) The categories of attributes to put in for some Target elements
(iii) The nesting of the XACML elements (specify the number of children of some elements)
(iv) The combining algorithms that are used
3.3. Generic-XACML. When organizations engage in collaboration, access control policies related to the shared Requestees (services or resources, ...) are translated to the XACML profile for the model adopted by the provider organization. Then these policies are automatically mapped to Generic-XACML and shared jointly with the requestees. Later, these policies are automatically mapped to the XACML profile for the model adopted by the consumer organization and finally translated to the consumer model. So Generic-XACML is a high-level language that serves as an intermediate for the mapping. Generic-XACML is inspired by XACML: it matches the XACML specifications for policy definition and restricts the core XACML by the following constraints:
(i) It contains a root PolicySet element with an empty Target
(ii) The root PolicySet contains exactly one nested Policy element with an empty Target as well
(iii) The Policy element contains a set of nested Rule elements and optionally a set of Obligation and/or Advice elements
Figure 3 depicts a pseudo code of the structure of a Generic-XACML policy.
In the next Sections 4 and 5, we show in more detail how to map between Generic-XACML and XACML profiles, and we prove the equivalence between policies.
Figure 3: A pseudo code of the structure of a Generic-XACML policy.
Table 1: Possible values of XACML elements.
|  | Match and Target value | Condition value | Rule, Policy, and PolicySet value |
|---|---|---|---|
| $\top$ | Match | True | Applicable (either permit or deny) |
| $\bot$ | Not match | False | Not applicable |
| $I$ | Indeterminate | Indeterminate | Indeterminate |
3.4. Policy Decision Evaluation for XACML and Generic-XACML. The Rule evaluation depends on the Target evaluation and the Condition evaluation [23]. The Target value can be either match, not match, or indeterminate. The value indeterminate can be obtained if an error occurred or some required value was missing, so a decision cannot be made.
The Condition element is a set of propositional formulae which is evaluated to either True, False, or Indeterminate. An empty Condition or an empty Target is always evaluated to True. The evaluation of a Rule element is either applicable, not applicable, or Indeterminate. An applicable Rule has effect either deny or permit. Finally, the evaluation of Policy and PolicySet elements is based on a combining algorithm, of which the result can be either applicable (with its effect either deny or permit), not applicable, or indeterminate.
In this paper, we refer to the formal XACML elements evaluation developed in [29]. In this work, the authors use a three-valued logic represented by the three symbols ($\top$, $\bot$, $I$) that correspond to XACML elements evaluation. Table 1 depicts the mapping between these three logic values and XACML elements evaluation.
In order to distinguish whether an applicable policy permits access or denies it, this three-valued logic is extended to a multivalued logic represented by the set $V_6 = \{\bot, I_d, I_p, I_{dp}, \top_d, \top_p\}$, where the subscript $d$ denotes Deny, the subscript $p$ denotes Permit, and the subscript $dp$ denotes Deny Permit.
Input: XACML profile document
Output: Generic-XACML document
Require: unified combining algorithm
Create PolicySet element with empty Target
Create Policy element with empty Target
Parse the XACML document
forall PolicySet element do
    forall Policy element do
        forall Rule element do
            Combine Rule Target with current Policy and PolicySet Targets
            Combine Rule ObligationExpressions with current Policy and PolicySet ObligationExpressions
            Combine Rule AdviceExpressions with current Policy and PolicySet AdviceExpressions
            Insert current Rule in the Generic-XACML document
Return Generic-XACML document
Algorithm 1: Mapping from one XACML profile to Generic-XACML.
4. Mapping from XACML Profiles to the Generic-XACML
In this section, we show that any policy written in an XACML profile can be mapped into our generic language. We explain how to proceed in order to map to the Generic-XACML without altering the logic of the policy and its decision evaluation. The following are the steps of transformation of the original policy written in an XACML profile.
Step 1. Unifying the combining algorithms (in our study, we focus on the case where we have the same combining algorithm in all Policy and PolicySet elements).
Step 2. Nesting the Target of the Policy and PolicySet elements into their composite Rule elements and combining them with the Rule Target, so that we obtain all Policy and PolicySet elements with an empty Target.
Step 3. Nesting of all ObligationExpression and AdviceExpression elements of the Policy and PolicySet elements into their composite Rule elements by inserting them into the ObligationExpressions element or into the AdviceExpressions element of the Rule.
Step 4. If a PolicySet is nested into another PolicySet, its Target is empty, and its combining algorithm is the same as the container PolicySet, then it will be eliminated and substituted by its content.
Step 5. In order to obtain only one Policy element, we substitute all Policy elements by one Policy element that contains the content of all nested Rules together (they must have the same combining algorithm and an empty Target).
These steps can be carried out through Algorithm 1, which allows mapping from any XACML document to a Generic-XACML document. In the next subsections, we prove that these transformations do not affect the decision evaluation of the policy.
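The following Python example is added here and is not the authors' implementation: it applies Steps 2 to 5 (Algorithm 1) to an XACML 3.0 PolicySet and then checks the three Generic-XACML constraints of Section 3.3. It assumes Step 1 already holds (mixed combining algorithms are rejected) and that no PolicySetIdReference or PolicyIdReference elements are used; the function names, the generated identifiers, the RuleId prefixing, and the abbreviated Match elements of the constructed sample are assumptions of this example.

```python
import copy
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  # XACML 3.0 core namespace
RULE_ORDER = ["Description", "Target", "Condition",
              "ObligationExpressions", "AdviceExpressions"]  # child order in a Rule

def q(tag):
    return "{%s}%s" % (NS, tag)

def alg_name(elem):
    """Last URN segment of a combining algorithm id, e.g. 'deny-overrides'."""
    uri = elem.get("PolicyCombiningAlgId") or elem.get("RuleCombiningAlgId") or ""
    return uri.rsplit(":", 1)[-1]

def items(elem, container):
    """Children of an optional container child (Target, ObligationExpressions...)."""
    node = elem.find(q(container))
    return list(node) if node is not None else []

def merge(rule, container, inherited):
    """Put copies of inherited children in front of the rule's own ones."""
    if inherited:
        node = rule.find(q(container))
        if node is None:
            node = ET.SubElement(rule, q(container))
        node[:] = [copy.deepcopy(x) for x in inherited] + list(node)

def to_generic_xacml(xml_text):
    """Steps 2-5 / Algorithm 1: flatten a PolicySet tree into Generic-XACML."""
    src = ET.fromstring(xml_text)
    alg = alg_name(src)
    first_policy = next(src.iter(q("Policy")))
    root = ET.Element(q("PolicySet"), {
        "PolicySetId": "generic-set", "Version": "1.0",      # hypothetical ids
        "PolicyCombiningAlgId": src.get("PolicyCombiningAlgId")})
    ET.SubElement(root, q("Target"))                          # empty root Target
    policy = ET.SubElement(root, q("Policy"), {
        "PolicyId": "generic-policy", "Version": "1.0",
        "RuleCombiningAlgId": first_policy.get("RuleCombiningAlgId")})
    ET.SubElement(policy, q("Target"))                        # empty Policy Target

    def walk(node, targets, obligations, advice):
        if alg_name(node) != alg:                             # Step 1 precondition
            raise ValueError("combining algorithms differ; unify them first")
        # A Target is a conjunction of AnyOf elements, so T AND Ti is the
        # concatenation of the ancestors' AnyOf children with the Rule's own.
        targets = targets + items(node, "Target")
        obligations = obligations + items(node, "ObligationExpressions")
        advice = advice + items(node, "AdviceExpressions")
        for child in node:
            if child.tag in (q("PolicySet"), q("Policy")):
                walk(child, targets, obligations, advice)
            elif child.tag == q("Rule"):
                rule = copy.deepcopy(child)
                merge(rule, "Target", targets)
                merge(rule, "ObligationExpressions", obligations)
                merge(rule, "AdviceExpressions", advice)
                rule[:] = sorted(rule, key=lambda c: RULE_ORDER.index(c.tag.split("}")[1]))
                # Keep RuleIds unique once rules of several policies are merged.
                rule.set("RuleId", "%s:%s" % (node.get("PolicyId"), rule.get("RuleId")))
                policy.append(rule)

    walk(src, [], [], [])
    return root

def generic_violations(root):
    """Return the Generic-XACML constraints (Section 3.3) that root breaks."""
    problems = []
    if root.tag != q("PolicySet") or items(root, "Target"):
        problems.append("root must be a PolicySet with an empty Target")
    nested = [c for c in root if c.tag in (q("Policy"), q("PolicySet"))]
    if len(nested) != 1 or nested[0].tag != q("Policy") or items(nested[0], "Target"):
        problems.append("root must hold exactly one Policy with an empty Target")
    else:
        allowed = {q("Target"), q("Rule"), q("ObligationExpressions"), q("AdviceExpressions")}
        if not nested[0].findall(q("Rule")) or any(c.tag not in allowed for c in nested[0]):
            problems.append("the Policy may hold only Rules, obligations and advice")
    return problems

# Constructed sample: one role PolicySet; Match bodies are abbreviated to a label.
SAMPLE = """
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicySetId="role-doctor" Version="1.0"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">
  <Target><AnyOf><AllOf><Match MatchId="role-is-doctor"/></AllOf></AnyOf></Target>
  <Policy PolicyId="records" Version="1.0"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
    <Target><AnyOf><AllOf><Match MatchId="resource-is-record"/></AllOf></AnyOf></Target>
    <Rule RuleId="read" Effect="Permit">
      <Target><AnyOf><AllOf><Match MatchId="action-is-read"/></AllOf></AnyOf></Target>
    </Rule>
    <Rule RuleId="default" Effect="Deny"/>
    <ObligationExpressions><ObligationExpression ObligationId="log" FulfillOn="Permit"/></ObligationExpressions>
  </Policy>
</PolicySet>"""

if __name__ == "__main__":
    generic = to_generic_xacml(SAMPLE)
    print(generic_violations(generic))
    print(ET.tostring(generic, encoding="unicode"))
```

Because a Target is a conjunction of AnyOf elements, pushing an ancestor Target into a Rule needs no rewriting of the match expressions; the ancestor's AnyOf children are simply prepended to the Rule's own.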
Table 2: Rules truth table.
| $T$ | $T_i$ | $C_i$ | $T \wedge T_i$ | $R_i$ | $R_i'$ |
|---|---|---|---|---|---|
| $\top$ | $-$ | $-$ | $T_i$ | $-$ | $R_i$ |
| $I$ | $\top$ or $I$ | $\top$ or $I$ | $I$ | $\top$ or $I$ | $I$ |
| $I$ | $\bot$ | $-$ | $\bot$ | $\bot$ | $\bot$ |
| $I$ | $-$ | $\bot$ | $-$ | $\bot$ | $\bot$ |
| $\bot$ | $-$ | $-$ | $\bot$ | $\bot$ | $\bot$ |
4.1. Unifying the Combining Algorithms. To carry out the above transformations without affecting the global decision evaluation, we should have the same combining algorithm in the transformed elements. However, to come up with equivalence between combining algorithms, we need to extend XACML by proposing other elements. To avoid encumbering this paper, we suppose we have the same combining algorithm in all Policy and PolicySet elements.
4.2. Policy and PolicySet Elements with an Empty Target. We prove that a Target of a Policy/PolicySet element can be nested into their composite Rule/Policy/PolicySet elements without changing the global decision evaluation, so that by repeating this transformation we obtain an empty Target for any Policy or PolicySet element.
Proof. Let $P = \langle T, R_1, \ldots, R_n, \theta \rangle$ be a representation of a Policy, where $T$ is the Policy Target, $R_i = \langle Effect, T_i, C_i \rangle$ for $i \in [1 - n]$ are $n$ nested Rules with $T_i$ the Rule Target and $C_i$ the condition for the Rule $i$, and $\theta$ is the combining algorithm.
And let $P' = \langle Null, R_1', \ldots, R_n', \theta \rangle$ be the transformed Policy, where the Target is empty and $R_i' = \langle Effect, T \wedge T_i, C_i \rangle$ for any $i \in [1 - n]$ are nested Rules, with $T \wedge T_i$ the conjunction of $T$ and $T_i$.
We base on the truth tables (Tables 2 and 3) [23] to prove that the evaluation of the Policy $P$ is the same as $P'$: $[P] = [P']$ (we use the notation $[\,]$ to express the evaluation of a Rule, Policy, or PolicySet).
8 Security and Communication Networks
Table 3: Policy truth table.

| Target | Rules | Policy |
|---|---|---|
| $\top$ | − | Combining Algo |
| $I$ | $\exists i \in [1 - n],\ R_i = \top$ or $I$ | $I$ |
| $I$ | $\forall i \in [1 - n],\ R_i = \bot$ | $\bot$ |
| $\bot$ | − | $\bot$ |
Case 1. If $T = \top$, then for any $i \in [1 - n]$, $T \wedge T_i = T_i$, so the evaluation of the nested Rules does not change, $[R_i'] = [R_i]$, and then

$$[P'] = [\langle \mathit{Null}, R_1', \ldots, R_n', \theta \rangle] = [\langle \top, R_1', \ldots, R_n', \theta \rangle] \tag{1}$$

An empty Target always matches. Then

$$[P'] = [\langle \top, R_1, \ldots, R_n, \theta \rangle] = [P] \tag{2}$$

Case 2. If $T = I$, then:

Case 2.1. If $\exists i \in [1 - n]$ such that $(T_i = I \text{ or } T_i = \top)$ and $(C_i = \top \text{ or } C_i = I)$, then $T \wedge T_i = I$. Then

$$[R_i'] = I \tag{3}$$

(because $C_i = \top$ or $C_i = I$). So

$$[P'] = [\langle \mathit{Null}, R_1', \ldots, R_n', \theta \rangle] = [\langle \top, R_1', \ldots, R_n', \theta \rangle] = \mathit{comAlg}([R_1'], \ldots, [R_n']) \tag{4}$$

($\mathit{comAlg}$ is the function that evaluates the decisions of $[R_1'], \ldots, [R_n']$ according to the combining algorithm used.)

So

$$[P'] = I \tag{5}$$

(at least one Rule evaluated to Indeterminate). On the other hand, $[R_i] = \top$ or $I$, then $[P] = I$ (Target $= I$). So

$$[P'] = [P] \tag{6}$$

Case 2.2. If for any $i \in [1 - n]$, $(T_i = \bot \text{ or } C_i = \bot)$, then for any $i \in [1 - n]$, $[R_i'] = [R_i] = \bot$.

$$[P'] = [\langle \mathit{Null}, R_1', \ldots, R_n', \theta \rangle] = [\langle \top, R_1', \ldots, R_n', \theta \rangle] = \bot \tag{7}$$

And

$$[P] = [\langle I, R_1, \ldots, R_n, \theta \rangle] = \bot = [P'] \tag{8}$$
Table 4: PolicySet truth table.

| Target | Policy or PolicySet | PolicySet |
|---|---|---|
| $\top$ | − | Combining Algo |
| $I$ | $\exists i \in [1 - n],\ P_i = \top$ or $I$ | $I$ |
| $I$ | $\forall i \in [1 - n],\ P_i = \bot$ | $\bot$ |
| $\bot$ | − | $\bot$ |
Case 3. If $T = \bot$, then for any $i \in [1 - n]$, $T \wedge T_i = \bot$. So for any $i \in [1 - n]$, $[R_i'] = \bot$ and $[R_i] = \bot$. Then

$$[P'] = [\langle \mathit{Null}, R_1', \ldots, R_n', \theta \rangle] = [\langle \top, R_1', \ldots, R_n', \theta \rangle] = \mathit{comAlg}([R_1'], \ldots, [R_n']) = \bot \tag{9}$$

And

$$[P] = [\langle \bot, R_1, \ldots, R_n, \theta \rangle] = \bot = [P'] \tag{10}$$

The same reasoning applies to a PolicySet composed of a set of Policies or PolicySets, with the truth table in Table 4.
4.3. Policy and PolicySet Elements with No Obligation or Advice Elements. Obligation and Advice are operations that must be fulfilled in conjunction with an authorization decision (permit or deny authorization decision). ObligationExpression or AdviceExpression elements may optionally be added in Rule, Policy, or PolicySet elements.

Obligation and Advice do not affect the access decision, but they are fulfilled when the access decision is equal to the value specified in the FulfillOn attribute for the Obligation element and the AppliesTo attribute for the Advice element.

So, since Obligation and Advice do not affect the access decision, we can nest them into the nested Rule elements. This results in redundancy in ObligationExpression and AdviceExpression elements, but it will be overcome when mapping to another XACML profile.

4.4. Substitute Nested PolicySet Elements by Their Contents. Generic-XACML is based on XACML but defines a specific tree structure of the elements. It contains a root PolicySet with an empty Target and a nested Policy element that has an empty Target as well and a set of nested Rule elements. In Section 4.2, we have proved that a Target of a Policy/PolicySet can be nested into its composite Rules/Policies/PolicySets without changing the global decision evaluation. In this section, we prove that if a PolicySet is nested into another PolicySet, its Target is empty, and its combining algorithm is the same as that of the container PolicySet, then it can be eliminated and substituted by its contents, as illustrated in Figure 4.

Proof. Let $CPS$ be the container PolicySet element and $NPS_i$, with $i \in [1 - n]$, be its nested PolicySet elements. All of the container and nested PolicySet elements have an empty Target.
Figure 4: Substitute nested PolicySet elements by their contents.
$\mathit{comAlg}$ is the function that evaluates a set of decisions according to the combining algorithm used. Then the decision evaluation of the $CPS$ is

$$[CPS] = \mathit{comAlg}([NPS_1], \ldots, [NPS_n]) \tag{11}$$

And

$$[NPS_i] = \mathit{comAlg}([P_{i1}], \ldots, [P_{im_i}]) \quad \text{for any } i \in [1 - n] \tag{12}$$

$P_{i1}, \ldots, P_{im_i}$ are the nested policies for the PolicySet $NPS_i$ and $m_i$ is their number.

Let us prove that

$$[CPS] = \mathit{comAlg}([P_{11}], \ldots, [P_{1m_1}], \ldots, [P_{n1}], \ldots, [P_{nm_n}]) \tag{13}$$

We use the multivalued approach presented in [29], where they define for each combining algorithm a lattice $(V_6, \le_{CA})$, where $V_6$ is the set $\{\bot, I_d, I_p, I_{dp}, \top_d, \top_p\}$ and the ordering $\le_{CA}$ is defined according to the combining algorithm specification.

So the combining algorithm function applied to a set $S$ of $V_6$ is the least upper bound, the supremum ($\sup$), of $S$.

Then

$$[CPS] = \sup([NPS_1], \ldots, [NPS_n]) = \sup(\sup([P_{11}], \ldots, [P_{1m_1}]), \ldots, \sup([P_{n1}], \ldots, [P_{nm_n}])) \tag{14}$$

If we have the same combining algorithm (the same ordering) for every $NPS_i$, then

$$\sup(\sup([P_{11}], \ldots, [P_{1m_1}]), \ldots, \sup([P_{n1}], \ldots, [P_{nm_n}])) = \sup([P_{11}], \ldots, [P_{1m_1}], \ldots, [P_{n1}], \ldots, [P_{nm_n}]) \tag{15}$$

Then

$$[CPS] = \sup([P_{11}], \ldots, [P_{1m_1}], \ldots, [P_{n1}], \ldots, [P_{nm_n}]) \tag{16}$$

So if we eliminate all nested PolicySet elements and substitute them by their nested Policy elements, the decision evaluation does not change.
4.5. Merging All Policy Elements into One Policy. Now we prove that all nested Rules can be merged into only one Policy element if all Policy elements have the same combining algorithm. We show that this transformation does not affect the decision evaluation of the container PolicySet.

Proof. Let $CPS$ be the container PolicySet, $NP_i$ for $i \in [1 - n]$ be the nested Policy elements, and $NP$ the resulting nested Policy. All of these elements (the container PolicySet, the nested policies, and the resulting Policy) have an empty Target and the same combining algorithm.

The evaluations of $CPS$, $NP_i$, and $NP$ are

$$[CPS] = \mathit{comAlg}([NP_1], \ldots, [NP_n]) \tag{17}$$

$[NP_i] = \mathit{comAlg}([R_{i1}], \ldots, [R_{im_i}])$ for any $i \in [1 - n]$, where $R_{i1}, \ldots, R_{im_i}$ are the nested Rules for the Policy $NP_i$.

$$[NP] = \mathit{comAlg}([R_{11}], \ldots, [R_{1m_1}], \ldots, [R_{n1}], \ldots, [R_{nm_n}]) \tag{18}$$

We prove that

$$[CPS] = [NP] \tag{19}$$

If we follow the same reasoning as above and we suppose we have the same combining algorithm for all policies (the same ordering), we can prove that

$$[CPS] = \sup([NP_1], \ldots, [NP_n]) = \sup(\sup([R_{11}], \ldots, [R_{1m_1}]), \ldots, \sup([R_{n1}], \ldots, [R_{nm_n}])) = \sup([R_{11}], \ldots, [R_{1m_1}], \ldots, [R_{n1}], \ldots, [R_{nm_n}]) = [NP] \tag{20}$$
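The proofs of Sections 4.2, 4.4, and 4.5 can be checked by brute force on a small model. The Python code below is an added example, not code from the paper: it encodes Tables 2 and 3, enumerates every Policy with two Rules, and compares decisions before and after each transformation. The single Indeterminate value and the three simplified combining algorithms are assumptions of this example; the last function shows why Section 4.1 requires one combining algorithm throughout.

```python
"""Exhaustive check of the Section 4 transformations on a simplified model.

Assumptions (not from the paper): decisions are the four values P, D, NA, I
(a single Indeterminate), and the three combining algorithms below are
simplified four-valued versions of their XACML namesakes.
"""
from itertools import product

TRUE, IND, FALSE = "T", "I", "F"    # match results: top, Indeterminate, bottom
PERMIT, DENY, NA = "P", "D", "NA"   # decisions; IND doubles as Indeterminate


def conj(a, b):
    """Three-valued T AND T_i as in Table 2: bottom dominates, then I."""
    if FALSE in (a, b):
        return FALSE
    return IND if IND in (a, b) else TRUE


def eval_rule(effect, target, cond):
    """Table 2: a Rule yields its Effect only if Target and Condition both hold."""
    if FALSE in (target, cond):
        return NA
    return effect if (target, cond) == (TRUE, TRUE) else IND


def deny_overrides(ds):
    return next((d for d in (DENY, IND, PERMIT) if d in ds), NA)


def permit_overrides(ds):
    return next((d for d in (PERMIT, IND, DENY) if d in ds), NA)


def first_applicable(ds):
    return next((d for d in ds if d != NA), NA)


ALGS = (deny_overrides, permit_overrides, first_applicable)


def eval_policy(target, rules, alg):
    """Table 3: rules are (effect, target, cond) triples."""
    ds = [eval_rule(*r) for r in rules]
    if target == TRUE:
        return alg(ds)
    if target == IND:
        return IND if any(d != NA for d in ds) else NA
    return NA


def push_target_down(target, rules):
    """Section 4.2: P = <T, R_1..R_n> becomes P' = <Null, R_1'..R_n'>.

    The empty Target is modelled as TRUE because it always matches.
    """
    return TRUE, [(e, conj(target, t), c) for e, t, c in rules]


def check_pushdown(n=2):
    """Return (cases, mismatches) over every Policy with n Rules."""
    values = (TRUE, IND, FALSE)
    one_rule = list(product((PERMIT, DENY), values, values))
    cases = mismatches = 0
    for alg, target, rules in product(ALGS, values, product(one_rule, repeat=n)):
        new_target, new_rules = push_target_down(target, rules)
        cases += 1
        if eval_policy(target, rules, alg) != eval_policy(new_target, new_rules, alg):
            mismatches += 1
    return cases, mismatches


def check_flattening(groups=2, size=2):
    """Sections 4.4 and 4.5: comAlg over nested results equals comAlg over the flat list."""
    cases = mismatches = 0
    for alg in ALGS:
        for flat in product((PERMIT, DENY, NA, IND), repeat=groups * size):
            nested = [alg(flat[k:k + size]) for k in range(0, len(flat), size)]
            cases += 1
            if alg(nested) != alg(flat):
                mismatches += 1
    return cases, mismatches


def mixed_algorithms_counterexample():
    """With different algorithms inside and outside, flattening changes the decision."""
    inner = [[PERMIT, DENY], [PERMIT]]
    nested = deny_overrides([permit_overrides(g) for g in inner])
    flat = deny_overrides([d for g in inner for d in g])
    return nested, flat


if __name__ == "__main__":
    print("pushdown (cases, mismatches):", check_pushdown())
    print("flattening (cases, mismatches):", check_flattening())
    print("mixed algorithms (nested, flat):", mixed_algorithms_counterexample())
```
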
5. Mapping from Generic-XACML to XACML Profiles
Algorithm 2: Mapping from Generic-XACML to XACML-RBAC profile.

    Input: Generic-XACML document
    Output: XACML-RBAC document
    Create a root PolicySet in XACML-RBAC document with an empty Target
    For i=1 to rulesnumber do
        Parse Target of rule i in Generic-XACML document
        If Target designate the Subject then
            currentValue=value(Subject)
            Append a role PolicySet with Target designating CurrentValue for the Subject
            Insert a Permissions PolicySet with an empty Target
            Insert a policy with an empty Target
            RoleRules[]= rule i
            For j=i+1 to rulesnumber do
                Parse Target of rule j
                If value(Subject)= currentValue then
                    RoleRules[]= rule j
            Alter RoleRules Targets: delete constraint about currentValue
            Insert RoleRules into the policy
    Return XACML-RBAC document

Once we obtain the Generic-XACML policy, we can reform it into the desired XACML profile. This involves encompassing Rules into policies and PolicySets according to the profile specifications. In this section, we describe how to map from Generic-XACML to a specific XACML profile. We follow two main steps:
(1) Reproducing a customized policy that conforms to the profile specifications

(2) Optimizing the resulting policy

For both steps, the sorts of transformations we carry out are as follows:

(i) Inserting container Policy or PolicySet elements having an empty Target element and the same combining algorithm as the initial policy

(ii) Moving constraints that are common between the nested elements from their Targets to the Target of the container element

(iii) Moving the ObligationExpression or AdviceExpression elements that are common between the nested elements to the container element

These transformations do not affect the decision evaluation of the global policy, as proved in Section 4.
5.1. Conformance to Specific Profile. For a generic policy to conform to profile specifications, it is transformed and customized by a specific algorithm that depends on the profile and that differs from one profile to another. For illustration purposes, we touch on the RBAC and UCON profiles.

5.1.1. Mapping from Generic-XACML to XACML-RBAC Profile. To translate a policy from Generic-XACML into the XACML-RBAC profile, we follow Algorithm 2.

In conformance with the XACML-RBAC profile specifications, the resulting document will contain a root PolicySet element with an empty Target. On the other side, the original document is parsed. Then the Targets of the Rules are browsed. So, for each possible value of the Subject, we create a PolicySet element representing a Role and a nested PolicySet element with an empty Target representing the Role permissions. As for the PolicySet representing the Role, the Target will contain a nesting of an AnyOf, an AllOf, and a Match element. The latter designates the current value of the Subject. Then all Rules that contain a Match element that satisfies the current Subject are selected and inserted in a Policy element nested into the PolicySet representing permissions. Before Rules are inserted, their Targets are altered in such a way as to eliminate the Match element that designates the current value of the Subject.

Rules containing no Match element that designates a Subject are considered as Rules concerning all Subjects. Then these Rules are inserted into every PolicySet element representing a role.

Special Case. Algorithm 2 consists of factoring Rules into policies. The factor is a Match element that designates the Subject. This is only possible if Targets are logically expressed as a conjunction of Match elements. If an AnyOf element contains more than one AllOf element, the Target will be evaluated as a conjunction of disjunctions of conjunctions of Match elements, and we cannot factorize by Match element. In this case, our algorithm will compare the AnyOf element as a whole rather than comparing only the Match element.
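Algorithm 2 together with the handling of Subject-less Rules described above, as an added Python example (not the authors' implementation). It assumes Rule Targets are plain conjunctions of Match elements modelled as dictionaries, no Conditions or Obligations, and permit-overrides everywhere; the rule data, the `visitor` subject, and the `compare` helper are constructed for illustration.

```python
"""Algorithm 2 on a simplified rule model (added example, not the authors' code).

Assumptions: a Rule Target is a plain conjunction of Match elements, modelled
as a dict {category: value}; Conditions, Obligations and Indeterminate results
are left out; permit-overrides is the combining algorithm everywhere.
"""
from itertools import product

# Constructed Generic-XACML content: one Policy, empty Target, flat Rule list.
GENERIC_RULES = [
    {"id": "r1", "effect": "Permit",
     "target": {"subject": "doctor", "resource": "record", "action": "read"}},
    {"id": "r2", "effect": "Permit",
     "target": {"subject": "doctor", "resource": "record", "action": "write"}},
    {"id": "r3", "effect": "Permit",
     "target": {"subject": "nurse", "resource": "record", "action": "read"}},
    {"id": "r4", "effect": "Deny",
     "target": {"subject": "nurse", "resource": "billing"}},
    {"id": "r5", "effect": "Permit",   # no Subject Match: concerns all Subjects
     "target": {"resource": "directory", "action": "read"}},
]


def to_rbac(rules):
    """Build root PolicySet > role PolicySet > permissions PolicySet > Policy > Rules."""
    subjects = []
    for rule in rules:
        subject = rule["target"].get("subject")
        if subject is not None and subject not in subjects:
            subjects.append(subject)
    permissions = {s: [] for s in subjects}
    for rule in rules:                      # one pass keeps document order
        subject = rule["target"].get("subject")
        if subject is None:                 # copy into every role
            for perms in permissions.values():
                perms.append(dict(rule))
        else:                               # drop the Subject Match from the Target
            stripped = {k: v for k, v in rule["target"].items() if k != "subject"}
            permissions[subject].append({**rule, "target": stripped})
    return {"target": {}, "roles": [
        {"target": {"subject": s},
         "permissions": {"target": {}, "policy": {"target": {}, "rules": perms}}}
        for s, perms in permissions.items()
    ]}


def matches(target, request):
    return all(request.get(k) == v for k, v in target.items())


def combine(decisions):
    """Two-valued permit-overrides: Permit, else Deny, else NotApplicable."""
    return next((d for d in ("Permit", "Deny") if d in decisions), "NotApplicable")


def eval_generic(rules, request):
    return combine([r["effect"] for r in rules if matches(r["target"], request)])


def eval_rbac(doc, request):
    decisions = [
        eval_generic(role["permissions"]["policy"]["rules"], request)
        for role in doc["roles"] if matches(role["target"], request)
    ]
    return combine(decisions)


def compare(rules, subjects):
    """Return the requests on which the generic and RBAC documents disagree."""
    doc = to_rbac(rules)
    disagreements = []
    for s, r, a in product(subjects, ("record", "billing", "directory"), ("read", "write")):
        request = {"subject": s, "resource": r, "action": a}
        if eval_generic(rules, request) != eval_rbac(doc, request):
            disagreements.append((s, r, a))
    return disagreements


if __name__ == "__main__":
    print("known roles:", compare(GENERIC_RULES, ("doctor", "nurse")))
    print("subject without a role:", compare(GENERIC_RULES, ("visitor",)))
```

In this model `compare` finds no disagreement for subjects that have a role PolicySet. For the constructed `visitor`, which has none, the Subject-less Rule r5 applies in the generic document but is unreachable in the RBAC one, so a test of the mapping should enumerate subjects outside the role set as well.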
5.1.2. Mapping from Generic-XACML to XACML-UCON Profile. The XACML-UCON profile described in [25] is an implementation of the $UCON_{ABC}$ model [30] that fulfills XACML specifications and categorizes policies into 3 types: Authorizations, oBligations, and Conditions. The particularity of UCON is the Continuity of Usage and Mutable Attributes, which are expressed as XACML Obligations within the Policy element. So mapping to the UCON profile consists of categorizing the original Rules into three categories: Authorizations (A), oBligations (B), and Conditions (C). Then each category is divided into two subcategories: pre- (evaluated only once) and ongoing (continuous re-evaluation). So the resulting document will eventually contain six types of Policy: preA, preB, preC, onA, onB, and onC.

Algorithm 3: Mapping from Generic-XACML to XACML-UCON profile.

    Input: Generic-XACML document
    Output: XACML-UCON document
    create a root PolicySet in XACML-UCON document
    for i=1 to rulesnumber do
        parse Target of rule i in Generic-XACML document
        if exist any element designating Environment attribute then
            if exist obligation specifying the request interval for ongoing control then
                onCRules[]=rule i
            else
                preCRules[]=rule i
        else if exist condition element in rule i then
            if exist obligation specifying the request interval for ongoing control then
                onBRules[]=rule i
            else
                preBRules[]=rule i
        else
            if exist obligation specifying the request interval for ongoing control then
                onARules[]=rule i
            else
                preARules[]=rule i
    if preARules is not empty then
        insert preAPolicy
        insert preARules into preAPolicy
    if onARules is not empty then
        insert onAPolicy
        insert onARules into onAPolicy
    if preBRules is not empty then
        insert preBPolicy
        insert preBRules into preBPolicy
    if onBRules is not empty then
        insert onBPolicy
        insert onBRules into onBPolicy
    if preCRules is not empty then
        insert preCPolicy
        insert preCRules into preCPolicy
    if onCRules is not empty then
        insert onCPolicy
        insert onCRules into onCPolicy
    return XACML-UCON document
Algorithm 3 shows how to execute the mapping from Generic-XACML to the XACML-UCON profile. Rules of the original document are parsed. If a Rule contains at least one element that designates or selects an XACML Environment attribute, it will be considered as a Condition (C). If it contains an XACML Condition element, it will be considered as an oBligation (B). Otherwise, it will be considered as an Authorization (A). On the other hand, if the Rule contains an XACML Obligation element with an AttributeAssignment element which specifies the time interval between continuous policy re-evaluations, the Rule is inserted in the resulting document inside an ongoing Policy: onA, onB, or onC. Otherwise, it is inserted inside a pre Policy: preA, preB, or preC.

5.2. Optimizing Policies. When mapping from Generic-XACML to any XACML profile, the resulting policy could have redundancies in Target, Advice, or Obligation elements, or a large number of Rules in one Policy element, which makes it costly for the Policy Decision Point in terms of execution time. In this subsection, we propose an algorithm to optimize the resulting policies.
This algorithm (Algorithm 4) consists of regrouping Rules into policies based on common values of attributes in the Target element. Therefore, the algorithm iterates over attribute categories. The attribute categories and their order are selected based on the model (e.g., we follow the order Resource, Action, then Environment for the RBAC model). So, for each attribute category and for each Policy element, Rules are parsed. Then, if the Rule Target designates the current attribute category, its value is compared with the attribute category value of the other Rules. Thus Rules with equal attribute category values are combined into a sibling Policy (a new Policy having the same parent as the current Policy). Its Target will contain a nesting of an AnyOf, an AllOf, and a Match element. The latter designates the current value of the current category of attribute.

Algorithm 4: Optimizing policies.

    Input: XACML document
    Forall attribute categories do
        Forall Policy elements do
            evaluate rulesnumber of current policy
            If rulesnumber ≥ 2 then    (policy with one rule does not need optimization)
                For i=1 to rulesnumber do
                    parse Target of rule i
                    If Target designates current attribute category then
                        CurrentValue=value(attribute category)
                        combinedRules[]= rule i
                        For j=i+1 to rulesnumber do
                            parse Target of rule j
                            If value(attribute category)= CurrentValue then
                                combinedRules[]= rule j
                        If length(combinedRules) ≥ 2 then
                            If length(combinedRules) = rulesnumber then
                                alter Target of current Policy element
                                alter combinedRules Targets
                            Else
                                create sibling policy with Target designating CurrentValue for attr category
                                alter combinedRules Targets
                                move combinedRules to the new sibling policy
If a resulting document contains a large number of Policy elements, this algorithm can be extended to combine Policy elements into PolicySet elements with the same instructions.

Other constraints can be added to the algorithm depending on the profile specifications (e.g., the Target of a PolicySet representing a role in the RBAC profile designates only Subject attributes).

Special Case. Similarly to Algorithm 2, if an AnyOf element contains more than one AllOf element, the algorithm will compare the AnyOf element as a whole rather than comparing only the Match element.

As for obligations and advices, if all Rules within a Policy element have the same ObligationExpression or the same AdviceExpression element, then this expression is moved to the parent Policy.
6. Conclusion and Future Research

In this paper, we propose Access Control in Cross-Organizational coLLABoration (ACCOLLAB), which tackles the problem of heterogeneity of access control models cross-organizations while respecting the internal access control model of each organization involved in a collaboration.

This solution is based on a mechanism for automatically mapping between policies in different models. We considered the previously proposed ontology-based semantic mapping process to deal with semantic correspondences and focused on syntactic transformations of the heterogeneous policies to propose a complete solution.

This automatic mapping is based on XACML profiles and the generic language Generic-XACML we have defined. Thus we have given a logic proof for all of the mapping steps.

Thus our generic access control model ACCOLLAB solves the heterogeneity problem, ensures the interoperability cross-organizations, and maintains the privacy of each collaborating organization.

We are working to implement our mapping algorithms using the XACML implementation Balana; then we are going to complete the implementation of the policy mapping architecture based on WSO2 servers.

Besides that, we intend to extend XACML in order to find equivalence between combining algorithms, to make our proposed mechanism cover heterogeneous combining algorithms.
Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.
References

[1] R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman, "Role-based access control models," The Computer Journal, vol. 29, no. 2, pp. 38-47, 1996.
[2] R. K. Thomas and R. S. Sandhu, "Task-based authorization controls (TBAC): a family of models for active and enterprise-oriented authorization management," in Database Security XI, IFIP Advances in Information and Communication Technology, pp. 166-181, Springer US, Boston, MA, 1998.
[3] E. Yuan and J. Tong, "Attributed based access control (ABAC) for web services," in Proceedings of the IEEE International Conference on Web Services (ICWS'05), pp. 561-569, IEEE, July 2005.
[4] A. A. E. Kalam, R. E. Baida, P. Balbiani, et al., "Organization based access control," in Proceedings of the 4th IEEE International Workshop on Policies for Distributed Systems and Networks, pp. 120-131, 2003.
[5] A. Kalam and Y. El, "Multi-OrBAC: a New Access Control Model for Distributed, Heterogeneous and Collaborative Systems," in Proceedings of the 8th IEEE International Symposium on Systems and Information Security, p. 1, 2006.
[6] A. Kamoun and S. Tazi, "A semantic role-based access control for intra and inter-organization collaboration," in Proceedings of the 23rd IEEE International WETICE Conference, WETICE 2014, pp. 86-91, Italy, June 2014.
[7] W. Zhou and C. Meinel, "Team and task based RBAC access control model," in Proceedings of the 2007 Latin American Network Operations and Management Symposium - LANOMS 2007, pp. 84-94, Brazil, September 2007.
[8] J. Li, J. Zic, N. Oakes, D. Liu, and C. Wang, "Design and evaluation of an integrated collaboration platform for secure information sharing," in Cooperative Design, Visualization, and Engineering, vol. 9929 of Lecture Notes in Computer Science, pp. 185-193, Springer International Publishing, Cham, 2016.
[9] F. Liang, H. Guo, S. Yi, and S. Ma, "A multiple-policy supported attribute-based access control architecture within large-scale device collaboration systems," Journal of Networks, vol. 7, no. 3, pp. 524-531, 2012.
[10] S. Sicari, A. Rizzardi, D. Miorandi, and A. Coen-Porisini, "Dynamic policies in internet of things: enforcement and synchronization," IEEE Internet of Things Journal, vol. 4, no. 6, pp. 2228-2238, 2017.
[11] A. Almutairi, M. Sarfraz, S. Basalamah, W. Aref, and A. Ghafoor, "A distributed access control architecture for cloud computing," IEEE Software, vol. 29, no. 2, pp. 36-44, 2012.
[12] H. Xiang, X. Xia, H. Hu, J. Sang, and C. Ye, "Approaches to access control policy comparison and the inter-domain role mapping problem," Information Technology and Control, vol. 45, no. 3, pp. 278-288, 2016.
[13] Z. Wu and L. Wang, "An innovative simulation environment for cross-domain policy enforcement," Simulation Modelling Practice and Theory, vol. 19, no. 7, pp. 1558-1583, 2011.
[14] Z.-W. Wang, "A generic access control model based on ontology," in Proceedings of the 2010 IEEE International Conference on Wireless Communications, Networking and Information Security, WCNIS 2010, pp. 335-339, China, June 2010.
[15] S. Haguouche and Z. Jarir, "Managing heterogeneous access control models cross-organization," in Proceedings of the International Conference on Risks and Security of Internet and Systems, pp. 222-229, 2015.
[16] S. Haguouche and Z. Jarir, "Generic access control model and semantic mapping between heterogeneous policies," International Journal of Technology Diffusion (IJTD), vol. 9, no. 4, pp. 52-65, 2018.
[17] S. Haguouche and Z. Jarir, "Toward a generic access control model," in Proceedings of the 3rd IEEE World Conference on Complex Systems, WCCS 2015, pp. 1-6, IEEE, Morocco, November 2015.
[18] R. Xu, Y. Chen, E. Blasch, and G. Chen, "A federated capability-based access control mechanism for Internet of Things (IoTs)," in Proceedings of the Sensors and Systems for Space Applications XI, International Society for Optics and Photonics, 2018.
[19] L. Duan, Y. Zhang, S. Chen, et al., "Automated policy combination for secure data sharing in cross-organizational collaborations," IEEE Access, vol. 4, pp. 3454-3468, 2016.
[20] G. Geethakumari, A. Negi, and V. N. Sastry, "A cross-domain role mapping and authorization framework for RBAC in grid systems," International Journal of Computer Science and Application, vol. 6, no. 1, pp. 1-12, 2009.
[21] D. Preuveneers, W. Joosen, and E. Ilie-Zudor, "Policy reconciliation for access control in dynamic cross-enterprise collaborations," Enterprise Information Systems, vol. 12, no. 3, pp. 279-299, 2018.
[22] C. Esposito, "Interoperable, dynamic and privacy-preserving access control for cloud data storage when integrating heterogeneous organizations," Journal of Network and Computer Applications, vol. 108, pp. 124-136, 2018.
[23] OASIS XACML Technical Committee, "eXtensible Access Control Markup Language (XACML) Version 3.0," http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html, accessed July 2018.
[24] OASIS XACML Technical Committee, "XACML v3.0 core and hierarchical Role Based Access Control (RBAC) profile version 1.0 (committee specification 02)," http://docs.oasis-open.org/xacml/3.0/rbac/v1.0/xacml-3.0-rbac-v1.0.html, accessed July 2018.
[25] Y. Ghazi, R. Masood, M. A. Shibli, and S. Khurshid, "Usage-based access control for cloud applications," in Innovative Solutions for Access Control Management, pp. 197-223, 2016.
[26] G. Karjoth, A. Schade, and E. Van Herreweghen, "Implementing ACL-based policies in XACML," in Proceedings of the 24th Annual Computer Security Applications Conference, ACSAC 2008, pp. 183-192, USA, December 2008.
[27] M. Xu, D. Wijesekera, and X. Zhang, "Towards session-aware RBAC administration and enforcement with XACML," in Proceedings of the 2009 IEEE International Symposium on Policies for Distributed Systems and Networks, 2009.
[28] X. Jin, R. Krishnan, and R. Sandhu, "A unified attribute-based access control model covering DAC, MAC and RBAC," Lecture Notes in Computer Science, vol. 7371, pp. 41-55, 2012.
[29] C. D. P. K. Ramli, H. R. Nielson, and F. Nielson, "The logic of XACML," Science of Computer Programming, vol. 83, pp. 80-105, 2014.
[30] J. Park and R. Sandhu, "The $UCON_{ABC}$ usage control model," ACM Transactions on Information and System Security, vol. 7, no. 1, pp. 128-174, 2004.
collaborating organizations profoundly modify their existing access control models, a situation that is difficult to achieve and is impractical in heterogeneous real systems. Other works have assumed that collaborating organizations are adopting the same access control model and proposed centralized solutions like [8, 9] or distributed solutions like [10, 11] to control access cross-organizations. Few works have tackled the heterogeneity of access control models problem [12-14], and none of them, according to our knowledge, has given a complete solution for automatic policy mapping between heterogeneous systems that covers both syntactic and semantic transformation.

Moreover, to enhance security interaction between organizations, we consider that enabling access control policy enforcement in the customer organization is mandatory. However, this property is not met by the evoked solutions. The need to enable provider policy enforcement by the consumer's system is motivated by multiple reasons:

(1) The need to ensure the fine-grained access control defined by the provider policy. Usually a policy specifies fine-grained constraints related to the subject who can access a resource, but when the subject is in a foreign organization, the provider would be unable to determine the capability of the subject. Therefore we need to enforce the provider policy on the consumer side.

(2) The need to enforce context-aware constraints defined by the provider policy, when the policy specifies context constraints that could be determined only in the consumer organization.

(3) The need for a high level of trustworthiness between collaborating organizations. Usually collaboration is regulated by contracts or agreements [15]. For a consumer organization to keep a high level of trustworthiness, it should fulfill the provider policy, especially the access control policy. To do so, the consumer organization should be able to enforce the provider policy.

Reviewing the contributions presented in the literature in response to this challenge motivated us to believe in the need for a solution for collaborative access control that has the advantage to (1) tackle the heterogeneity in access control models, (2) allow automatic mapping of access control policies between collaborating organizations based on syntactic and semantic transformations, and (3) respect the legacy systems.

The aim of our contribution, ACCOLLAB, is to propose a new mechanism that ensures mapping between heterogeneous models automatically. This mechanism will help organizations to communicate their access control policies and adopt others' policies automatically without affecting the existing access control systems. In addition, we have considered both syntactic and semantic mapping to propose a complete solution. To deal with semantic mapping, we have proposed an ontology-based semantic mapping process in [16]. In this paper, we focus on syntactic mapping, for which we have given a skeleton outline in a previous work [17].

The rest of this paper is organized as follows. Section 2 exposes related work, whereas Section 3 describes the mechanism of automatic mapping between access control models by means of XACML profiles and a proposed language, Generic-XACML. In Section 4, we show in detail how to map from XACML profiles to our Generic-XACML, while Section 5 is dedicated to presenting the reverse mapping. Finally, we conclude in Section 6.
2 Related Work on Access Control inCross-Organizational Collaboration
In the literature several contributions have addressed theproblem of access control in cross-organizational collabo-ration Some of them have proposed outright a new accesscontrol model or extended existing models to be suitablefor cross-organization collaboration While the majority ofworks have assumed in their approaches that collaboratingorganizations are adopting the same access control modelto propose architectures frameworks or solutions to con-trol access cross-organizations few works have tackled theheterogeneity of access control models problem and noneof them has given a complete automatic solution for policymapping between heterogeneous systems To more organizethis section we introduce as follows three cases that are asfollows Case 1 proposition of new access control model orextending an existing one Case 2 solutions to control accessacross organizations adopting the same access control modelCase 3 approaches tackling the interoperability betweenheterogeneous models
21 Case 1 Proposition of New Access Control Model or Ex-tending an Existing One Some works define of a new accesscontrol model or extend existing models in order to besuitable for cross-organization collaboration
OrBAC [4] is an example of innovative models which iscentered on the concept of Organization Each access controlpolicy is defined for and by an organization OrBAC definesthe notion of role view and activity that refer to subjectobject and action respectively from the perspective of anorganization and includes also the notion of context Usingthese concepts policies are defined homogeneously in allcollaborating organizations
Authors in [18] propose a federated capability-based access control (FedCAC) system to tackle the challenges of access control for heterogeneous devices over IoT. They propose the delegation of domain-specific access control policies and identity management tasks from the centralized Policy Decision making Center (PDC) to fog computing nodes called coordinators. Authors in this work consider one homogeneous definition of access control policies, and then they are synchronized among the PDC and coordinators.
Reference [6] is another example that extends the RBAC model with new concepts required for collaborative environments in both intra- and interorganizations. Authors of that paper propose a generic access control ontology and a framework supporting administration and enforcement. The proposed model has been specified to protect data access in intra- and interorganizations collaboration, but it focuses on organizations using only the RBAC model and excludes other models.
Policies in these works will be defined in the same way for all collaborating organizations. Access requests will be homogeneous with enforcement mechanisms of the collaborating organizations. Meanwhile, adopting a new access control model requires rebuilding the whole access control system of collaborating organizations, which is impractical and sometimes refused by organizations.
2.2. Case 2: Solutions to Control Access across Organizations Adopting the Same Access Control Model. Many works have proposed solutions for access control in cross-organizational collaboration where all organizations adopt the same model (ABAC or RBAC are the most used). While reviewing the most interesting contributions, we have concluded that two main architectures are proposed: centralized architecture and distributed architecture.
2.2.1. Centralized Architecture. The work [8] proposes a centralized architecture for access control across organizations, where each collaborating organization defines policies associated with its shared resources. Then these policies are managed by a coordination organization depending on each collaboration incident and enforced by centralized components, which are based on the ABAC model.
Authors in [9] propose a Multiple-Policy supported Attribute-Based Access Control model (MPABAC) with a centralized architecture. This model extends the traditional ABAC model by providing cross-domain authentication and authorization. They propose a priority description to combine policies among multiple domains and adopt a hierarchical structure for policies enforcement.
Authors in [19] address the issues of combining multiple XACML policies in cross-organizational collaboration. They present a policy combination architecture that consists of classifying the rules based on attribute constraints in each policy of collaborative organizations and then reducing the rules of the corresponding classes to one with the same attribute constraints. The reduced rules are then combined into a new global policy by choosing the appropriate rule combining algorithm.
These contributions proposed centralized solutions for access control in cross-organizational collaboration, assuming that all collaborating organizations are using the same access control model. So they try to find a way to combine access control policies of collaborating organizations or to combine access control decisions.
2.2.2. Distributed Architecture. The work [10] proposes a policy distribution and synchronization schema for an IoT environment. It is based on a virtual channels technique for the propagation and synchronization of policies across different domains in real time. The paper presents a mechanism to dynamically enforce and propagate policies across heterogeneous domains. However, it does not consider the heterogeneity of the policies themselves, which can be expressed in different ways according to each domain. It considers only the ABAC model and assumes that no heterogeneity exists in policy definitions among different organizations.
Authors in [11] proposed a distributed access control architecture to address authorization issues across multiple clouds. The architecture is based on a service-level agreement (SLA) component to allow peer-to-peer interoperation. SLA performs role mapping and evaluates policy constraints defined in a mediated SLA policy. This mediated policy is defined using an RBAC XML-based declaration. Authors propose a solution for interoperability in multiple clouds collaboration, assuming all clouds are adopting the same access control model, RBAC.
Authors in [20] adapt and implement RBAC for a multidomain grid access control. Their approach includes an architecture for cross-domain role mapping based on a role ranking mechanism. Authors consider only RBAC. Additionally, this approach is not suitable for fine-grained authorization.
Authors in [21] address access control in dynamic cross-enterprise collaborations by proposing a framework for attribute and policy reconciliation where attribute definitions or their interpretations are not standardized. The framework externalizes domain knowledge in order to dynamically infer attribute relationships during the evaluation of authorization decisions. Authors in this paper address the interoperability challenge for access control in cross-enterprise collaborations, but they only consider the ABAC model.
Even though these works give interesting solutions to manage access control in cross-organizations collaboration, they do not consider heterogeneity in access control models adopted by collaborating organizations.
2.3. Case 3: Approaches Tackling the Interoperability between Heterogeneous Models. An interesting work [22] proposed an ontological approach to deal with the interoperability between heterogeneous access control models by matching different ontologies that describe the diverse access control models of the interconnected organizations. Yet authors focus on access control for cloud data storage when integrating heterogeneous organizations, which makes it useless in a cross-organizational collaboration with segregated systems.
Authors in [12] address the heterogeneity problem of access control models across collaborating organizations. They proposed an equivalent based access collaboration model (EABC) to protect shared resources. This model covers multiple domains that are adopting different access control models and is based on defining equivalent access, which involves entity mapping and entity linking relationships. They propose a formal definition of policy mapping across organizations. Unfortunately, they do not give any details about the mapping process.
Reference [13] proposed an enforcement architecture that evaluates the possibility of potential cross-domain policy deployment through model-driven mapping and translation, using ontology-based mapping and query-based mapping. The paper presented a solution similar to ours. Meanwhile, it focuses on defined logical models representing common operation rules to ensure the semantic mapping. However, each logical model is defined by domain administrators, which can generate heterogeneity in the logical models themselves.

Figure 1: Architecture of policy mapping in cross-organizational collaboration. [Diagram: the access control mechanism in the consumer organization (ABAC model; Requestor, PEP, PDP, PAP, ABAC policy store) and the access control mechanism in the provider organization (RBAC model; Requestee, PEP, PDP, PAP, RBAC policy store), linked by policy mapping through a Generic-XACML policy.]
The paper [14] analyzed the common knowledge of access control models and proposed an ontology-based model which can describe different access control models. This work gives a formal description of access control ontologies and proposes a connection algorithm which is based on access ontology. However, neither details about the connection algorithm nor the mechanism of mapping between organizations' policies are provided, given that each collaborating organization adopts its own access control mechanism.
These evoked contributions tackle the problem of access control in cross-organizational collaboration where each collaborating organization adopts a different access control model. Unfortunately, none of them gives a complete solution using syntactic and semantic transformations.
This motivates us to come up with a solution characterized by:
(1) Respect of legacy systems
(2) Automatic policy mapping between collaboratingorganizations based on syntactic and semantic trans-formations
(3) Tackling the heterogeneity in access control models
3. Our Proposed Mechanism of Automatic Mapping between Heterogeneous Models
Our current contribution aims to suggest a solution for Access Control in Cross-Organizational coLLABoration (ACCOLLAB) that respects the legacy systems of each organization in the collaboration and aims to enable the enforcement of providers' policies in the consumers' organizations. Figure 1 shows an example of two collaborating organizations using heterogeneous access control systems. The provider organization that offers a requestee (e.g., service, resource, data, ...) defines a policy using the RBAC model and enforces access control using an adequate mechanism. So the consumer organization, which uses the ABAC model and enforces access control using a different mechanism, should be able to read the provider's policy and enforce it using its own access control mechanism. Thus we propose a mechanism for automatic policy mapping between organizations adopting heterogeneous access control models.
The automatic policy mapping involves two transformations: syntactic transformations, which concern the form of the policy and are our focus in this paper, and semantic correspondences, which we tackled in the previous contribution [16], where we relied on a generic representation of access control concepts and proposed an ontology-based semantic mapping.
Thus we assume in this paper that every single constraint in an access control policy expressed in an access control model has a semantically corresponding constraint in any other model, and we focus on automatic mapping between models in terms of policy definition.
To ensure an effective mapping, we use XACML as an intermediate policy definition language for mapping. The motivation behind this choice is that XACML can be used to implement any access control model and that a number of XACML profiles are already defined.
Figure 2 depicts the global architecture of the mapping. Hence, to be able to map from a policy written according to a particular model to another model (e.g., RBAC model to ABAC model), we resort to XACML profiles as an intermediate language. So we define a high-level syntax of XACML that we call Generic-XACML (detailed in Section 3.3). From this syntax we can switch to any XACML profile, and thereafter it will be translated to the target policy language, which is specific to the model.
Our solution is distributed, but unlike existing distributed solutions [10, 11, 20, 21], we consider heterogeneous existing access control systems adopting heterogeneous models (ABAC, RBAC, UCON, ...). Our solution will be implemented as an additional layer on top of existing access control systems: existing systems will not be changed, only policies will be automatically translated.

Figure 2: Mechanism of policy mapping between heterogeneous models. [Diagram: policies in ABAC, RBAC, and UCON are translated to/from the XACML profile for ABAC, RBAC, and UCON, respectively; the profile policies are mapped to and from a policy in Generic-XACML by unifying/customizing the XACML syntax.]
In the next subsections, we give an overview of XACML and XACML profiles. Then we give a definition of our Generic-XACML language.
3.1. XACML Overview. Recall that XACML (eXtensible Access Control Markup Language) [23] is a standardized access control policy and decision language based on XML. The core of XACML defines policies by hierarchical components. The root element is the PolicySet; it contains Policy and/or other PolicySet elements. A Policy element contains a set of one or more Rule elements. A Rule element contains a condition that is evaluated to either True or False. A Rule element represents a single authorization or prohibition depending on its effect, which is either Permit or Deny. XACML provides Combining Algorithms that operate to combine decisions or effects of multiple Policy or Rule elements into a single decision, via a Policy Combining Algorithm for Policy elements and via a Rule Combining Algorithm for Rule elements.
Rule, Policy, and PolicySet elements include a Target element to specify their applicability to the access control request and, optionally, an ObligationExpressions element or an AdviceExpressions element to define obligations or advices, respectively. The Target element may be empty or a conjunction of a disjunction (AnyOf elements) of a conjunction (AllOf element) of Subject, Resource, Action, and/or Environment conditions expressed as Match elements. Subject, Resource, Action, and Environment are the four attribute categories defined by XACML.
3.2. XACML Profiles
3.2.1. XACML-RBAC Profile. [24] defines a profile to meet the requirements for RBAC. The RBAC profile of XACML (XACML-RBAC) expresses a way to use the standard XACML within the RBAC model.
In this profile, each Role is defined by a PolicySet element. It contains a Target element that makes the PolicySet applicable only to Subjects having the XACML Attribute associated with the given Role. The Target element does not restrict the Resource, Action, or Environment. This Role PolicySet element contains a unique PolicySet that defines the actual Permissions associated with the Role. Such a PolicySet contains PolicySet, Policy, and Rule elements that describe the resources and actions that subjects are permitted to access, along with any further environmental conditions, such as time of day. A given Permission PolicySet may also contain references to Permission PolicySet elements associated with other Roles (hierarchy).
The Target element of a Permission PolicySet and its included or referenced PolicySet, Policy, and Rule elements must not limit the subjects to which the PolicySet is applicable.
3.2.2. XACML-UCON Profile. [25] defines a profile (XACML-UCON) for the use of XACML in expressing policies that would ensure usage control as defined in the UCON model. In this profile, Authorizations are specified by XACML Subject and XACML Resource in the Target element. Obligations are specified by XACML Condition. Conditions (the UCON concept) are specified by XACML Environment. Rights are specified by XACML Action. Continuity of usage decision will be expressed in the XACML Obligation within the Policy element. It would contain an AttributeAssignment, which will specify the time interval between continuous policy re-evaluations.
Mutable Attributes are specified within XACML Obligations as XACML AttributeAssignment. The AttributeId is where the name of the mutable attribute is specified.
3.2.3. Other XACML Profiles. Other works like [26–28] define XACML profiles for Access Control List (ACL) and ABAC models. In the same way, other profiles for other models can be developed, since XACML offers the possibility to express any concept as attributes. Thus we can map any existing policy into the XACML policy language. The profile will specify the particularity of the model by specifying:
(i) The correlation between the model concepts and thecategories of attributes
(ii) The categories of attributes to put in for some Targetelements
(iii) The nesting of the XACML elements (specify thenumber of children of some elements)
(iv) The combining algorithms that are used
3.3. Generic-XACML. When organizations engage in collaboration, access control policies related to the shared Requestees (services or resources, ...) are translated to the XACML profile for the model adopted by the provider organization. Then these policies are automatically mapped to Generic-XACML and shared jointly with the requestees. Later, these policies are automatically mapped to the XACML profile for the model adopted by the consumer organization and finally translated to the consumer model. So Generic-XACML is a high-level language that serves as an intermediate for the mapping. Generic-XACML is inspired by XACML in that it matches the XACML specifications for policy definition, and it restricts the core XACML by the following constraints:
(i) It contains a root PolicySet element with an emptyTarget
(ii) The root PolicySet contains exactly one nested Policyelement with an empty Target as well
(iii) The Policy element contains a set of nested Rule elements and optionally a set of Obligation and/or Advice elements
Figure 3 depicts a pseudo code of the structure of aGeneric-XACML policy
In Sections 4 and 5, we show in more detail how to map between Generic-XACML and XACML profiles, and we prove the equivalence between policies.
Figure 3: A pseudo code of the structure of a Generic-XACML policy
Table 1: Possible values of XACML elements.

| Logic value | Match and Target value | Condition value | Rule, Policy, and PolicySet value |
|---|---|---|---|
| $\top$ | Match | True | Applicable (either permit or deny) |
| $\bot$ | Not match | False | Not applicable |
| $I$ | Indeterminate | Indeterminate | Indeterminate |
3.4. Policy Decision Evaluation for XACML and Generic-XACML. The Rule evaluation depends on the Target evaluation and the Condition evaluation [23]. The Target value can be either match, not match, or indeterminate. The value indeterminate can be obtained if an error occurred or some required value was missing, so a decision cannot be made.
The Condition element is a set of propositional formulae which is evaluated to either True, False, or Indeterminate. An empty Condition or an empty Target is always evaluated to True. The evaluation of a Rule element is either applicable, not applicable, or Indeterminate. An applicable Rule has effect either deny or permit. Finally, the evaluation of Policy and PolicySet elements is based on a combining algorithm, of which the result can be either applicable (with its effect, either deny or permit), not applicable, or indeterminate.
In this paper, we refer to the formal XACML elements evaluation developed in [29]. In this work, the authors use a three-valued logic represented by the three symbols ($\top$, $\bot$, $I$) that correspond to XACML elements evaluation. Table 1 depicts the mapping between these three logic values and XACML elements evaluation.
In order to distinguish whether an applicable policy permits access or denies it, this three-valued logic is extended to a multivalued logic represented by the set $V_6 = \{\bot, I_d, I_p, I_{dp}, \top_d, \top_p\}$, where the subscript $d$ denotes Deny, the subscript $p$ denotes Permit, and the subscript $dp$ denotes Deny Permit.
Input: XACML profile document
Output: Generic-XACML document
Require: unified combining algorithm
Create PolicySet element with empty Target
Create Policy element with empty Target
Parse the XACML document
forall PolicySet element do
    forall Policy element do
        forall Rule element do
            Combine Rule Target with current Policy and PolicySet Targets
            Combine Rule ObligationExpressions with current Policy and PolicySet ObligationExpressions
            Combine Rule AdviceExpressions with current Policy and PolicySet AdviceExpressions
            Insert current Rule in the Generic-XACML document
Return Generic-XACML document

Algorithm 1: Mapping from one XACML profile to Generic-XACML.
4. Mapping from XACML Profiles to the Generic-XACML
In this section, we show that any policy written in an XACML profile can be mapped into our generic language. We explain how to proceed in order to map to the Generic-XACML without altering the logic of the policy and its decision evaluation. The following are the steps of transformation of the original policy written in an XACML profile.
Step 1. Unifying the combining algorithms (in our study, we focus on the case where we have the same combining algorithm in all Policy and PolicySet elements).
Step 2. Nesting the Target of the Policy and PolicySet elements into their composite Rule elements and combining them with the Rule Target, so that we obtain all Policy and PolicySet elements with an empty Target.
Step 3. Nesting of all ObligationExpression and AdviceExpression elements of the Policy and PolicySet elements into their composite Rule elements by inserting them into the ObligationExpressions element or into the AdviceExpressions element of the Rule.
Step 4. If a PolicySet is nested into another PolicySet, its Target is empty, and its combining algorithm is the same as the container PolicySet, then it will be eliminated and substituted by its content.
Step 5. In order to obtain only one Policy element, we substitute all Policy elements by one Policy element that contains the content of all nested Rules together (they must have the same combining algorithm and an empty Target).
These steps can be carried out through Algorithm 1, which allows mapping from any XACML document to a Generic-XACML document. In the next subsections, we prove that these transformations do not affect the decision evaluation of the policy.
Table 2: Rules truth table.

| $T$ | $T_i$ | $C_i$ | $T \wedge T_i$ | $R_i$ | $R_i'$ |
|---|---|---|---|---|---|
| $\top$ | $-$ | $-$ | $T_i$ | $-$ | $R_i$ |
| $I$ | $\top$ or $I$ | $\top$ or $I$ | $I$ | $\top$ or $I$ | $I$ |
| $I$ | $\bot$ | $-$ | $\bot$ | $\bot$ | $\bot$ |
| $I$ | $-$ | $\bot$ | $-$ | $\bot$ | $\bot$ |
| $\bot$ | $-$ | $-$ | $\bot$ | $\bot$ | $\bot$ |
4.1. Unifying the Combining Algorithms. To carry out the above transformations without affecting the global decision evaluation, we should have the same combining algorithm in the transformed elements. However, to come up with equivalence between combining algorithms, we need to extend XACML by proposing other elements. To avoid encumbering this paper, we suppose we have the same combining algorithm in all Policy and PolicySet elements.
4.2. Policy and PolicySet Elements with an Empty Target. We prove that a Target of a Policy/PolicySet element can be nested into their composite Rule/Policy/PolicySet elements without changing the global decision evaluation, so that, by repeating this transformation, we obtain an empty Target for any Policy or PolicySet element.
Proof. Let $P = \langle T, R_1, \ldots, R_n, \theta \rangle$ be a representation of a Policy, where $T$ is the Policy Target, $R_i = \langle \mathit{Effect}, T_i, C_i \rangle$ for $i \in [1 - n]$ are $n$ nested Rules, with $T_i$ the Rule Target and $C_i$ the condition for the Rule $i$, and $\theta$ is the combining algorithm.
And let $P' = \langle \mathit{Null}, R_1', \ldots, R_n', \theta \rangle$ be the transformed Policy, where the Target is empty and $R_i' = \langle \mathit{Effect}, T \wedge T_i, C_i \rangle$ for any $i \in [1 - n]$ are nested Rules, with $T \wedge T_i$ the conjunction of $T$ and $T_i$.
We rely on the truth tables (Tables 2 and 3) [23] to prove that the evaluation of the Policy $P$ is the same as that of $P'$, $[P] = [P']$ (we use the notation $[\,]$ to express the evaluation of a Rule, Policy, or PolicySet).
Table 3: Policy truth table.

| Target | Rules | Policy |
|---|---|---|
| $\top$ | $-$ | Combining Algo |
| $I$ | $\exists i \in [1 - n]$, $R_i = \top$ or $I$ | $I$ |
| $I$ | $\forall i \in [1 - n]$, $R_i = \bot$ | $\bot$ |
| $\bot$ | $-$ | $\bot$ |
Case 1. If $T = \top$, then for any $i \in [1 - n]$, $T \wedge T_i = T_i$, so the evaluation of the nested Rules does not change, $[R_i'] = [R_i]$, and then

$$[P'] = [\langle \mathit{Null}, R_1', \ldots, R_n', \theta \rangle] = [\langle \top, R_1', \ldots, R_n', \theta \rangle] \tag{1}$$

An empty Target always matches. Then

$$[P'] = [\langle \top, R_1, \ldots, R_n, \theta \rangle] = [P] \tag{2}$$

Case 2. If $T = I$, then:

Case 2.1. If $\exists i \in [1 - n]$, ($T_i = I$ or $T_i = \top$) and ($C_i = \top$ or $C_i = I$), then $T \wedge T_i = I$.
Then

$$[R_i'] = I \tag{3}$$

(because $C_i = \top$ or $C_i = I$). So

$$[P'] = [\langle \mathit{Null}, R_1', \ldots, R_n', \theta \rangle] = [\langle \top, R_1', \ldots, R_n', \theta \rangle] = \mathit{comAlg}([R_1'], \ldots, [R_n']) \tag{4}$$

($\mathit{comAlg}$ is the function that evaluates the decisions of $[R_1'], \ldots, [R_n']$ according to the combining algorithm used).
So

$$[P'] = I \tag{5}$$

(at least one Rule evaluated to Indeterminate). On the other hand, $[R_i] = \top$ or $I$, then $[P] = I$ (Target $= I$). So

$$[P'] = [P] \tag{6}$$

Case 2.2. If for any $i \in [1 - n]$, ($T_i = \bot$ or $C_i = \bot$), then for any $i \in [1 - n]$, $[R_i'] = [R_i] = \bot$:

$$[P'] = [\langle \mathit{Null}, R_1', \ldots, R_n', \theta \rangle] = [\langle \top, R_1', \ldots, R_n', \theta \rangle] = \bot \tag{7}$$

And

$$[P] = [\langle I, R_1, \ldots, R_n, \theta \rangle] = \bot = [P'] \tag{8}$$
Table 4: PolicySet truth table.

| Target | Policy or PolicySet | PolicySet |
|---|---|---|
| $\top$ | $-$ | Combining Algo |
| $I$ | $\exists i \in [1 - n]$, $P_i = \top$ or $I$ | $I$ |
| $I$ | $\forall i \in [1 - n]$, $P_i = \bot$ | $\bot$ |
| $\bot$ | $-$ | $\bot$ |
Case 3. If $T = \bot$, then for any $i \in [1 - n]$, $T \wedge T_i = \bot$. So for any $i \in [1 - n]$, $[R_i'] = \bot$ and $[R_i] = \bot$. Then

$$[P'] = [\langle \mathit{Null}, R_1', \ldots, R_n', \theta \rangle] = [\langle \top, R_1', \ldots, R_n', \theta \rangle] = \mathit{comAlg}([R_1'], \ldots, [R_n']) = \bot \tag{9}$$

And

$$[P] = [\langle \bot, R_1, \ldots, R_n, \theta \rangle] = \bot = [P'] \tag{10}$$

The same reasoning applies to a PolicySet composed of a set of policies or PolicySets, with the truth table in Table 4.
4.3. Policy and PolicySet Elements with No Obligation or Advice Elements. Obligation or Advice are operations that must be fulfilled in conjunction with an authorization decision (permit or deny authorization decision). ObligationExpression or AdviceExpression elements may be added optionally in Rule, Policy, or PolicySet elements.
Obligation and Advice do not affect the access decision, but they are fulfilled when the access decision is equal to the value specified in the FulfillOn attribute for the Obligation element and the AppliesTo attribute for the Advice element.
So, since Obligation and Advice do not affect the access decision, we can nest them into the nested Rule elements. This results in a redundancy in ObligationExpression and AdviceExpression elements, but it will be overcome when mapping to another XACML profile.
4.4. Substitute Nested PolicySet Elements by Their Contents. Generic-XACML is based on XACML but defines a specific tree structure of the elements. It contains a root PolicySet with an empty Target and a nested Policy element that has an empty Target as well and a set of nested Rule elements. In Section 4.2, we have proved that a Target of a Policy/PolicySet can be nested into their composite Rules/Policies/PolicySets without changing the global decision evaluation. In this section, we prove that if a PolicySet is nested into another PolicySet, its Target is empty, and its combining algorithm is the same as the container PolicySet, then it can be eliminated and substituted by its contents, as illustrated in Figure 4.
Proof. Let $CPS$ be the Container PolicySet element and $NPS_i$ with $i \in [1 - n]$ be its Nested PolicySet elements. All of the container and nested PolicySet elements have an empty Target.
Figure 4 Substitute nested PolicySet elements by their contents
$\mathit{comAlg}$ is the function that evaluates a set of decisions according to the combining algorithm used. Then the decision evaluation of the $CPS$ is

$$[CPS] = \mathit{comAlg}([NPS_1], \ldots, [NPS_n]) \tag{11}$$

And

$$[NPS_i] = \mathit{comAlg}([P_{i1}], \ldots, [P_{im_i}]) \quad \text{for any } i \in [1 - n] \tag{12}$$

$P_{i1}, \ldots, P_{im_i}$ are the nested policies for the PolicySet $NPS_i$, and $m_i$ is their number.
Let us prove that

$$[CPS] = \mathit{comAlg}([P_{11}], \ldots, [P_{1m_1}], \ldots, [P_{n1}], \ldots, [P_{nm_n}]) \tag{13}$$

We use the multivalued approach presented in [29], where they define for each combining algorithm a lattice $(V_6, \le_{CA})$, where $V_6$ is the set $\{\bot, I_d, I_p, I_{dp}, \top_d, \top_p\}$ and the ordering $\le_{CA}$ is defined according to the combining algorithm specification.
So the combining algorithm function applied to a set $S$ of elements of $V_6$ is the least upper bound, the supremum ($\sup$), of $S$.
Then

$$[CPS] = \sup([NPS_1], \ldots, [NPS_n]) = \sup(\sup([P_{11}], \ldots, [P_{1m_1}]), \ldots, \sup([P_{n1}], \ldots, [P_{nm_n}])) \tag{14}$$

If we have the same combining algorithm (the same ordering) for every $NPS_i$, then

$$\sup(\sup([P_{11}], \ldots, [P_{1m_1}]), \ldots, \sup([P_{n1}], \ldots, [P_{nm_n}])) = \sup([P_{11}], \ldots, [P_{1m_1}], \ldots, [P_{n1}], \ldots, [P_{nm_n}]) \tag{15}$$

Then

$$[CPS] = \sup([P_{11}], \ldots, [P_{1m_1}], \ldots, [P_{n1}], \ldots, [P_{nm_n}]) \tag{16}$$

So if we eliminate all nested PolicySet elements and substitute them by their nested Policy elements, the decision evaluation does not change.
4.5. Merging All Policy Elements into One Policy. Now we prove that all nested Rules can be merged into only one Policy element if all Policy elements have the same combining algorithm. We show that this transformation does not affect the decision evaluation of the container PolicySet.
Proof. Let $CPS$ be the Container PolicySet, $NP_i$ for $i \in [1 - n]$ be the nested Policy elements, and $NP$ the resulting nested Policy. All of these elements (the container PolicySet, the nested policies, and the resulting Policy) have an empty Target and the same combining algorithm.
The evaluations of $CPS$, $NP_i$, and $NP$ are

$$[CPS] = \mathit{comAlg}([NP_1], \ldots, [NP_n]) \tag{17}$$

$[NP_i] = \mathit{comAlg}([R_{i1}], \ldots, [R_{im_i}])$ for any $i \in [1 - n]$, where $R_{i1}, \ldots, R_{im_i}$ are the nested Rules for the Policy $NP_i$, and

$$[NP] = \mathit{comAlg}([R_{11}], \ldots, [R_{1m_1}], \ldots, [R_{n1}], \ldots, [R_{nm_n}]) \tag{18}$$

We prove that

$$[CPS] = [NP] \tag{19}$$

If we follow the same reasoning as above and we suppose we have the same combining algorithm for all policies (the same ordering), we can prove that

$$[CPS] = \sup([NP_1], \ldots, [NP_n]) = \sup(\sup([R_{11}], \ldots, [R_{1m_1}]), \ldots, \sup([R_{n1}], \ldots, [R_{nm_n}])) = \sup([R_{11}], \ldots, [R_{1m_1}], \ldots, [R_{n1}], \ldots, [R_{nm_n}]) = [NP] \tag{20}$$
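An added example, not code from the paper: Algorithm 1 together with the equivalences of Sections 4.2, 4.4, and 4.5, run on a small in-memory policy tree and checked over every three-valued assignment. The `Rule`, `Container`, and `SAMPLE` names, the four-decision chain used as the combining algorithm, and the `page_table` switch are assumptions of this sketch; evaluation follows Tables 2 to 4 as given above.

```python
from dataclasses import dataclass
from itertools import product

T, F, I = "match", "no-match", "indeterminate"   # the page's ⊤, ⊥, I
PERMIT, DENY, NA, IND = "Permit", "Deny", "NotApplicable", "Indeterminate"
# Assumed combining algorithm: supremum over the chain NA < Permit <
# Indeterminate < Deny (a simplified deny-overrides standing in for the
# V6 lattice of [29], whose ordering the page does not spell out).
ORDER = {NA: 0, PERMIT: 1, IND: 2, DENY: 3}

@dataclass(frozen=True)
class Rule:
    effect: str
    target: tuple = ()   # names of Match constraints, ANDed; () = empty Target
    cond: str = ""       # name of the Condition; "" = empty Condition

@dataclass(frozen=True)
class Container:         # a Policy (children are Rules) or a PolicySet
    target: tuple
    children: tuple

def conj(values):
    """Three-valued conjunction; an empty Target evaluates to match."""
    values = list(values)
    return F if F in values else I if I in values else T

def combine(decisions):
    return max(decisions, key=ORDER.__getitem__, default=NA)

def evaluate(node, env, page_table=True):
    """Decision of a Rule, Policy or PolicySet; env maps each name to T/F/I
    (for a Condition, T means True and F means False)."""
    target = conj(env[name] for name in node.target)
    if target == F:
        return NA
    if isinstance(node, Rule):
        cond = env[node.cond] if node.cond else T
        if page_table and cond == F:     # Table 2: Condition ⊥ gives Rule ⊥
            return NA
        if target == I or cond == I:
            return IND
        return node.effect if cond == T else NA
    combined = combine(evaluate(c, env, page_table) for c in node.children)
    if target == I:                      # Tables 3 and 4, rows with Target I
        return NA if combined == NA else IND
    return combined

def flatten(node, inherited=()):
    """Steps 2, 4 and 5: AND every ancestor Target into each Rule Target."""
    target = inherited + node.target
    if isinstance(node, Rule):
        yield Rule(node.effect, target, node.cond)
    else:
        for child in node.children:
            yield from flatten(child, target)

def to_generic(root):
    """Root PolicySet with empty Target holding one Policy with empty Target."""
    return Container((), (Container((), tuple(flatten(root))),))

def names(node):
    found = set(node.target)
    if isinstance(node, Rule):
        return found | ({node.cond} if node.cond else set())
    return found.union(*(names(c) for c in node.children))

def differences(root, page_table=True):
    """Assignments on which the policy and its Generic-XACML form disagree."""
    generic, atoms = to_generic(root), sorted(names(root))
    diffs = []
    for values in product((T, F, I), repeat=len(atoms)):
        env = dict(zip(atoms, values))
        before = evaluate(root, env, page_table)
        after = evaluate(generic, env, page_table)
        if before != after:
            diffs.append((env, before, after))
    return diffs

# Constructed sample in the shape of an XACML-RBAC policy (not from the paper).
SAMPLE = Container((), (
    Container(("role=doctor",), (                    # Role PolicySet
        Container(("resource=record",), (            # Permission Policy
            Rule(PERMIT, ("action=read",), "on-duty"),
            Rule(DENY, ("action=delete",)),
        )),
    )),
    Container(("role=nurse",), (
        Container((), (Rule(PERMIT, ("action=read",), "on-duty"),)),
    )),
))
```

With `page_table=False` a Rule is evaluated with the rule table of the XACML standard, where an Indeterminate Target yields Indeterminate whatever the Condition. `differences` is then no longer empty: for `SAMPLE` it includes assignments where the original evaluates to NotApplicable and the flattened form to Indeterminate.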
5. Mapping from Generic-XACML to XACML Profiles
Input: Generic-XACML document
Output: XACML-RBAC document
Create a root PolicySet in XACML-RBAC document with an empty Target
For i = 1 to rulesnumber do
    Parse Target of rule i in Generic-XACML document
    If Target designates the Subject then
        currentValue = value(Subject)
        Append a role PolicySet with Target designating currentValue for the Subject
        Insert a Permissions PolicySet with an empty Target
        Insert a policy with an empty Target
        RoleRules[] = rule i
        For j = i+1 to rulesnumber do
            Parse Target of rule j
            If value(Subject) = currentValue then
                RoleRules[] = rule j
        Alter RoleRules Targets: delete constraint about currentValue
        Insert RoleRules into the policy
Return XACML-RBAC document

Algorithm 2: Mapping from Generic-XACML to XACML-RBAC profile.

Once we obtain the Generic-XACML policy, we can reform it into the desired XACML profile. This involves encompassing Rules into policies and PolicySets according to the profile specifications. In this section, we describe how to map from Generic-XACML to a specific XACML profile. We follow two main steps:
(1) Reproducing a customized policy conform to theprofile specifications
(2) Optimizing the resulting policy
For both steps the sorts of transformations we carry outare as follows
(i) Inserting container Policy or PolicySet elements hav-ing an empty Target element and the same combiningalgorithm as the initial policy
(ii) Moving constraints that are common between thenested elements from their Targets to the Target of thecontainer element
(iii) Moving the ObligationExpression or AdviceExpres-sion elements that are common between the nestedelements to the container element
These transformations do not affect the decision evalua-tion of the global policy as it is proved in the Section 4
51 Conformance to Specific Profile For a generic policy tobe conforming to profile specifications it is transformedand customized by a specific algorithm that depends onthe profile and that differs from one profile to another Forillustration purposes we touch on RBAC and UCON profiles
511 Mapping from Generic-XACML to XACML-RBACProfile To translate a policy from Generic-XACML intoXACML-RBAC profile we follow Algorithm 2
In conformance with XACML-RBAC profile specifications, the resulting document will contain a root PolicySet element with an empty Target. On the other side, the original document is parsed. Then Targets of the Rules are browsed. So, for each possible value of the Subject, we create a PolicySet element representing a Role and a nested PolicySet element with an empty Target representing the Role permissions. As for the PolicySet representing the Role, the Target will contain a nesting of an AnyOf, an AllOf, and a Match element. The latter designates the current value of the Subject. Then all Rules that contain a Match element that satisfies the current Subject are selected and inserted in a Policy element nested into the PolicySet representing permissions. Before rules are inserted, their Targets are altered so as to eliminate the Match element that designates the current value of the Subject.
Rules containing no Match element that designates a Subject are considered as Rules concerning all Subjects. These Rules are then inserted into every PolicySet element representing a role.
Special Case. Algorithm 2 consists of factoring Rules into policies. The factor is a Match element that designates the Subject. This is only possible if Targets are logically expressed as a conjunction of Match elements. If an AnyOf element contains more than one AllOf element, the Target will be evaluated as a conjunction of disjunctions of conjunctions of Match elements, and we cannot factorize by Match element. In this case, our algorithm will compare the AnyOf element as a whole rather than comparing only the Match element.
5.1.2. Mapping from Generic-XACML to XACML-UCON Profile. The XACML-UCON profile described in [25] is an implementation of the UCONABC model [30] that fulfills XACML specifications and categorizes policies into 3 types: Authorizations, oBligations, and Conditions. The particularity of UCON is the Continuity of Usage and Mutable Attributes, which are expressed as XACML Obligations within the Policy element. So mapping to the UCON profile consists of categorizing original Rules into three categories: Authorizations A, oBligations B, and Conditions C. Then each category is divided into two subcategories: pre- (evaluated only once) and ongoing (continuous re-evaluation). So the resulting document will eventually contain six types of Policy: preA, preB, preC, onA, onB, and onC.
Algorithm 3 shows how to execute the mapping from Generic-XACML to the XACML-UCON profile. Rules of the original document are parsed. If a Rule contains at least one element that designates or selects an XACML Environment attribute, it will be considered as a Condition C. If it contains an XACML Condition element, it will be considered as an oBligation B. Otherwise, it will be considered as an Authorization A. On the other hand, if the Rule contains an XACML Obligation element with an AttributeAssignment element which specifies the time interval between continuous policy re-evaluations, the Rule is inserted in the resulting document inside an ongoing Policy: onA, onB, or onC. Otherwise, it is inserted inside a pre Policy: preA, preB, or preC.

Input: Generic-XACML document
Output: XACML-UCON document
create a root PolicySet in XACML-UCON document
for i=1 to rulesnumber do
    parse Target of rule i in Generic-XACML document
    if exist any element designating Environment attribute then
        if exist obligation specifying the request interval for ongoing control then
            onCRules[]=rule i
        else
            preCRules[]=rule i
    else if exist condition element in rule i then
        if exist obligation specifying the request interval for ongoing control then
            onBRules[]=rule i
        else
            preBRules[]=rule i
    else
        if exist obligation specifying the request interval for ongoing control then
            onARules[]=rule i
        else
            preARules[]=rule i
if preARules is not empty then
    insert preAPolicy
    insert preARules into preAPolicy
if onARules is not empty then
    insert onAPolicy
    insert onARules into onAPolicy
if preBRules is not empty then
    insert preBPolicy
    insert preBRules into preBPolicy
if onBRules is not empty then
    insert onBPolicy
    insert onBRules into onBPolicy
if preCRules is not empty then
    insert preCPolicy
    insert preCRules into preCPolicy
if onCRules is not empty then
    insert onCPolicy
    insert onCRules into onCPolicy
return XACML-UCON document

Algorithm 3: Mapping from Generic-XACML to XACML-UCON profile.
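The classification of Algorithm 3 run over XACML 3.0 markup, as an added Python example that is not the authors' code. The Generic-XACML document is constructed for illustration, and the AttributeId used for the re-evaluation interval and the other urn:example: identifiers are placeholders, since the page does not give the profile's own identifiers; the output carries only Policy identifiers, not every attribute the XACML schema requires.

```python
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
ENVIRONMENT = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
XSD = "http://www.w3.org/2001/XMLSchema#"
# Assumption: placeholder AttributeId for the re-evaluation interval. The page
# does not give the identifier that the XACML-UCON profile uses.
INTERVAL_ID = "urn:example:ucon:reevaluation-interval"

def classify(rule):
    """Return preA, onA, preB, onB, preC or onC for one Rule element."""
    refs = [el for part in ("x:Target", "x:Condition")
            for tag in ("x:AttributeDesignator", "x:AttributeSelector")
            for el in rule.findall(f"{part}//{tag}", NS)]
    if any(el.get("Category") == ENVIRONMENT for el in refs):
        kind = "C"                       # Environment attribute: UCON Condition
    elif rule.find("x:Condition", NS) is not None:
        kind = "B"                       # XACML Condition: UCON oBligation
    else:
        kind = "A"                       # otherwise: Authorization
    ongoing = any(a.get("AttributeId") == INTERVAL_ID
                  for a in rule.findall(".//x:AttributeAssignmentExpression", NS))
    return ("on" if ongoing else "pre") + kind

def map_to_ucon(generic_xml):
    """Group the Rules of a Generic-XACML document into the six Policy types."""
    generic = ET.fromstring(generic_xml)
    buckets = {}
    for rule in generic.findall("x:Policy/x:Rule", NS):
        buckets.setdefault(classify(rule), []).append(rule)
    xacml = "{" + NS["x"] + "}"
    root = ET.Element(xacml + "PolicySet", {"PolicySetId": "ucon-root"})
    for name in ("preA", "onA", "preB", "onB", "preC", "onC"):
        if name in buckets:              # only non-empty categories get a Policy
            policy = ET.SubElement(root, xacml + "Policy", {"PolicyId": name})
            policy.extend(buckets[name])
    return root

# ---- Constructed sample input (not taken from the paper) ----
def target(category, attribute_id, value):
    return ('<Target><AnyOf><AllOf>'
            '<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">'
            f'<AttributeValue DataType="{XSD}string">{value}</AttributeValue>'
            f'<AttributeDesignator Category="{category}" AttributeId="{attribute_id}"'
            f' DataType="{XSD}string" MustBePresent="false"/>'
            '</Match></AllOf></AnyOf></Target>')

CONDITION = ('<Condition>'
             '<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only">'
             f'<AttributeDesignator Category="{RESOURCE}" AttributeId="urn:example:consent"'
             f' DataType="{XSD}boolean" MustBePresent="true"/></Apply></Condition>')
INTERVAL = ('<ObligationExpressions>'
            '<ObligationExpression ObligationId="urn:example:recheck" FulfillOn="Permit">'
            f'<AttributeAssignmentExpression AttributeId="{INTERVAL_ID}">'
            f'<AttributeValue DataType="{XSD}integer">30</AttributeValue>'
            '</AttributeAssignmentExpression></ObligationExpression></ObligationExpressions>')

def rule(rule_id, *parts):
    return f'<Rule RuleId="{rule_id}" Effect="Permit">' + "".join(parts) + "</Rule>"

GENERIC = (
    f'<PolicySet xmlns="{NS["x"]}" PolicySetId="generic"><Target/>'
    '<Policy PolicyId="generic-policy"><Target/>'
    + rule("read-record", target(RESOURCE, "urn:example:type", "record"))
    + rule("stream-video", target(RESOURCE, "urn:example:type", "video"), INTERVAL)
    + rule("with-consent", target(RESOURCE, "urn:example:type", "record"), CONDITION)
    + rule("on-site", target(ENVIRONMENT, "urn:example:location", "hospital"))
    + rule("on-site-consent", target(ENVIRONMENT, "urn:example:location", "hospital"),
           CONDITION, INTERVAL)
    + "</Policy></PolicySet>")

if __name__ == "__main__":
    for policy in map_to_ucon(GENERIC):
        print(policy.get("PolicyId"), [r.get("RuleId") for r in policy])
```

The Environment test runs before the Condition test, so a Rule that carries both (on-site-consent here) is filed under C, as in Algorithm 3.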
5.2. Optimizing Policies. When mapping from Generic-XACML to any XACML profile, the resulting policy could have redundancies in Target, Advice, or Obligation elements, or a large number of Rules in one Policy element, which makes it costly for the Policy Decision Point in terms of execution time. In this subsection, we propose an algorithm to optimize the resulting policies.
This algorithm (Algorithm 4) consists of regrouping Rules into policies based on common values of attributes in the Target element. Therefore the algorithm iterates over attribute categories. The attribute categories and their order are selected based on the model (e.g., we follow the order Resource, Action, then Environment for the RBAC model). So for each attribute category and for each Policy element, Rules are parsed. Then, if the Rule Target designates the current attribute category, its value is compared with the attribute category value of other Rules. Thus Rules with equal attribute category values are combined into a sibling Policy (a new Policy having the same parent as the current Policy). Its Target will contain a nesting of an AnyOf, an AllOf, and a Match element. The latter designates the current value of the current category of attribute.

Input: XACML document
Forall attribute categories do
    Forall Policy elements do
        evaluate rulesnumber of current policy
        If rulesnumber ≥ 2 then    // policy with one rule does not need optimization
            For i=1 to rulesnumber do
                parse Target of rule i
                If Target designates current attribute category then
                    CurrentValue=value(attribute category)
                    combinedRules[]= rule i
                    For j=i+1 to rulesnumber do
                        parse Target of rule j
                        If value(attribute category)= CurrentValue then
                            combinedRules[]= rule j
                    If length(combinedRules) ≥ 2 then
                        If length(combinedRules) = rulesnumber then
                            alter Target of current Policy element
                            alter combinedRules Targets
                        Else
                            create sibling policy with Target designating CurrentValue for attr category
                            alter combinedRules Targets
                            move combinedRules to the new sibling policy

Algorithm 4: Optimizing policies.

If a resulting document contains a large number of Policy elements, this algorithm can be extended to combine Policy elements into PolicySet elements with the same instructions.
Other constraints can be added to the algorithm depending on the profile specifications (e.g., the Target of a PolicySet representing a role in the RBAC profile designates only Subject attributes).
Special Case. Similarly to Algorithm 2, if an AnyOf element contains more than one AllOf element, the algorithm will compare the AnyOf element as a whole rather than comparing only the Match element.
As for obligations and advices, if all Rules within a Policy element have the same ObligationExpression or the same AdviceExpression element, then this expression is moved to the parent Policy.
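The Subject factoring of Section 5.1.1 and the regrouping of Section 5.2, as one added Python example that is not the authors' implementation. It assumes an in-memory stand-in for XACML (Targets are plain conjunctions of Match constraints held in dictionaries, so the Special Case is out of scope) and deny-overrides as the single combining algorithm, and it checks by exhaustive evaluation whether the mapped policy returns the same decisions as the generic one; all names and sample rules are constructed for illustration.

```python
from itertools import product

# Assumed model: a Target is {category: value}, a conjunction of Match elements;
# {} is an empty Target. A Rule is {"target", "effect"}; a Policy or PolicySet
# is {"target", "children"}.

def evaluate(node, request):
    """Evaluate with deny-overrides at every level (one combining algorithm)."""
    if any(request.get(cat) != val for cat, val in node["target"].items()):
        return "NotApplicable"
    if "effect" in node:
        return node["effect"]
    decisions = [evaluate(child, request) for child in node["children"]]
    return next((d for d in ("Deny", "Permit") if d in decisions), "NotApplicable")

def to_rbac(generic):
    """Section 5.1.1: factor the Rules of the single generic Policy by Subject."""
    rules = generic["children"][0]["children"]
    roles = list(dict.fromkeys(r["target"]["subject"]
                               for r in rules if "subject" in r["target"]))
    root = {"target": {}, "children": []}
    for role in roles:
        # Rules without a Subject constraint go into every role, as the text says.
        role_rules = [{"target": {c: v for c, v in r["target"].items() if c != "subject"},
                       "effect": r["effect"]}
                      for r in rules if r["target"].get("subject", role) == role]
        permissions = {"target": {}, "children": [{"target": {}, "children": role_rules}]}
        root["children"].append({"target": {"subject": role}, "children": [permissions]})
    return root

def optimize(parent, categories=("resource", "action", "environment")):
    """Section 5.2 (Algorithm 4) applied to the Policy children of `parent`."""
    for cat in categories:
        for policy in list(parent["children"]):
            rules = policy["children"]
            if len(rules) < 2:               # a one-Rule Policy needs no optimization
                continue
            groups = {}
            for rule in rules:
                if cat in rule["target"]:
                    groups.setdefault(rule["target"][cat], []).append(rule)
            for value, group in groups.items():
                if len(group) < 2:
                    continue
                for rule in group:
                    del rule["target"][cat]  # the constraint moves to the container
                if len(group) == len(rules):
                    policy["target"][cat] = value
                else:
                    moved = {id(rule) for rule in group}
                    policy["children"] = [r for r in policy["children"]
                                          if id(r) not in moved]
                    # The sibling keeps whatever the Policy Target already required.
                    parent["children"].append(
                        {"target": {**policy["target"], cat: value}, "children": group})
    return parent

def map_and_optimize(generic):
    rbac = to_rbac(generic)
    for role_set in rbac["children"]:
        optimize(role_set["children"][0])    # the role's Permissions PolicySet
    return rbac

def differing_requests(a, b, subjects):
    """Requests over the sample attribute values on which a and b disagree."""
    space = product(subjects, ("record", "schedule"), ("read", "write", "delete"))
    requests = [dict(subject=s, resource=r, action=x) for s, r, x in space]
    return [q for q in requests if evaluate(a, q) != evaluate(b, q)]

# ---- Constructed sample policy (not taken from the paper) ----
def rule(effect, **target):
    return {"target": target, "effect": effect}

GENERIC = {"target": {}, "children": [{"target": {}, "children": [
    rule("Permit", subject="doctor", resource="record", action="read"),
    rule("Permit", subject="doctor", resource="record", action="write"),
    rule("Permit", subject="doctor", resource="schedule", action="read"),
    rule("Permit", subject="nurse", resource="record", action="read"),
    rule("Deny", resource="record", action="delete"),   # no Subject: all roles
]}]}

if __name__ == "__main__":
    rbac = map_and_optimize(GENERIC)
    print("known roles:", differing_requests(GENERIC, rbac, ["doctor", "nurse"]))
    print("no role    :", differing_requests(GENERIC, rbac, ["guest"]))
```

In this model the two policies agree on every request whose subject is one of the roles the policy names. A subject with no role PolicySet (guest here) no longer reaches the subject-less Deny rule and gets NotApplicable instead, so the outcome for such subjects depends on how the enforcement point treats NotApplicable.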
6. Conclusion and Future Research
In this paper, we propose Access Control in Cross-Organizational coLLABoration (ACCOLLAB), which tackles the problem of heterogeneity of access control models across organizations while respecting the internal access control model of each organization involved in a collaboration.
This solution is based on a mechanism for automatically mapping between policies in different models. We considered the previously proposed ontology-based semantic mapping process to deal with semantic correspondences and focused on syntactic transformations of the heterogeneous policies to propose a complete solution.
This automatic mapping is based on XACML profiles and the generic language Generic-XACML we have defined. Thus, we have given a logic proof for all of the mapping steps.
Thus our generic access control model ACCOLLAB solves the heterogeneity problem, ensures interoperability across organizations, and maintains the privacy of each collaborating organization.
We are working to implement our mapping algorithms using the XACML implementation Balana; then we are going to complete the implementation of the policy mapping architecture based on WSO2 servers.
Besides that, we intend to extend XACML in order to find equivalence between combining algorithms, so that our proposed mechanism covers heterogeneous combining algorithms.
Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.
Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.
References
[1] R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman, "Role-based access control models," The Computer Journal, vol. 29, no. 2, pp. 38–47, 1996.
[2] R. K. Thomas and R. S. Sandhu, "Task-based authorization controls (TBAC): a family of models for active and enterprise-oriented authorization management," in Database Security XI, IFIP Advances in Information and Communication Technology, pp. 166–181, Springer US, Boston, MA, 1998.
[3] E. Yuan and J. Tong, "Attributed based access control (ABAC) for web services," in Proceedings of the IEEE International Conference on Web Services (ICWS'05), pp. 561–569, IEEE, July 2005.
[4] A. A. E. Kalam, R. E. Baida, P. Balbiani et al., "Organization based access control," in Proceedings of the 4th IEEE International Workshop on Policies for Distributed Systems and Networks, pp. 120–131, 2003.
[5] A. Kalam and Y. El, "Multi-OrBAC: a New Access Control Model for Distributed, Heterogeneous and Collaborative Systems," in Proceedings of the 8th IEEE International Symposium on Systems and Information Security, p. 1, 2006.
[6] A. Kamoun and S. Tazi, "A semantic role-based access control for intra and inter-organization collaboration," in Proceedings of the 23rd IEEE International WETICE Conference, WETICE 2014, pp. 86–91, Italy, June 2014.
[7] W. Zhou and C. Meinel, "Team and task based RBAC access control model," in Proceedings of the 2007 Latin American Network Operations and Management Symposium - LANOMS 2007, pp. 84–94, Brazil, September 2007.
[8] J. Li, J. Zic, N. Oakes, D. Liu, and C. Wang, "Design and evaluation of an integrated collaboration platform for secure information sharing," in Cooperative Design, Visualization, and Engineering, vol. 9929 of Lecture Notes in Computer Science, pp. 185–193, Springer International Publishing, Cham, 2016.
[9] F. Liang, H. Guo, S. Yi, and S. Ma, "A multiple-policy supported attribute-based access control architecture within large-scale device collaboration systems," Journal of Networks, vol. 7, no. 3, pp. 524–531, 2012.
[10] S. Sicari, A. Rizzardi, D. Miorandi, and A. Coen-Porisini, "Dynamic policies in internet of things: enforcement and synchronization," IEEE Internet of Things Journal, vol. 4, no. 6, pp. 2228–2238, 2017.
[11] A. Almutairi, M. Sarfraz, S. Basalamah, W. Aref, and A. Ghafoor, "A distributed access control architecture for cloud computing," IEEE Software, vol. 29, no. 2, pp. 36–44, 2012.
[12] H. Xiang, X. Xia, H. Hu, J. Sang, and C. Ye, "Approaches to access control policy comparison and the inter-domain role mapping problem," Information Technology and Control, vol. 45, no. 3, pp. 278–288, 2016.
[13] Z. Wu and L. Wang, "An innovative simulation environment for cross-domain policy enforcement," Simulation Modelling Practice and Theory, vol. 19, no. 7, pp. 1558–1583, 2011.
[14] Z.-W. Wang, "A generic access control model based on ontology," in Proceedings of the 2010 IEEE International Conference on Wireless Communications, Networking and Information Security, WCNIS 2010, pp. 335–339, China, June 2010.
[15] S. Haguouche and Z. Jarir, "Managing heterogeneous access control models cross-organization," in Proceedings of the International Conference on Risks and Security of Internet and Systems, pp. 222–229, 2015.
[16] S. Haguouche and Z. Jarir, "Generic access control model and semantic mapping between heterogeneous policies," International Journal of Technology Diffusion (IJTD), vol. 9, no. 4, pp. 52–65, 2018.
[17] S. Haguouche and Z. Jarir, "Toward a generic access control model," in Proceedings of the 3rd IEEE World Conference on Complex Systems, WCCS 2015, pp. 1–6, IEEE, Morocco, November 2015.
[18] R. Xu, Y. Chen, E. Blasch, and G. Chen, "A federated capability-based access control mechanism for Internet of Things (IoTs)," in Proceedings of the Sensors and Systems for Space Applications XI, International Society for Optics and Photonics, 2018.
[19] L. Duan, Y. Zhang, S. Chen et al., "Automated policy combination for secure data sharing in cross-organizational collaborations," IEEE Access, vol. 4, pp. 3454–3468, 2016.
[20] G. Geethakumari, A. Negi, and V. N. Sastry, "A cross - Domain role mapping and authorization framework for RBAC in grid systems," International Journal of Computer Science and Application, vol. 6, no. 1, pp. 1–12, 2009.
[21] D. Preuveneers, W. Joosen, and E. Ilie-Zudor, "Policy reconciliation for access control in dynamic cross-enterprise collaborations," Enterprise Information Systems, vol. 12, no. 3, pp. 279–299, 2018.
[22] C. Esposito, "Interoperable, dynamic and privacy-preserving access control for cloud data storage when integrating heterogeneous organizations," Journal of Network and Computer Applications, vol. 108, pp. 124–136, 2018.
[23] OASIS XACML Technical Committee, "eXtensible Access Control Markup Language (XACML) Version 3.0," http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html, accessed July 2018.
[24] OASIS XACML Technical Committee, "XACML v3.0 core and hierarchical Role Based Access Control (RBAC) profile version 1.0 (committee specification 02)," http://docs.oasis-open.org/xacml/3.0/rbac/v1.0/xacml-3.0-rbac-v1.0.html, accessed July 2018.
[25] Y. Ghazi, R. Masood, M. A. Shibli, and S. Khurshid, "Usage-based access control for cloud applications," in Innovative Solutions for Access Control Management, pp. 197–223, 2016.
[26] G. Karjoth, A. Schade, and E. Van Herreweghen, "Implementing ACL-based policies in XACML," in Proceedings of the 24th Annual Computer Security Applications Conference, ACSAC 2008, pp. 183–192, USA, December 2008.
[27] M. Xu, D. Wijesekera, and X. Zhang, "Towards session-aware RBAC administration and enforcement with XACML," in Proceedings of the 2009 IEEE International Symposium on Policies for Distributed Systems and Networks, 2009.
[28] X. Jin, R. Krishnan, and R. Sandhu, "A unified attribute-based access control model covering DAC, MAC and RBAC," Lecture Notes in Computer Science, vol. 7371, pp. 41–55, 2012.
[29] C. D. P. K. Ramli, H. R. Nielson, and F. Nielson, "The logic of XACML," Science of Computer Programming, vol. 83, pp. 80–105, 2014.
[30] J. Park and R. Sandhu, "The UCONABC usage control model," ACM Transactions on Information and System Security, vol. 7, no. 1, pp. 128–174, 2004.
organizations using only RBAC model and excludes other models.
Policies in these works will be defined in the same way for all collaborating organizations. Access requests will be homogeneous with enforcement mechanisms of the collaborating organizations. Meanwhile, adopting a new access control model requires rebuilding the whole access control system of collaborating organizations, which is impractical and sometimes refused by organizations.
2.2. Case 2: Solutions to Control Access across Organizations Adopting the Same Access Control Model. Many works have proposed solutions for access control in cross-organizational collaboration where all organizations adopt the same model (ABAC or RBAC are the most used). While reviewing the most interesting contributions, we have concluded that two main architectures are proposed: centralized architecture and distributed architecture.
2.2.1. Centralized Architecture. The work [8] proposes a centralized architecture for access control across organizations, where each collaborating organization defines policies associated with its shared resources. Then these policies are managed by a coordination organization depending on each collaboration incident and enforced by centralized components, which are based on the ABAC model.
Authors in [9] propose a Multiple-Policy supported Attribute-Based Access Control model (MPABAC) with a centralized architecture. This model extends the traditional ABAC model by providing cross-domain authentication and authorization. They propose a priority description to combine policies among multiple domains and adopt a hierarchical structure for policy enforcement.
Authors in [19] address the issues of combining multiple XACML policies in cross-organizational collaboration. They present a policy combination architecture that consists of classifying the rules based on attribute constraints in each policy of collaborative organizations and then reducing the rules of the corresponding classes to one with the same attribute constraints. The reduced rules are then combined into a new global policy by choosing the appropriate rule combining algorithm.
This kind of contribution proposes centralized solutions for access control in cross-organizational collaboration, assuming that all collaborating organizations are using the same access control model. So they try to find a way to combine access control policies of collaborating organizations or to combine access control decisions.
2.2.2. Distributed Architecture. The work [10] proposes a policy distribution and synchronization schema for an IoT environment. It is based on a virtual channels technique for the propagation and synchronization of policies across different domains in real time. The paper presents a mechanism to dynamically enforce and propagate policies across heterogeneous domains. However, it does not consider the heterogeneity of the policies themselves, which can be expressed in different ways according to each domain. It considers only the ABAC model and assumes that no heterogeneity exists in policy definitions among different organizations.
Authors in [11] proposed a distributed access control architecture to address authorization issues across multiple clouds. The architecture is based on a service-level agreement (SLA) component to allow peer-to-peer interoperation. SLA performs role mapping and evaluates policy constraints defined in a mediated SLA policy. This mediated policy is defined using an RBAC XML-based declaration. The authors propose a solution for interoperability in multiple-cloud collaboration, assuming all clouds are adopting the same access control model, RBAC.
Authors in [20] adapt and implement RBAC for a multidomain grid access control. Their approach includes an architecture for cross-domain role mapping based on a role ranking mechanism. The authors consider only RBAC. Additionally, this approach is not suitable for fine-grained authorization.
Authors in [21] address access control in dynamic cross-enterprise collaborations by proposing a framework for attribute and policy reconciliation where attribute definitions or their interpretations are not standardized. The framework externalizes domain knowledge in order to dynamically infer attribute relationships during the evaluation of authorization decisions. The authors of this paper address the interoperability challenge for access control in cross-enterprise collaborations, but they only consider the ABAC model.
Even though these works give interesting solutions to manage access control in cross-organizational collaboration, they do not consider heterogeneity in the access control models adopted by collaborating organizations.
2.3. Case 3: Approaches Tackling the Interoperability between Heterogeneous Models. An interesting work [22] proposed an ontological approach to deal with the interoperability between heterogeneous access control models by matching different ontologies that describe the diverse access control models of the interconnected organizations. Yet the authors focus on access control for cloud data storage when integrating heterogeneous organizations, which makes it useless in a cross-organizational collaboration with segregated systems.
Authors in [12] address the heterogeneity problem of access control models across collaborating organizations. They proposed an equivalent based access collaboration model, EABC, to protect shared resources. This model covers multiple domains that are adopting different access control models and is based on defining equivalent access, which involves entity mapping and entity linking relationships. They propose a formal definition of policy mapping across organizations. Unfortunately, they do not give any details about the mapping process.
Reference [13] proposed an enforcement architecture that evaluates the possibility of potential cross-domain policy deployment through model-driven mapping and translation, using ontology-based mapping and query-based mapping. The paper presented a solution similar to ours. Meanwhile, it focuses on defined logical models representing common operation rules to ensure the semantic mapping. However, each logical model is defined by domain administrators, which can generate heterogeneity in logical models themselves.
Figure 1: Architecture of policy mapping in cross-organizational collaboration. [Diagram labels: Access Control Mechanism in the Provider Organization (RBAC Model) with Requestee, RBAC-Policy Store, PEP, PDP, PAP; Access Control Mechanism in the Consumer Organization (ABAC Model) with Requestor, ABAC-Policy Store, PEP, PDP, PAP; Request; Policy mapping; Generic XACML Policy.]
The paper [14] analyzed the common knowledge of access control models and proposed an ontology-based model which can describe different access control models. This work gives a formal description of access control ontologies and proposes a connection algorithm which is based on access ontology. However, neither details about the connection algorithm nor the mechanism of mapping between organizations' policies are provided, given that each collaborating organization adopts its own access control mechanism.
These evoked contributions tackle the problem of access control in cross-organizational collaboration where each collaborating organization adopts a different access control model. Unfortunately, none of them gives a complete solution using syntactic and semantic transformations.
This motivates us to come up with a solution characterized by
(1) Respect of legacy systems
(2) Automatic policy mapping between collaborating organizations based on syntactic and semantic transformations
(3) Tackling the heterogeneity in access control models
3. Our Proposed Mechanism of Automatic Mapping between Heterogeneous Models
Our current contribution aims to suggest a solution for Access Control in Cross-Organizational coLLABoration (ACCOLLAB) that respects legacy systems of each organization in the collaboration and aims to enable the enforcement of providers' policies in the consumers' organizations. Figure 1 shows an example of two collaborating organizations using heterogeneous access control systems. The provider organization that offers a requestee (e.g., service, resource, data, ...) defines a policy using the RBAC model and enforces access control using an adequate mechanism. So the consumer organization, which uses the ABAC model and enforces access control using a different mechanism, should be able to read the provider's policy and enforce it using its own access control mechanism. Thus we propose a mechanism for automatic policy mapping between organizations adopting heterogeneous access control models.
The automatic policy mapping involves two transformations: syntactic transformations that concern the form of the policy, which is our focus in this paper, and semantic correspondences, which we tackled in the previous contribution [16], where we relied on a generic representation of access control concepts and proposed an ontology-based semantic mapping.
Thus we assume in this paper that every single constraint in an access control policy expressed in an access control model has a semantically corresponding constraint in any other model, and we focus on automatic mapping between models in terms of policy definition.
To ensure an effective mapping, we use XACML as an intermediate policy definition language for mapping. The motivation behind this choice is that XACML can be used to implement any access control model and that a number of XACML profiles are already defined.
Figure 2 depicts the global architecture of the mapping. Hence, to be able to map from a policy written according to a particular model to another model (e.g., RBAC model to ABAC model), we resort to XACML profiles as an intermediate language. So we define a high-level syntax of XACML that we call Generic-XACML (detailed in Section 3.3). From this syntax we can switch to any XACML profile, and thereafter it will be translated to the target policy language, which is specific to the model.
Our solution is distributed, but unlike existing distributed solutions [10, 11, 20, 21], we consider heterogeneous existing access control systems adopting heterogeneous models (ABAC, RBAC, UCON, ...). Our solution will be implemented as an additional layer on the top of existing access control systems; existing systems will not be changed, only policies will be automatically translated.
Figure 2: Mechanism of policy mapping between heterogeneous models. [Diagram labels: Policy in RBAC, Policy in ABAC, Policy in UCON; Translation to/from XACML profile; Policy in XACML profile for RBAC, for ABAC, for UCON; Unifying/customizing the XACML Syntax; Policy in Generic XACML.]
In the next subsections, we give an overview of XACML and XACML profiles. Then we give a definition of our Generic-XACML language.
3.1. XACML Overview. Recall that XACML (eXtensible Access Control Markup Language) [23] is a standardized access control policy and decision language based on XML. The core of XACML defines policies by hierarchical components. The root element is the PolicySet; it contains Policy and/or other PolicySet elements. A Policy element contains a set of one or more Rule elements. A Rule element contains a condition that is evaluated to either True or False. A Rule element represents a single authorization or prohibition depending on its effect, which is either Permit or Deny. XACML provides Combining Algorithms that operate to combine decisions or effects of multiple Policy or Rule elements into a single decision, via a Policy Combining Algorithm for Policy elements and via a Rule Combining Algorithm for Rule elements.
Rule, Policy, and PolicySet elements include a Target element to specify their applicability to the access control request and, optionally, an obligationExpressions element or an adviceExpressions element to define obligations or advices, respectively. The Target element may be empty or a conjunction of a disjunction (AnyOf elements) of a conjunction (AllOf element) of Subject, Resource, Action, and/or Environment conditions expressed as Match elements. Subject, Resource, Action, and Environment are the four attribute categories defined by XACML.
3.2. XACML Profiles
3.2.1. XACML-RBAC Profile. [24] defines a profile to meet the requirements for RBAC. The RBAC profile of XACML (XACML-RBAC) expresses a way to use the standard XACML within the RBAC model.
In this profile, each Role is defined by a PolicySet element. It contains a Target element that makes the PolicySet applicable only to Subjects having the XACML Attribute associated with the given Role. The Target element does not restrict the Resource, Action, or Environment. This Role PolicySet element contains a unique PolicySet that defines the actual Permissions associated with the Role. Such a PolicySet contains PolicySet, Policy, and Rule elements that describe the resources and actions that subjects are permitted to access, along with any further environmental conditions, such as time of day. A given Permission PolicySet may also contain references to Permission PolicySet elements associated with other Roles (hierarchy).
The Target element of a Permission PolicySet and its included or referenced PolicySet, Policy, and Rule elements must not limit the subjects to which the PolicySet is applicable.
3.2.2. XACML-UCON Profile. [25] defines a profile (XACML-UCON) for the use of XACML in expressing policies that would ensure usage control as defined in the UCON model. In this profile, Authorizations are specified by XACML Subject and XACML Resource in the Target element. Obligations are specified by XACML Condition. Conditions (the UCON concept) are specified by XACML Environment. Rights are specified by XACML Action. Continuity of usage decision will be expressed in the XACML Obligation within the Policy element. It would contain an AttributeAssignment, which will specify the time interval between continuous policy re-evaluations.
Mutable Attributes are specified within XACML Obligations as XACML AttributeAssignment. The AttributeId is where the name of the mutable attribute is specified.
3.2.3. Other XACML Profiles. Other works like [26–28] define XACML profiles for Access Control List (ACL) and ABAC models. In the same way, other profiles for other models can be developed, since XACML offers the possibility to express any concept as attributes. Thus we can map any existing policy into the XACML policy language. The profile will specify the particularity of the model by specifying
(i) The correlation between the model concepts and the categories of attributes
(ii) The categories of attributes to put in for some Target elements
(iii) The nesting of the XACML elements (specify the number of children of some elements)
(iv) The combining algorithms that are used
33 Generic-XACML When organizations engage in collab-oration access control policies related to the shared Reques-tees (services or resources ) are translated to the XACMLprofile for the model adopted by the provider organizationThen these policies are automatically mapped to Generic-XACML and shared jointly with the requestees Later thesepolicies are automatically mapped to the XACML profile forthe model adopted by the consumer organization and finallytranslated to the consumer model So Generic-XACML isa high level language that serves as intermediate for themapping Generic-XACML is inspired from XACML suchas it matches the XACML specifications for policy definitionand restricts the core XACML by the following constraints
(i) It contains a root PolicySet element with an emptyTarget
(ii) The root PolicySet contains exactly one nested Policyelement with an empty Target as well
(iii) The Policy element contains a set of nested Ruleelements and optionally a set of Obligation andorAdvice elements
Figure 3 depicts a pseudo code of the structure of aGeneric-XACML policy
In the next Sections 4 and 5 we show in more details howtomap between Generic-XACML and XACML profiles Andwe prove the equivalence between policies
Figure 3 A pseudo code of the structure of a Generic-XACMLpolicy
Table 1: Possible values of XACML elements.

| | Match and Target value | Condition value | Rule, Policy, and PolicySet value |
|---|---|---|---|
| $\top$ | Match | True | Applicable (either permit or deny) |
| $\bot$ | Not match | False | Not applicable |
| $I$ | Indeterminate | Indeterminate | Indeterminate |
3.4. Policy Decision Evaluation for XACML and Generic-XACML. The Rule evaluation depends on the Target evaluation and the Condition evaluation [23]. The Target value can be either match, not match, or indeterminate. The value indeterminate can be obtained if an error occurred or some required value was missing, so a decision cannot be made.

The Condition element is a set of propositional formulae which is evaluated to either True, False, or Indeterminate. An empty Condition or an empty Target is always evaluated to True. The evaluation of a Rule element is either applicable, not applicable, or Indeterminate. An applicable Rule has effect either deny or permit. Finally, the evaluation of Policy and PolicySet elements is based on a combining algorithm, of which the result can be either applicable (with its effect either deny or permit), not applicable, or indeterminate.

In this paper, we refer to the formal XACML elements evaluation developed in [29]. In this work, the authors use a three-valued logic represented by the three symbols ($\top$, $\bot$, $I$) that correspond to XACML elements evaluation. Table 1 depicts the mapping between these three logic values and XACML elements evaluation.

In order to distinguish whether an applicable policy permits access or denies it, this three-valued logic is extended to a multivalued logic represented by the set $V_6 = \{\bot, I_d, I_p, I_{dp}, \top_d, \top_p\}$, where the subscript $d$ denotes Deny, the subscript $p$ denotes Permit, and the subscript $dp$ denotes Deny Permit.
    Input: XACML profile document
    Output: Generic-XACML document
    Require: unified combining algorithm
    Create PolicySet element with empty Target
    Create Policy element with empty Target
    Parse the XACML document
    forall PolicySet element do
        forall Policy element do
            forall Rule element do
                Combine Rule Target with current Policy and PolicySet Targets
                Combine Rule ObligationExpressions with current Policy and PolicySet ObligationExpressions
                Combine Rule AdviceExpressions with current Policy and PolicySet AdviceExpressions
                Insert current Rule in the Generic-XACML document
    Return Generic-XACML document

Algorithm 1: Mapping from one XACML profile to Generic-XACML.
4. Mapping from XACML Profiles to the Generic-XACML

In this section, we show that any policy written in an XACML profile can be mapped into our generic language. We explain how to proceed in order to map to the Generic-XACML without altering the logic of the policy and its decision evaluation. The following are the steps of transformation of the original policy written in an XACML profile.

Step 1. Unifying the combining algorithms (in our study, we focus on the case where we have the same combining algorithm in all Policy and PolicySet elements).

Step 2. Nesting the Target of the Policy and PolicySet elements into their composite Rule elements and combining them with the Rule Target, so that we obtain all Policy and PolicySet elements with an empty Target.

Step 3. Nesting all ObligationExpression and AdviceExpression elements of the Policy and PolicySet elements into their composite Rule elements by inserting them into the ObligationExpressions element or into the AdviceExpressions element of the Rule.

Step 4. If a PolicySet is nested into another PolicySet, its Target is empty, and its combining algorithm is the same as the container PolicySet, then it will be eliminated and substituted by its content.

Step 5. In order to obtain only one Policy element, we substitute all Policy elements by one Policy element that contains the content of all nested Rules together (they must have the same combining algorithm and an empty Target).

These steps can be carried out through Algorithm 1, which allows mapping from any XACML document to a Generic-XACML document. In the next subsections, we prove that these transformations do not affect the decision evaluation of the policy.
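Steps 1 to 5 and Algorithm 1 applied to a small XACML 3.0 document, as an added example (not the authors' implementation). The sample policy, the `urn:example:` identifier, and all function names are constructed for illustration; policy references and VariableDefinition elements are assumed absent.

```python
import copy
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
ET.register_namespace("", NS)
STR = "http://www.w3.org/2001/XMLSchema#string"
DENY_OVR = "combining-algorithm:deny-overrides"
SUBJ = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RES = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ROLE_ID = "urn:oasis:names:tc:xacml:2.0:subject:role"
RES_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACT_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"


def q(tag):
    """Qualified XACML 3.0 tag name for ElementTree."""
    return "{%s}%s" % (NS, tag)


def any_of(category, attr_id, value):
    """Constructed helper: one AnyOf/AllOf/Match testing attr_id == value."""
    return (
        '<AnyOf><AllOf><Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">'
        f'<AttributeValue DataType="{STR}">{value}</AttributeValue>'
        f'<AttributeDesignator Category="{category}" AttributeId="{attr_id}" '
        f'DataType="{STR}" MustBePresent="false"/></Match></AllOf></AnyOf>'
    )


# Constructed sample: a nested PolicySet/Policy with non-empty Targets and a
# Policy-level obligation, all using deny-overrides.
SAMPLE = f"""
<PolicySet xmlns="{NS}" PolicySetId="root" Version="1.0"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-{DENY_OVR}">
  <Target/>
  <PolicySet PolicySetId="records" Version="1.0"
      PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-{DENY_OVR}">
    <Target>{any_of(RES, RES_ID, 'record')}</Target>
    <Policy PolicyId="doctors" Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-{DENY_OVR}">
      <Target>{any_of(SUBJ, ROLE_ID, 'doctor')}</Target>
      <Rule RuleId="read" Effect="Permit"><Target>{any_of(ACT, ACT_ID, 'read')}</Target></Rule>
      <Rule RuleId="delete" Effect="Deny"><Target>{any_of(ACT, ACT_ID, 'delete')}</Target></Rule>
      <ObligationExpressions>
        <ObligationExpression ObligationId="urn:example:obligation:audit" FulfillOn="Permit"/>
      </ObligationExpressions>
    </Policy>
  </PolicySet>
</PolicySet>
"""


def to_generic(xml_text):
    """Flatten an XACML document into a root PolicySet, one Policy, and Rules."""
    src = ET.fromstring(xml_text)
    containers = [e for e in src.iter() if e.tag in (q("PolicySet"), q("Policy"))]
    algs = [e.get("PolicyCombiningAlgId") or e.get("RuleCombiningAlgId") for e in containers]
    # Step 1 precondition: policy- and rule-combining URNs differ only in their
    # prefix, so the algorithm name after the last ':' must be identical.
    if len({a.rsplit(":", 1)[-1] for a in algs}) != 1:
        raise ValueError("combining algorithms are not unified")
    rule_alg = next(e.get("RuleCombiningAlgId") for e in containers if e.tag == q("Policy"))
    root = ET.Element(q("PolicySet"), {"PolicySetId": "generic", "Version": "1.0",
                                       "PolicyCombiningAlgId": src.get("PolicyCombiningAlgId")})
    ET.SubElement(root, q("Target"))  # an empty Target always matches
    policy = ET.SubElement(root, q("Policy"), {"PolicyId": "generic-policy", "Version": "1.0",
                                               "RuleCombiningAlgId": rule_alg})
    ET.SubElement(policy, q("Target"))

    def walk(node, any_ofs, obligations, advice):
        # Steps 2-3: carry enclosing Targets, obligations and advice downwards.
        # A Target is a conjunction of AnyOf elements, so T and T_i is their union.
        any_ofs = any_ofs + node.findall(f"{q('Target')}/{q('AnyOf')}")
        obligations = obligations + node.findall(
            f"{q('ObligationExpressions')}/{q('ObligationExpression')}")
        advice = advice + node.findall(f"{q('AdviceExpressions')}/{q('AdviceExpression')}")
        if node.tag != q("Rule"):
            # Steps 4-5: containers dissolve; only their Rules are re-emitted.
            for child in node:
                if child.tag in (q("PolicySet"), q("Policy"), q("Rule")):
                    walk(child, any_ofs, obligations, advice)
            return
        rule = ET.SubElement(policy, q("Rule"), dict(node.attrib))
        ET.SubElement(rule, q("Target")).extend([copy.deepcopy(a) for a in any_ofs])
        condition = node.find(q("Condition"))
        if condition is not None:
            rule.append(copy.deepcopy(condition))
        for tag, items in (("ObligationExpressions", obligations), ("AdviceExpressions", advice)):
            if items:
                ET.SubElement(rule, q(tag)).extend([copy.deepcopy(i) for i in items])

    walk(src, [], [], [])
    return root


def rule_targets(generic):
    """RuleId -> values tested by the Rule's combined Target, in document order."""
    return {r.get("RuleId"): [v.text for v in r.find(q("Target")).iter(q("AttributeValue"))]
            for r in generic.iter(q("Rule"))}


if __name__ == "__main__":
    print(ET.tostring(to_generic(SAMPLE), encoding="unicode"))
```

Each flattened Rule now carries the resource, role, and action constraints in its own Target, and the Policy-level obligation is duplicated into every Rule, which is the redundancy Section 4.3 mentions.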
Table 2: Rules truth table.

| $T$ | $T_i$ | $C_i$ | $T \wedge T_i$ | $R_i$ | $R_i'$ |
|---|---|---|---|---|---|
| $\top$ | $-$ | $-$ | $T_i$ | $-$ | $R_i$ |
| $I$ | $\top$ or $I$ | $\top$ or $I$ | $I$ | $\top$ or $I$ | $I$ |
| $I$ | $\bot$ | $-$ | $\bot$ | $\bot$ | $\bot$ |
| $I$ | $-$ | $\bot$ | $-$ | $\bot$ | $\bot$ |
| $\bot$ | $-$ | $-$ | $\bot$ | $\bot$ | $\bot$ |
4.1. Unifying the Combining Algorithms. To carry out the above transformations without affecting the global decision evaluation, we should have the same combining algorithm in the transformed elements. However, to come up with equivalence between combining algorithms, we need to extend XACML by proposing other elements. To avoid encumbering this paper, we suppose we have the same combining algorithm in all Policy and PolicySet elements.

4.2. Policy and PolicySet Elements with an Empty Target. We prove that a Target of a Policy/PolicySet element can be nested into its composite Rule/Policy/PolicySet elements without changing the global decision evaluation, so that, by repeating this transformation, we obtain an empty Target for any Policy or PolicySet element.

Proof. Let $P = \langle T, R_1, \ldots, R_n, \theta \rangle$ be a representation of a Policy, where $T$ is the Policy Target, $R_i = \langle \mathit{Effect}, T_i, C_i \rangle$ for $i \in [1 - n]$ are $n$ nested Rules with $T_i$ the Rule Target and $C_i$ the condition for the Rule $i$, and $\theta$ is the combining algorithm.

And let $P' = \langle \mathit{Null}, R_1', \ldots, R_n', \theta \rangle$ be the transformed Policy, where the Target is empty and $R_i' = \langle \mathit{Effect}, T \wedge T_i, C_i \rangle$ for any $i \in [1 - n]$ are nested Rules, with $T \wedge T_i$ the conjunction of $T$ and $T_i$.

We rely on the truth tables (Tables 2 and 3) [23] to prove that the evaluation of the Policy $P$ is the same as that of $P'$: $[P] = [P']$. We use the notation $[\,]$ to express the evaluation of a Rule, Policy, or PolicySet.
Table 3: Policy truth table.

| Target | Rules | Policy |
|---|---|---|
| $\top$ | $-$ | Combining Algo |
| $I$ | $\exists i \in [1 - n]$, $R_i = \top$ or $I$ | $I$ |
| $I$ | $\forall i \in [1 - n]$, $R_i = \bot$ | $\bot$ |
| $\bot$ | $-$ | $\bot$ |
Case 1. If $T = \top$, then for any $i \in [1 - n]$, $T \wedge T_i = T_i$, so the evaluation of the nested Rules does not change, $[R_i'] = [R_i]$, and then

$$[P'] = [\langle \mathit{Null}, R_1', \ldots, R_n', \theta \rangle] = [\langle \top, R_1', \ldots, R_n', \theta \rangle] \tag{1}$$

An empty Target always matches. Then

$$[P'] = [\langle \top, R_1, \ldots, R_n, \theta \rangle] = [P] \tag{2}$$

Case 2. If $T = I$, then we have the following.

Case 2.1. If $\exists i \in [1 - n]$, ($T_i = I$ or $T_i = \top$) and ($C_i = \top$ or $C_i = I$), then $T \wedge T_i = I$.

Then

$$[R_i'] = I \tag{3}$$

(because $C_i = \top$ or $C_i = I$). So

$$[P'] = [\langle \mathit{Null}, R_1', \ldots, R_n', \theta \rangle] = [\langle \top, R_1', \ldots, R_n', \theta \rangle] = \mathit{comAlg}([R_1'], \ldots, [R_n']) \tag{4}$$

($\mathit{comAlg}$ is the function that evaluates decisions of $[R_1'], \ldots, [R_n']$ according to the combining algorithm used.)

So

$$[P'] = I \tag{5}$$

(at least one Rule evaluated to Indeterminate). On the other hand, $[R_i] = \top$ or $I$, then $[P] = I$ (Target $= I$). So

$$[P'] = [P] \tag{6}$$

Case 2.2. If for any $i \in [1 - n]$, ($T_i = \bot$ or $C_i = \bot$), then for any $i \in [1 - n]$, $[R_i'] = [R_i] = \bot$.

$$[P'] = [\langle \mathit{Null}, R_1', \ldots, R_n', \theta \rangle] = [\langle \top, R_1', \ldots, R_n', \theta \rangle] = \bot \tag{7}$$

And

$$[P] = [\langle I, R_1, \ldots, R_n, \theta \rangle] = \bot = [P'] \tag{8}$$
Table 4: PolicySet truth table.

| Target | Policy or PolicySet | PolicySet |
|---|---|---|
| $\top$ | $-$ | Combining Algo |
| $I$ | $\exists i \in [1 - n]$, $P_i = \top$ or $I$ | $I$ |
| $I$ | $\forall i \in [1 - n]$, $P_i = \bot$ | $\bot$ |
| $\bot$ | $-$ | $\bot$ |
Case 3. If $T = \bot$, then for any $i \in [1 - n]$, $T \wedge T_i = \bot$. So for any $i \in [1 - n]$, $[R_i'] = \bot$ and $[R_i] = \bot$. Then

$$[P'] = [\langle \mathit{Null}, R_1', \ldots, R_n', \theta \rangle] = [\langle \top, R_1', \ldots, R_n', \theta \rangle] = \mathit{comAlg}([R_1'], \ldots, [R_n']) = \bot \tag{9}$$

And

$$[P] = [\langle \bot, R_1, \ldots, R_n, \theta \rangle] = \bot = [P'] \tag{10}$$

The same reasoning applies for a PolicySet composed of a set of policies or PolicySets, with the truth table in Table 4.

4.3. Policy and PolicySet Elements with No Obligation or Advice Elements. Obligation or Advice are operations that must be fulfilled in conjunction with an authorization decision (permit or deny authorization decision). ObligationExpression or AdviceExpression elements may be added optionally in Rule, Policy, or PolicySet elements.

Obligation and Advice do not affect the access decision, but they are fulfilled when the access decision is equal to the value specified in the FulfillOn attribute for the Obligation element and the AppliesTo attribute for the Advice element.

So, since Obligation and Advice do not affect the access decision, we can imbricate them into the nested Rule elements. This results in a redundancy in ObligationExpression and AdviceExpression elements, but it will be overcome when mapping to another XACML profile.

4.4. Substitute Nested PolicySet Elements by Their Contents. Generic-XACML is based on XACML but defines a specific arborescence of the elements. It contains a root PolicySet with an empty Target and a nested Policy element that has an empty Target as well and a set of nested Rule elements. In Section 4.2, we have proved that a Target of a Policy/PolicySet can be nested into its composite Rules/Policies/PolicySets without changing the global decision evaluation. In this section, we prove that if a PolicySet is nested into another PolicySet, its Target is empty, and its combining algorithm is the same as the container PolicySet, then it can be eliminated and substituted by its contents, as illustrated in Figure 4.

Proof. Let $\mathit{CPS}$ be the Container PolicySet element and $\mathit{NPS}_i$ with $i \in [1 - n]$ be its Nested PolicySet elements. All of the container and nested PolicySet elements have an empty Target.
Figure 4: Substitute nested PolicySet elements by their contents.
$\mathit{comAlg}$ is the function that evaluates a set of decisions according to the combining algorithm used. Then the decision evaluation of the $\mathit{CPS}$ is

$$[\mathit{CPS}] = \mathit{comAlg}([\mathit{NPS}_1], \ldots, [\mathit{NPS}_n]) \tag{11}$$

And

$$[\mathit{NPS}_i] = \mathit{comAlg}([P_{i1}], \ldots, [P_{im_i}]) \quad \text{for any } i \in [1 - n] \tag{12}$$

$P_{i1}, \ldots, P_{im_i}$ are nested policies for the PolicySet $\mathit{NPS}_i$ and $m_i$ is their number.

Let us prove that

$$[\mathit{CPS}] = \mathit{comAlg}([P_{11}], \ldots, [P_{1m_1}], \ldots, [P_{n1}], \ldots, [P_{nm_n}]) \tag{13}$$

We use the multivalued approach presented in [29], where they define for each combining algorithm a lattice $(V_6, \le_{CA})$, where $V_6$ is the set $\{\bot, I_d, I_p, I_{dp}, \top_d, \top_p\}$ and the ordering $\le_{CA}$ is defined according to the combining algorithm specification.

So the combining algorithm function applied to a set $S$ of $V_6$ is the least upper bound, the supremum ($\sup$), of $S$.

Then

$$[\mathit{CPS}] = \sup([\mathit{NPS}_1], \ldots, [\mathit{NPS}_n]) = \sup(\sup([P_{11}], \ldots, [P_{1m_1}]), \ldots, \sup([P_{n1}], \ldots, [P_{nm_n}])) \tag{14}$$

If we have the same combining algorithm (the same ordering) for every $\mathit{NPS}_i$, then

$$\sup(\sup([P_{11}], \ldots, [P_{1m_1}]), \ldots, \sup([P_{n1}], \ldots, [P_{nm_n}])) = \sup([P_{11}], \ldots, [P_{1m_1}], \ldots, [P_{n1}], \ldots, [P_{nm_n}]) \tag{15}$$

Then

$$[\mathit{CPS}] = \sup([P_{11}], \ldots, [P_{1m_1}], \ldots, [P_{n1}], \ldots, [P_{nm_n}]) \tag{16}$$

So if we eliminate all nested PolicySet elements and substitute them by their nested Policy elements, the decision evaluation does not change.

4.5. Merging All Policy Elements into One Policy. Now we prove that all nested Rules can be merged into only one Policy element if all Policy elements have the same combining algorithm. We show that this transformation does not affect the decision evaluation of the container PolicySet.

Proof. Let $\mathit{CPS}$ be the Container PolicySet, $\mathit{NP}_i$ for $i \in [1 - n]$ be the nested Policy elements, and $\mathit{NP}$ the resulting nested Policy. All of these elements (the container PolicySet, the nested policies, and the resulting Policy) have an empty Target and the same combining algorithm.

The evaluations of $\mathit{CPS}$, $\mathit{NP}_i$, and $\mathit{NP}$ are

$$[\mathit{CPS}] = \mathit{comAlg}([\mathit{NP}_1], \ldots, [\mathit{NP}_n]) \tag{17}$$

$[\mathit{NP}_i] = \mathit{comAlg}([R_{i1}], \ldots, [R_{im_i}])$ for any $i \in [1 - n]$, where $R_{i1}, \ldots, R_{im_i}$ are nested Rules for the Policy $\mathit{NP}_i$.

$$[\mathit{NP}] = \mathit{comAlg}([R_{11}], \ldots, [R_{1m_1}], \ldots, [R_{n1}], \ldots, [R_{nm_n}]) \tag{18}$$

We prove that

$$[\mathit{CPS}] = [\mathit{NP}] \tag{19}$$

If we follow the same reasoning as above and we suppose we have the same combining algorithm for all policies (the same ordering), we can prove that

$$[\mathit{CPS}] = \sup([\mathit{NP}_1], \ldots, [\mathit{NP}_n]) = \sup(\sup([R_{11}], \ldots, [R_{1m_1}]), \ldots, \sup([R_{n1}], \ldots, [R_{nm_n}])) = \sup([R_{11}], \ldots, [R_{1m_1}], \ldots, [R_{n1}], \ldots, [R_{nm_n}]) = [\mathit{NP}] \tag{20}$$
5. Mapping from Generic-XACML to XACML Profiles

Once we obtain the Generic-XACML policy, we can reform it into the desirable XACML profile. This involves encompassing Rules into policies and PolicySets according to the profile specifications. In this section, we describe how to map from Generic-XACML to a specific XACML profile. We follow two main steps:

(1) Reproducing a customized policy that conforms to the profile specifications
(2) Optimizing the resulting policy

For both steps, the sorts of transformations we carry out are as follows:

(i) Inserting container Policy or PolicySet elements having an empty Target element and the same combining algorithm as the initial policy
(ii) Moving constraints that are common between the nested elements from their Targets to the Target of the container element
(iii) Moving the ObligationExpression or AdviceExpression elements that are common between the nested elements to the container element

These transformations do not affect the decision evaluation of the global policy, as proved in Section 4.

5.1. Conformance to Specific Profile. For a generic policy to conform to profile specifications, it is transformed and customized by a specific algorithm that depends on the profile and that differs from one profile to another. For illustration purposes, we touch on RBAC and UCON profiles.

5.1.1. Mapping from Generic-XACML to XACML-RBAC Profile. To translate a policy from Generic-XACML into the XACML-RBAC profile, we follow Algorithm 2.

    Input: Generic-XACML document
    Output: XACML-RBAC document
    Create a root PolicySet in XACML-RBAC document with an empty Target
    For i = 1 to rulesnumber do
        Parse Target of rule i in Generic-XACML document
        If Target designates the Subject then
            currentValue = value(Subject)
            Append a role PolicySet with Target designating currentValue for the Subject
            Insert a Permissions PolicySet with an empty Target
            Insert a policy with an empty Target
            RoleRules[] = rule i
            For j = i+1 to rulesnumber do
                Parse Target of rule j
                If value(Subject) = currentValue then
                    RoleRules[] = rule j
            Alter RoleRules Targets: delete constraint about currentValue
            Insert RoleRules into the policy
    Return XACML-RBAC document

Algorithm 2: Mapping from Generic-XACML to XACML-RBAC profile.

In conformance with XACML-RBAC profile specifications, the resulting document will contain a root PolicySet element with an empty Target. On the other side, the original document is parsed. Then the Targets of the Rules are browsed. So, for each possible value of the Subject, we create a PolicySet element representing a Role and a nested PolicySet element with an empty Target representing the Role permissions. As for the PolicySet representing the Role, the Target will contain an imbrication of an AnyOf, an AllOf, and a Match element. The latter designates the current value of the Subject. Then all Rules that contain a Match element that satisfies the current Subject are selected and inserted in a Policy element nested into the PolicySet representing permissions. Before the Rules are inserted, their Targets are altered in such a way as to eliminate the Match element that designates the current value of the Subject.

Rules containing no Match element that designates a Subject are considered as Rules concerning all Subjects. Then these Rules are inserted into every PolicySet element representing a role.

Special Case. Algorithm 2 consists of factoring Rules into policies. The factor is a Match element that designates the Subject. This is only possible if Targets are logically expressed as a conjunction of Match elements. If an AnyOf element contains more than one AllOf element, the Target will be evaluated as a conjunction of disjunctions of conjunctions of Match elements. We cannot factorize by Match element. In this case, our algorithm will compare the AnyOf element as a whole rather than comparing only the Match element.
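The Subject factoring of Algorithm 2, including the Special Case, run on a reduced rule model and checked against the flat Generic-XACML evaluation; this is an added example, not the authors' code. The rules, the dictionary representation of a Target (one Match per category, a tuple standing for an AnyOf with several AllOf alternatives), and the deny-overrides evaluator without Indeterminate are assumptions made for illustration.

```python
from itertools import product

# Constructed Generic-XACML rules, reduced to what Algorithm 2 inspects.
RULES = [
    {"id": "r1", "effect": "Permit", "target": {"subject": "doctor", "action": "read"}},
    {"id": "r2", "effect": "Permit", "target": {"subject": "doctor", "action": "write"}},
    {"id": "r3", "effect": "Permit", "target": {"subject": "nurse", "action": "read"}},
    # No Subject constraint: concerns all Subjects.
    {"id": "r4", "effect": "Deny", "target": {"action": "write", "resource": "archive"}},
    # Special Case: an AnyOf with two AllOf alternatives, compared as a whole.
    {"id": "r5", "effect": "Permit", "target": {"subject": ("doctor", "surgeon"), "action": "sign"}},
]


def hit(expected, got):
    """Match one constraint; a tuple is a disjunction of alternatives."""
    return got in expected if isinstance(expected, tuple) else got == expected


def applies(target, request):
    """A Target is a conjunction of its constraints; an empty Target matches."""
    return all(hit(value, request.get(cat)) for cat, value in target.items())


def deny_overrides(decisions):
    decisions = list(decisions)
    if "Deny" in decisions:
        return "Deny"
    return "Permit" if "Permit" in decisions else "NotApplicable"


def eval_rules(rules, request):
    """Decision of the single Generic-XACML Policy (empty Target)."""
    return deny_overrides(r["effect"] for r in rules if applies(r["target"], request))


def to_rbac(rules):
    """Algorithm 2: one Role PolicySet per distinct Subject constraint."""
    roles = []
    for rule in rules:
        subject = rule["target"].get("subject")
        if subject is not None and subject not in roles:
            roles.append(subject)
    document = []
    for role in roles:
        permissions = []
        for rule in rules:
            subject = rule["target"].get("subject")
            if subject == role:
                # Delete the constraint that moved into the Role PolicySet Target.
                stripped = {c: v for c, v in rule["target"].items() if c != "subject"}
                permissions.append(dict(rule, target=stripped))
            elif subject is None:
                # Rules concerning all Subjects go into every Role PolicySet.
                permissions.append(rule)
        document.append({"role": role, "permissions": permissions})
    return document


def eval_rbac(document, request):
    """Root PolicySet (empty Target) over the Role PolicySets that match."""
    return deny_overrides(eval_rules(ps["permissions"], request)
                          for ps in document if hit(ps["role"], request.get("subject")))


def equivalent(rules, subjects, actions, resources):
    """Compare both forms on every request built from the given values.

    Rules without a Subject are reachable only through a Role PolicySet, so
    `subjects` should list subjects that hold at least one role in `rules`.
    """
    document = to_rbac(rules)
    requests = (dict(subject=s, action=a, resource=x)
                for s, a, x in product(subjects, actions, resources))
    return all(eval_rules(rules, req) == eval_rbac(document, req) for req in requests)


if __name__ == "__main__":
    for ps in to_rbac(RULES):
        print(ps["role"], [r["id"] for r in ps["permissions"]])
    print(equivalent(RULES, ["doctor", "nurse", "surgeon"],
                     ["read", "write", "sign"], ["chart", "archive"]))
```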
5.1.2. Mapping from Generic-XACML to XACML-UCON Profile. The XACML-UCON profile described in [25] is an implementation of the UCONABC model [30] that fulfills XACML specifications and categorizes policies into 3 types: Authorizations, oBligations, and Conditions. The particularity of UCON is the Continuity of Usage and Mutable Attributes that are expressed as XACML Obligations within the Policy element. So mapping to the UCON profile consists of categorizing the original Rules into three categories: Authorizations A, oBligations B, and Conditions C. Then each category is divided into two subcategories: pre- (evaluated only once) and ongoing (continuous re-evaluation). So the resulting document will eventually contain six types of Policy: preA, preB, preC, onA, onB, and onC.

    Input: Generic-XACML document
    Output: XACML-UCON document
    create a root PolicySet in XACML-UCON document
    for i = 1 to rulesnumber do
        parse Target of rule i in Generic-XACML document
        if exist any element designating Environment attribute then
            if exist obligation specifying the request interval for ongoing control then
                onCRules[] = rule i
            else
                preCRules[] = rule i
        else if exist condition element in rule i then
            if exist obligation specifying the request interval for ongoing control then
                onBRules[] = rule i
            else
                preBRules[] = rule i
        else
            if exist obligation specifying the request interval for ongoing control then
                onARules[] = rule i
            else
                preARules[] = rule i
    if preARules is not empty then
        insert preAPolicy
        insert preARules into preAPolicy
    if onARules is not empty then
        insert onAPolicy
        insert onARules into onAPolicy
    if preBRules is not empty then
        insert preBPolicy
        insert preBRules into preBPolicy
    if onBRules is not empty then
        insert onBPolicy
        insert onBRules into onBPolicy
    if preCRules is not empty then
        insert preCPolicy
        insert preCRules into preCPolicy
    if onCRules is not empty then
        insert onCPolicy
        insert onCRules into onCPolicy
    return XACML-UCON document

Algorithm 3: Mapping from Generic-XACML to XACML-UCON profile.

Algorithm 3 shows how to execute the mapping from Generic-XACML to the XACML-UCON profile. Rules of the original document are parsed. So, if a Rule contains at least one element that designates or selects an XACML Environment attribute, it will be considered as a Condition C. If it contains an XACML Condition element, it will be considered as an oBligation B. Otherwise, it will be considered as an Authorization A. On the other hand, if the Rule contains an XACML Obligation element with an AttributeAssignment element which specifies the time interval between continuous policy re-evaluations, the Rule is inserted in the resulting document inside an ongoing Policy: onA, onB, or onC. Otherwise, it is inserted inside a pre Policy: preA, preB, or preC.
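The classification of Algorithm 3 applied to a constructed Generic-XACML document, as an added example (not the authors' code). The paper does not name the attribute that carries the re-evaluation interval, so `INTERVAL_ID` and the other `urn:example:` identifiers are hypothetical, as are the sample rules and function names.

```python
import copy
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
ET.register_namespace("", NS)
FN = "urn:oasis:names:tc:xacml:1.0:function:"
STR = "http://www.w3.org/2001/XMLSchema#string"
SUBJ = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ENV = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
RULE_ALG = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
POLICY_ALG = "urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides"
# Assumption: AttributeId under which the re-evaluation interval is assigned.
INTERVAL_ID = "urn:example:ucon:reevaluation-interval"


def q(tag):
    return "{%s}%s" % (NS, tag)


def des(cat, attr):
    return (f'<AttributeDesignator Category="{cat}" AttributeId="{attr}" '
            f'DataType="{STR}" MustBePresent="false"/>')


def target(cat, attr, val):
    return (f'<Target><AnyOf><AllOf><Match MatchId="{FN}string-equal"><AttributeValue '
            f'DataType="{STR}">{val}</AttributeValue>{des(cat, attr)}</Match></AllOf></AnyOf></Target>')


# Constructed fragments: a Condition on a subject attribute and an obligation
# that assigns the interval between continuous re-evaluations.
CONDITION = (f'<Condition><Apply FunctionId="{FN}string-equal"><AttributeValue DataType="{STR}">'
             f'signed</AttributeValue><Apply FunctionId="{FN}string-one-and-only">'
             f'{des(SUBJ, "urn:example:subject:consent")}</Apply></Apply></Condition>')
ONGOING = ('<ObligationExpressions><ObligationExpression FulfillOn="Permit" '
           'ObligationId="urn:example:ucon:continuity">'
           f'<AttributeAssignmentExpression AttributeId="{INTERVAL_ID}">'
           '<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">30</AttributeValue>'
           '</AttributeAssignmentExpression></ObligationExpression></ObligationExpressions>')

# Constructed Generic-XACML document with one Rule per interesting case.
GENERIC = f"""
<PolicySet xmlns="{NS}" PolicySetId="generic" Version="1.0" PolicyCombiningAlgId="{POLICY_ALG}">
  <Target/>
  <Policy PolicyId="generic-policy" Version="1.0" RuleCombiningAlgId="{RULE_ALG}">
    <Target/>
    <Rule RuleId="r1" Effect="Permit">{target(SUBJ, ROLE, 'doctor')}</Rule>
    <Rule RuleId="r2" Effect="Permit">{target(SUBJ, ROLE, 'nurse')}{ONGOING}</Rule>
    <Rule RuleId="r3" Effect="Permit">{target(SUBJ, ROLE, 'intern')}{CONDITION}</Rule>
    <Rule RuleId="r4" Effect="Deny">{target(ENV, 'urn:example:env:zone', 'external')}{CONDITION}{ONGOING}</Rule>
  </Policy>
</PolicySet>
"""


def classify(rule):
    """Return preA, onA, preB, onB, preC or onC for one Rule element."""
    designates_env = any(e.get("Category") == ENV for e in rule.iter()
                         if e.tag in (q("AttributeDesignator"), q("AttributeSelector")))
    ongoing = any(a.get("AttributeId") == INTERVAL_ID
                  for a in rule.iter(q("AttributeAssignmentExpression")))
    if designates_env:            # Environment attribute: UCON Condition
        kind = "C"
    elif rule.find(q("Condition")) is not None:   # XACML Condition: oBligation
        kind = "B"
    else:                         # otherwise: Authorization
        kind = "A"
    return ("on" if ongoing else "pre") + kind


def to_ucon(generic_xml):
    """Algorithm 3: regroup Rules into at most six Policy elements."""
    src = ET.fromstring(generic_xml)
    buckets = {}
    for rule in src.iter(q("Rule")):
        buckets.setdefault(classify(rule), []).append(rule)
    root = ET.Element(q("PolicySet"), {"PolicySetId": "ucon", "Version": "1.0",
                                       "PolicyCombiningAlgId": src.get("PolicyCombiningAlgId")})
    ET.SubElement(root, q("Target"))
    rule_alg = src.find(q("Policy")).get("RuleCombiningAlgId")
    for name in ("preA", "onA", "preB", "onB", "preC", "onC"):
        if name in buckets:       # empty categories produce no Policy
            policy = ET.SubElement(root, q("Policy"), {
                "PolicyId": name + "Policy", "Version": "1.0", "RuleCombiningAlgId": rule_alg})
            ET.SubElement(policy, q("Target"))
            policy.extend([copy.deepcopy(r) for r in buckets[name]])
    return root


def layout(ucon):
    """PolicyId -> RuleIds, in document order."""
    return {p.get("PolicyId"): [r.get("RuleId") for r in p.findall(q("Rule"))]
            for p in ucon.findall(q("Policy"))}


if __name__ == "__main__":
    print(layout(to_ucon(GENERIC)))
```

Rule `r4` shows the precedence in Algorithm 3: it has a Condition, but the Environment designator in its Target is tested first, so it lands in onCPolicy.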
5.2. Optimizing Policies. When mapping from Generic-XACML to any XACML profile, the resulting policy could have redundancies in Target, Advice, or Obligation elements, or a large number of Rules in one Policy element, which makes it costly for the Policy Decision Point in terms of execution time. In this subsection, we propose an algorithm to optimize the resulting policies.

This algorithm (Algorithm 4) consists of regrouping Rules into policies based on common values of attributes in the Target element. Therefore, the algorithm iterates over attribute categories. The attribute categories and their order are selected based on the model (e.g., we follow the order Resource, Action, then Environment for the RBAC model). So, for each attribute category and for each Policy element, Rules are parsed. Then, if the Rule Target designates the current attribute category, its value is compared with the attribute category value of other Rules. Thus, Rules with equal attribute category values are combined into a sibling Policy (a new Policy having the same parent as the current Policy). Its Target will contain an imbrication of an AnyOf, an AllOf, and a Match element. The latter designates the current value of the current category of attribute.

    Input: XACML document
    Forall attribute categories do
        Forall Policy elements do
            evaluate rulesnumber of current policy
            If rulesnumber ≥ 2 then    // policy with one rule does not need optimization
                For i = 1 to rulesnumber do
                    parse Target of rule i
                    If Target designates current attribute category then
                        CurrentValue = value(attribute category)
                        combinedRules[] = rule i
                        For j = i+1 to rulesnumber do
                            parse Target of rule j
                            If value(attribute category) = CurrentValue then
                                combinedRules[] = rule j
                        If length(combinedRules) ≥ 2 then
                            If length(combinedRules) = rulesnumber then
                                alter Target of current Policy element
                                alter combinedRules Targets
                            Else
                                create sibling policy with Target designating CurrentValue for attr category
                                alter combinedRules Targets
                                move combinedRules to the new sibling policy

Algorithm 4: Optimizing policies.
If a resulting document contains a large number of Policy elements, this algorithm can be extended to combine Policy elements into PolicySet elements with the same instructions.

Other constraints can be added to the algorithm depending on the profile specifications (e.g., the Target of a PolicySet representing a role in the RBAC profile designates only Subject attributes).

Special Case. Similarly to Algorithm 2, if an AnyOf element contains more than one AllOf element, the algorithm will compare the AnyOf element as a whole rather than comparing only the Match element.

As for obligations and advice, if all Rules within a Policy element have the same ObligationExpression or the same AdviceExpression element, then this expression is moved to the parent Policy.
6. Conclusion and Future Research

In this paper, we propose Access Control in Cross-Organizational coLLABoration (ACCOLLAB), which tackles the problem of heterogeneity of access control models across organizations while respecting the internal access control model of each organization involved in a collaboration.

This solution is based on a mechanism for automatically mapping between policies in different models. We considered the previously proposed ontology-based semantic mapping process to deal with semantic correspondences and focus on syntactic transformations of the heterogeneous policies to propose a complete solution.

This automatic mapping is based on XACML profiles and the generic language Generic-XACML we have defined. We have given a logic proof for all of the mapping steps.

Thus, our generic access control model ACCOLLAB solves the heterogeneity problem, ensures interoperability across organizations, and maintains the privacy of each collaborating organization.

We are working to implement our mapping algorithms using the XACML implementation Balana; then we are going to complete the implementation of the policy mapping architecture based on WSO2 servers.

Besides that, we intend to extend XACML in order to find equivalence between combining algorithms, so that our proposed mechanism covers heterogeneous combining algorithms.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.
References
[1] R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman, "Role-based access control models," The Computer Journal, vol. 29, no. 2, pp. 38–47, 1996.
[2] R. K. Thomas and R. S. Sandhu, "Task-based authorization controls (TBAC): a family of models for active and enterprise-oriented authorization management," in Database Security XI, IFIP Advances in Information and Communication Technology, pp. 166–181, Springer US, Boston, MA, 1998.
[3] E. Yuan and J. Tong, "Attributed based access control (ABAC) for web services," in Proceedings of the IEEE International Conference on Web Services (ICWS'05), pp. 561–569, IEEE, July 2005.
[4] A. A. E. Kalam, R. E. Baida, P. Balbiani et al., "Organization based access control," in Proceedings of the 4th IEEE International Workshop on Policies for Distributed Systems and Networks, pp. 120–131, 2003.
[5] A. Kalam and Y. El, "Multi-OrBAC: a New Access Control Model for Distributed Heterogeneous and Collaborative Systems," in Proceedings of the 8th IEEE International Symposium on Systems and Information Security, p. 1, 2006.
[6] A. Kamoun and S. Tazi, "A semantic role-based access control for intra and inter-organization collaboration," in Proceedings of the 23rd IEEE International WETICE Conference, WETICE 2014, pp. 86–91, Italy, June 2014.
[7] W. Zhou and C. Meinel, "Team and task based RBAC access control model," in Proceedings of the 2007 Latin American Network Operations and Management Symposium - LANOMS 2007, pp. 84–94, Brazil, September 2007.
[8] J. Li, J. Zic, N. Oakes, D. Liu, and C. Wang, "Design and evaluation of an integrated collaboration platform for secure information sharing," in Cooperative Design, Visualization, and Engineering, vol. 9929 of Lecture Notes in Computer Science, pp. 185–193, Springer International Publishing, Cham, 2016.
[9] F. Liang, H. Guo, S. Yi, and S. Ma, "A multiple-policy supported attribute-based access control architecture within large-scale device collaboration systems," Journal of Networks, vol. 7, no. 3, pp. 524–531, 2012.
[10] S. Sicari, A. Rizzardi, D. Miorandi, and A. Coen-Porisini, "Dynamic policies in internet of things: enforcement and synchronization," IEEE Internet of Things Journal, vol. 4, no. 6, pp. 2228–2238, 2017.
[11] A. Almutairi, M. Sarfraz, S. Basalamah, W. Aref, and A. Ghafoor, "A distributed access control architecture for cloud computing," IEEE Software, vol. 29, no. 2, pp. 36–44, 2012.
[12] H. Xiang, X. Xia, H. Hu, J. Sang, and C. Ye, "Approaches to access control policy comparison and the inter-domain role mapping problem," Information Technology and Control, vol. 45, no. 3, pp. 278–288, 2016.
[13] Z. Wu and L. Wang, "An innovative simulation environment for cross-domain policy enforcement," Simulation Modelling Practice and Theory, vol. 19, no. 7, pp. 1558–1583, 2011.
[14] Z.-W. Wang, "A generic access control model based on ontology," in Proceedings of the 2010 IEEE International Conference on Wireless Communications, Networking and Information Security, WCNIS 2010, pp. 335–339, China, June 2010.
[15] S. Haguouche and Z. Jarir, "Managing heterogeneous access control models cross-organization," in Proceedings of the International Conference on Risks and Security of Internet and Systems, pp. 222–229, 2015.
[16] S. Haguouche and Z. Jarir, "Generic access control model and semantic mapping between heterogeneous policies," International Journal of Technology Diffusion (IJTD), vol. 9, no. 4, pp. 52–65, 2018.
[17] S. Haguouche and Z. Jarir, "Toward a generic access control model," in Proceedings of the 3rd IEEE World Conference on Complex Systems, WCCS 2015, pp. 1–6, IEEE, Morocco, November 2015.
[18] R. Xu, Y. Chen, E. Blasch, and G. Chen, "A federated capability-based access control mechanism for Internet of Things (IoTs)," in Proceedings of the Sensors and Systems for Space Applications XI, International Society for Optics and Photonics, 2018.
[19] L. Duan, Y. Zhang, S. Chen et al., "Automated policy combination for secure data sharing in cross-organizational collaborations," IEEE Access, vol. 4, pp. 3454–3468, 2016.
[20] G. Geethakumari, A. Negi, and V. N. Sastry, "A cross - Domain role mapping and authorization framework for RBAC in grid systems," International Journal of Computer Science and Application, vol. 6, no. 1, pp. 1–12, 2009.
[21] D. Preuveneers, W. Joosen, and E. Ilie-Zudor, "Policy reconciliation for access control in dynamic cross-enterprise collaborations," Enterprise Information Systems, vol. 12, no. 3, pp. 279–299, 2018.
[22] C. Esposito, "Interoperable, dynamic and privacy-preserving access control for cloud data storage when integrating heterogeneous organizations," Journal of Network and Computer Applications, vol. 108, pp. 124–136, 2018.
[23] OASIS XACML Technical Committee, "eXtensible Access Control Markup Language (XACML) Version 3.0," http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html, accessed July 2018.
[24] OASIS XACML Technical Committee, "XACML v3.0 core and hierarchical Role Based Access Control (RBAC) profile version 1.0 (committee specification 02)," http://docs.oasis-open.org/xacml/3.0/rbac/v1.0/xacml-3.0-rbac-v1.0.html, accessed July 2018.
[25] Y. Ghazi, R. Masood, M. A. Shibli, and S. Khurshid, "Usage-based access control for cloud applications," in Innovative Solutions for Access Control Management, pp. 197–223, 2016.
[26] G. Karjoth, A. Schade, and E. Van Herreweghen, "Implementing ACL-based policies in XACML," in Proceedings of the 24th Annual Computer Security Applications Conference, ACSAC 2008, pp. 183–192, USA, December 2008.
[27] M. Xu, D. Wijesekera, and X. Zhang, "Towards session-aware RBAC administration and enforcement with XACML," in Proceedings of the 2009 IEEE International Symposium on Policies for Distributed Systems and Networks, 2009.
[28] X. Jin, R. Krishnan, and R. Sandhu, "A unified attribute-based access control model covering DAC, MAC and RBAC," Lecture Notes in Computer Science, vol. 7371, pp. 41–55, 2012.
[29] C. D. P. K. Ramli, H. R. Nielson, and F. Nielson, "The logic of XACML," Science of Computer Programming, vol. 83, pp. 80–105, 2014.
[30] J. Park and R. Sandhu, "The UCONABC usage control model," ACM Transactions on Information and System Security, vol. 7, no. 1, pp. 128–174, 2004.
Figure 1: Architecture of policy mapping in cross-organizational collaboration. (Diagram labels: Requestor, Request, Requestee; Access Control Mechanism in the Consumer Organization (ABAC Model) with PEP, PDP, PAP and ABAC-Policy Store; Access Control Mechanism in the Provider Organization (RBAC Model) with PEP, PDP, PAP and RBAC-Policy Store; Policy mapping; Generic XACML Policy.)
which can generate heterogeneity in logical models themselves.
The paper [14] analyzed the common knowledge of access control models and proposed an ontology-based model which can describe different access control models. This work gives a formal description of access control ontologies and proposes a connection algorithm which is based on access ontology. However, neither details about the connection algorithm nor the mechanism of mapping between organizations' policies are provided, given that each collaborating organization adopts its own access control mechanism.
These evoked contributions tackle the problem of access control in cross-organizational collaboration where each collaborating organization adopts a different access control model. Unfortunately, none of them gives a complete solution using syntactic and semantic transformations.
This motivates us to come up with a solution characterized by:
(1) Respect of legacy systems.
(2) Automatic policy mapping between collaborating organizations based on syntactic and semantic transformations.
(3) Tackling the heterogeneity in access control models.
3. Our Proposed Mechanism of Automatic Mapping between Heterogeneous Models
Our current contribution aims to suggest a solution for Access Control in Cross-Organizational coLLABoration (ACCOLLAB) that respects legacy systems of each organization in the collaboration and aims to enable the enforcement of providers' policies in the consumers' organizations. Figure 1 shows an example of two collaborating organizations using heterogeneous access control systems. The provider organization that offers a requestee (e.g., service, resource, data, ...) defines a policy using the RBAC model and enforces access control using an adequate mechanism. So the consumer organization, which uses the ABAC model and enforces access control using a different mechanism, should be able to read the provider's policy and enforce it using its own access control mechanism. Thus we propose a mechanism for automatic policy mapping between organizations adopting heterogeneous access control models.
The automatic policy mapping involves two transformations: syntactic transformations that concern the form of the policy, which is our focus in this paper, and semantic correspondences, which we tackled in the previous contribution [16], where we relied on a generic representation of access control concepts and proposed an ontology-based semantic mapping.
Thus we assume in this paper that every single constraint in an access control policy expressed in an access control model has a semantically corresponding constraint in any other model, and we focus on automatic mapping between models in terms of policy definition.
To ensure an effective mapping, we use XACML as an intermediate policy definition language for mapping. The motivation behind this choice is that XACML can be used to implement any access control model and that a number of XACML profiles are already defined.
Figure 2 depicts the global architecture of the mapping. Hence, to be able to map from a policy written according to a particular model to another model (e.g., RBAC model to ABAC model), we resort to XACML profiles as an intermediate language. So we define a high level syntax of XACML that we call Generic-XACML (detailed in Section 3.3). From this syntax we can switch to any XACML profile, and thereafter it will be translated to the target policy language, which is specific to the model.
Our solution is distributed, but unlike existing distributed solutions [10, 11, 20, 21], we consider heterogeneous existing access control systems adopting heterogeneous models (ABAC, RBAC, UCON, ...). Our solution will be implemented as an additional layer on top of existing access control systems; existing systems will not be changed, only policies will be automatically translated.
Figure 2: Mechanism of policy mapping between heterogeneous models. (Diagram labels: Policy in RBAC, Policy in ABAC, Policy in UCON; Translation to/from XACML profile; Policy in XACML profile for RBAC, for ABAC, for UCON; Unifying/customizing the XACML Syntax; Policy in Generic-XACML.)
In the next subsections we give an overview of XACML and XACML profiles. Then we give a definition of our Generic-XACML language.
3.1. XACML Overview. Recall that XACML (eXtensible Access Control Markup Language) [23] is a standardized access control policy and decision language based on XML. The core of XACML defines policies by hierarchical components. The root element is the PolicySet; it contains Policy and/or other PolicySet elements. A Policy element contains a set of one or more Rule elements. A Rule element contains a condition that is evaluated to either True or False. A Rule element represents a single authorization or prohibition, depending on its effect, which is either Permit or Deny. XACML provides Combining Algorithms that operate to combine decisions or effects of multiple Policy or Rule elements into a single decision, via a Policy Combining Algorithm for Policy elements and via a Rule Combining Algorithm for Rule elements.
Rule, Policy, and PolicySet elements include a Target element to specify their applicability to the access control request and, optionally, an ObligationExpressions element or an AdviceExpressions element to define obligations or advices, respectively. The Target element may be empty or a conjunction of a disjunction (AnyOf elements) of a conjunction (AllOf element) of Subject, Resource, Action, and/or Environment conditions expressed as Match elements. Subject, Resource, Action, and Environment are the four attribute categories defined by XACML.
3.2. XACML Profiles
3.2.1. XACML-RBAC Profile. [24] defines a profile to meet the requirements for RBAC. The RBAC profile of XACML (XACML-RBAC) expresses a way to use the standard XACML within the RBAC model.
In this profile, each Role is defined by a PolicySet element. It contains a Target element that makes the PolicySet applicable only to Subjects having the XACML Attribute associated with the given Role. The Target element does not restrict the Resource, Action, or Environment. This Role PolicySet element contains a unique PolicySet that defines the actual Permissions associated with the Role. Such a PolicySet contains PolicySet, Policy, and Rule elements that describe the resources and actions that subjects are permitted to access, along with any further environmental conditions, such as time of day. A given Permission PolicySet may also contain references to Permission PolicySet elements associated with other Roles (hierarchy).
The Target element of a Permission PolicySet and its included or referenced PolicySet, Policy, and Rule elements must not limit the subjects to which the PolicySet is applicable.
3.2.2. XACML-UCON Profile. [25] defines a profile (XACML-UCON) for the use of XACML in expressing policies that would ensure usage control as defined in the UCON model. In this profile, Authorizations are specified by XACML Subject and XACML Resource in the Target element. Obligations are specified by XACML Condition. Conditions (the UCON concept) are specified by XACML Environment. Rights are specified by XACML Action. Continuity of usage decision will be expressed in the XACML Obligation within the Policy element. It would contain an AttributeAssignment which will specify the time interval between continuous policy re-evaluations.
Mutable Attributes are specified within XACML Obligations as XACML AttributeAssignment. The AttributeId is where the name of the mutable attribute is specified.
3.2.3. Other XACML Profiles. Other works like [26–28] define XACML profiles for Access Control List (ACL) and ABAC models. In the same way, other profiles for other models can be developed, since XACML offers the possibility to express any concept as attributes. Thus we can map any existing policy into the XACML policy language. The profile will specify the particularity of the model by specifying:
(i) The correlation between the model concepts and the categories of attributes.
(ii) The categories of attributes to put in for some Target elements.
(iii) The nesting of the XACML elements (specify the number of children of some elements).
(iv) The combining algorithms that are used.
3.3. Generic-XACML. When organizations engage in collaboration, access control policies related to the shared Requestees (services or resources, ...) are translated to the XACML profile for the model adopted by the provider organization. Then these policies are automatically mapped to Generic-XACML and shared jointly with the requestees. Later, these policies are automatically mapped to the XACML profile for the model adopted by the consumer organization and finally translated to the consumer model. So Generic-XACML is a high level language that serves as an intermediate for the mapping. Generic-XACML is inspired by XACML in that it matches the XACML specifications for policy definition and restricts the core XACML by the following constraints:
(i) It contains a root PolicySet element with an empty Target.
(ii) The root PolicySet contains exactly one nested Policy element with an empty Target as well.
(iii) The Policy element contains a set of nested Rule elements and, optionally, a set of Obligation and/or Advice elements.
Figure 3 depicts a pseudo code of the structure of a Generic-XACML policy.
In the next Sections 4 and 5 we show in more detail how to map between Generic-XACML and XACML profiles, and we prove the equivalence between policies.
Figure 3: A pseudo code of the structure of a Generic-XACML policy.
Table 1: Possible values of XACML elements.

| Symbol | Match and Target value | Condition value | Rule, Policy, and PolicySet value |
|---|---|---|---|
| $\top$ | Match | True | Applicable (either permit or deny) |
| $\bot$ | Not match | False | Not applicable |
| $I$ | Indeterminate | Indeterminate | Indeterminate |
3.4. Policy Decision Evaluation for XACML and Generic-XACML. The Rule evaluation depends on the Target evaluation and the Condition evaluation [23]. The Target value can be either match, not match, or indeterminate. The value indeterminate can be obtained if an error occurred or some required value was missing, so a decision cannot be made.
The Condition element is a set of propositional formulae which is evaluated to either True, False, or Indeterminate. An empty Condition or an empty Target is always evaluated to True. The evaluation of a Rule element is either applicable, not applicable, or Indeterminate. An applicable Rule has effect either deny or permit. Finally, the evaluation of Policy and PolicySet elements is based on a combining algorithm of which the result can be either applicable (with its effect either deny or permit), not applicable, or indeterminate.
In this paper we refer to the formal XACML elements evaluation developed in [29]. In this work, the authors use a three-valued logic represented by the three symbols ($\top$, $\bot$, $I$) that correspond to XACML elements evaluation. Table 1 depicts the mapping between these three logic values and XACML elements evaluation.
In order to distinguish whether an applicable policy permits access or denies it, this three-valued logic is extended to a multivalued logic represented by the set $V_6 = \{\bot, I_d, I_p, I_{dp}, \top_d, \top_p\}$, where the subscript $d$ denotes Deny, the subscript $p$ denotes Permit, and the subscript $dp$ denotes Deny Permit.
Input: XACML profile document
Output: Generic-XACML document
Require: unified combining algorithm
Create PolicySet element with empty Target
Create Policy element with empty Target
Parse the XACML document
forall PolicySet element do
    forall Policy element do
        forall Rule element do
            Combine Rule Target with current Policy and PolicySet Targets
            Combine Rule ObligationExpressions with current Policy and PolicySet ObligationExpressions
            Combine Rule AdviceExpressions with current Policy and PolicySet AdviceExpressions
            Insert current Rule in the Generic-XACML document
Return Generic-XACML document

Algorithm 1: Mapping from one XACML profile to Generic-XACML.
4. Mapping from XACML Profiles to the Generic-XACML
In this section we show that any policy written in an XACML profile can be mapped into our generic language. We explain how to proceed in order to map to the Generic-XACML without altering the logic of the policy and its decision evaluation. The following are the steps of transformation of the original policy written in an XACML profile.
Step 1. Unifying the combining algorithms (in our study we focus on the case where we have the same combining algorithm in all Policy and PolicySet elements).
Step 2. Nesting the Target of the Policy and PolicySet elements into their composite Rule elements and combining them with the Rule Target, so that we obtain all Policy and PolicySet elements with an empty Target.
Step 3. Nesting of all ObligationExpression and AdviceExpression elements of the Policy and PolicySet elements into their composite Rule elements, by inserting them into the ObligationExpressions element or into the AdviceExpressions element of the Rule.
Step 4. If a PolicySet is nested into another PolicySet, its Target is empty, and its combining algorithm is the same as the container PolicySet, then it will be eliminated and substituted by its content.
Step 5. In order to obtain only one Policy element, we substitute all Policy elements by one Policy element that contains the content of all nested Rules together (they must have the same combining algorithm and an empty Target).
These steps can be carried out through Algorithm 1, which allows mapping from any XACML document to a Generic-XACML document. In the next subsections we prove that these transformations do not affect the decision evaluation of the policy.
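The steps above can be exercised on a small document. The following Python code is an added example, not the authors' implementation: it applies Steps 2 to 5 of Algorithm 1 to a constructed XACML-RBAC-style sample and treats Step 1 as a precondition. The sample policy, its identifiers (`RPS:manager`, `log-access`, and so on), the output ids and all helper names are assumptions; the root is assumed to be a PolicySet with any referenced PolicySets already inlined.

```python
import copy
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"   # XACML 3.0 core namespace
STR = "http://www.w3.org/2001/XMLSchema#string"
P_ALG = "urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides"
R_ALG = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides"
ATTRIBUTES = {  # kind -> (Category, AttributeId), standard XACML identifiers
    "role": ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
             "urn:oasis:names:tc:xacml:2.0:subject:role"),
    "resource": ("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
                 "urn:oasis:names:tc:xacml:1.0:resource:resource-id"),
    "action": ("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
               "urn:oasis:names:tc:xacml:1.0:action:action-id"),
}
# Elements whose children are pushed from the containers down into every Rule.
PUSHED_DOWN = ("Target", "ObligationExpressions", "AdviceExpressions")

def q(tag):
    return f"{{{NS}}}{tag}"

def any_of(kind, value):
    """One AnyOf/AllOf/Match constraint, used only to build the sample below."""
    category, attribute_id = ATTRIBUTES[kind]
    return (f'<AnyOf><AllOf><Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">'
            f'<AttributeValue DataType="{STR}">{value}</AttributeValue>'
            f'<AttributeDesignator Category="{category}" AttributeId="{attribute_id}" '
            f'DataType="{STR}" MustBePresent="false"/></Match></AllOf></AnyOf>')

# Constructed sample (not from the paper): a Role PolicySet for "manager" wrapping
# a Permission PolicySet, with an obligation declared at Policy level.
SAMPLE = f"""
<PolicySet xmlns="{NS}" PolicySetId="RPS:manager" Version="1.0" PolicyCombiningAlgId="{P_ALG}">
  <Target>{any_of('role', 'manager')}</Target>
  <PolicySet PolicySetId="PPS:manager" Version="1.0" PolicyCombiningAlgId="{P_ALG}">
    <Target/>
    <Policy PolicyId="orders" Version="1.0" RuleCombiningAlgId="{R_ALG}">
      <Target>{any_of('resource', 'orders')}</Target>
      <Rule RuleId="read" Effect="Permit">
        <Target>{any_of('action', 'read')}</Target>
      </Rule>
      <Rule RuleId="approve" Effect="Permit"/>
      <ObligationExpressions>
        <ObligationExpression ObligationId="log-access" FulfillOn="Permit"/>
      </ObligationExpressions>
    </Policy>
  </PolicySet>
</PolicySet>"""

def children_of(node, tag):
    found = node.find(q(tag))
    return [] if found is None else list(found)

def to_generic_xacml(xml_text):
    """Flatten a profile document into one PolicySet > one Policy > Rules."""
    src = ET.fromstring(xml_text)
    containers = [n for n in src.iter() if n.tag in (q("PolicySet"), q("Policy"))]
    algs = {(n.get("PolicyCombiningAlgId") or n.get("RuleCombiningAlgId") or "").rsplit(":", 1)[-1]
            for n in containers}
    if len(algs) != 1:      # Step 1 is taken as a precondition, as on the page
        raise ValueError(f"combining algorithms are not unified: {sorted(algs)}")
    root = ET.Element(q("PolicySet"), {"PolicySetId": "generic", "Version": "1.0",
                                       "PolicyCombiningAlgId": src.get("PolicyCombiningAlgId")})
    ET.SubElement(root, q("Target"))                       # empty Target
    policy = ET.SubElement(root, q("Policy"), {
        "PolicyId": "generic", "Version": "1.0",
        "RuleCombiningAlgId": next(src.iter(q("Policy"))).get("RuleCombiningAlgId")})
    ET.SubElement(policy, q("Target"))                     # empty Target

    def walk(node, inherited):
        # Steps 2 and 3: whatever the ancestors declare travels down to the Rules.
        merged = {tag: inherited[tag] + children_of(node, tag) for tag in PUSHED_DOWN}
        if node.tag != q("Rule"):
            for child in node:                             # Steps 4 and 5: containers dissolve
                if child.tag in (q("PolicySet"), q("Policy"), q("Rule")):
                    walk(child, merged)
            return
        rule = ET.SubElement(policy, q("Rule"), dict(node.attrib))
        # A Target is a conjunction of AnyOf elements, so T AND T_i is their concatenation.
        ET.SubElement(rule, q("Target")).extend(copy.deepcopy(merged["Target"]))
        condition = node.find(q("Condition"))
        if condition is not None:
            rule.append(copy.deepcopy(condition))
        for tag in PUSHED_DOWN[1:]:
            if merged[tag]:
                ET.SubElement(rule, q(tag)).extend(copy.deepcopy(merged[tag]))

    walk(src, {tag: [] for tag in PUSHED_DOWN})
    return root

def summarize(generic):
    """(RuleId, Target values in conjunction order, obligation ids) for each Rule."""
    return [(rule.get("RuleId"),
             [v.text for v in rule.find(q("Target")).iter(q("AttributeValue"))],
             [o.get("ObligationId") for o in rule.iter(q("ObligationExpression"))])
            for rule in generic.iter(q("Rule"))]

if __name__ == "__main__":
    for row in summarize(to_generic_xacml(SAMPLE)):
        print(row)
```

Rule order is preserved, which matters for order-dependent combining algorithms, and the policy-level obligation ends up duplicated in every Rule, the redundancy discussed in Section 4.3.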
Table 2: Rules truth table.

| $T$ | $T_i$ | $C_i$ | $T \wedge T_i$ | $R_i$ | $R_i'$ |
|---|---|---|---|---|---|
| $\top$ | - | - | $T_i$ | - | $R_i$ |
| $I$ | $\top$ or $I$ | $\top$ or $I$ | $I$ | $\top$ or $I$ | $I$ |
| $I$ | $\bot$ | - | $\bot$ | $\bot$ | $\bot$ |
| $I$ | - | $\bot$ | - | $\bot$ | $\bot$ |
| $\bot$ | - | - | $\bot$ | $\bot$ | $\bot$ |
4.1. Unifying the Combining Algorithms. To carry out the above transformations without affecting the global decision evaluation, we should have the same combining algorithm in the transformed elements. However, to come up with equivalence between combining algorithms, we need to extend XACML by proposing other elements. To avoid encumbering this paper, we suppose we have the same combining algorithm in all Policy and PolicySet elements.
4.2. Policy and PolicySet Elements with an Empty Target. We prove that a Target of a Policy/PolicySet element can be nested to their composite Rule/Policy/PolicySet elements without changing the global decision evaluation, so that by repeating this transformation we obtain an empty Target for any Policy or PolicySet element.
Proof. Let $P = \langle T, R_1, \ldots, R_n, \theta \rangle$ be a representation of a Policy, where $T$ is the Policy Target, $R_i = \langle \mathit{Effect}, T_i, C_i \rangle$ for $i \in [1 - n]$ are $n$ nested Rules, with $T_i$ the Rule Target and $C_i$ the condition for the Rule $i$, and $\theta$ is the combining algorithm.
And let $P' = \langle \mathit{Null}, R_1', \ldots, R_n', \theta \rangle$ be the transformed Policy, where the Target is empty and $R_i' = \langle \mathit{Effect}, T \wedge T_i, C_i \rangle$ for any $i \in [1 - n]$ are nested Rules, where $T \wedge T_i$ is the conjunction of $T$ and $T_i$.
We base on the truth tables (Tables 2 and 3) [23] to prove that the evaluation of the Policy $P$ is the same as $P'$: $[P] = [P']$ (we use the notation $[\,\cdot\,]$ to express the evaluation of a Rule, Policy, or PolicySet).
Table 3: Policy truth table.

| Target | Rules | Policy |
|---|---|---|
| $\top$ | - | Combining Algo |
| $I$ | $\exists i \in [1 - n],\ R_i = \top$ or $I$ | $I$ |
| $I$ | $\forall i \in [1 - n],\ R_i = \bot$ | $\bot$ |
| $\bot$ | - | $\bot$ |
Case 1. If $T = \top$, then for any $i \in [1 - n]$, $T \wedge T_i = T_i$, so the evaluation of the nested Rules does not change, $[R_i'] = [R_i]$, and then

$$[P'] = [\langle \mathit{Null}, R_1', \ldots, R_n', \theta \rangle] = [\langle \top, R_1', \ldots, R_n', \theta \rangle] \tag{1}$$

An empty Target always matches. Then

$$[P'] = [\langle \top, R_1, \ldots, R_n, \theta \rangle] = [P] \tag{2}$$

Case 2. If $T = I$, then:

Case 2.1. If $\exists i \in [1 - n]$, ($T_i = I$ or $T_i = \top$) and ($C_i = \top$ or $C_i = I$), then $T \wedge T_i = I$.
Then

$$[R_i'] = I \tag{3}$$

(because $C_i = \top$ or $C_i = I$).
So

$$[P'] = [\langle \mathit{Null}, R_1', \ldots, R_n', \theta \rangle] = [\langle \top, R_1', \ldots, R_n', \theta \rangle] = \mathit{comAlg}([R_1'], \ldots, [R_n']) \tag{4}$$

($\mathit{comAlg}$ is the function that evaluates decisions of $[R_1'], \ldots, [R_n']$ according to the combining algorithm used).
So

$$[P'] = I \tag{5}$$

(at least one Rule evaluated to Indeterminate).
On the other hand, $[R_i] = \top$ or $I$, then $[P] = I$ (Target $= I$).
So

$$[P'] = [P] \tag{6}$$

Case 2.2. If for any $i \in [1 - n]$, ($T_i = \bot$ or $C_i = \bot$), then for any $i \in [1 - n]$, $[R_i'] = [R_i] = \bot$.

$$[P'] = [\langle \mathit{Null}, R_1', \ldots, R_n', \theta \rangle] = [\langle \top, R_1', \ldots, R_n', \theta \rangle] = \bot \tag{7}$$

And

$$[P] = [\langle I, R_1, \ldots, R_n, \theta \rangle] = \bot = [P'] \tag{8}$$
Table 4: PolicySet truth table.

| Target | Policy or PolicySet | PolicySet |
|---|---|---|
| $\top$ | - | Combining Algo |
| $I$ | $\exists i \in [1 - n],\ P_i = \top$ or $I$ | $I$ |
| $I$ | $\forall i \in [1 - n],\ P_i = \bot$ | $\bot$ |
| $\bot$ | - | $\bot$ |
Case 3. If $T = \bot$, then for any $i \in [1 - n]$, $T \wedge T_i = \bot$.
So for any $i \in [1 - n]$, $[R_i'] = \bot$ and $[R_i] = \bot$.
Then

$$[P'] = [\langle \mathit{Null}, R_1', \ldots, R_n', \theta \rangle] = [\langle \top, R_1', \ldots, R_n', \theta \rangle] = \mathit{comAlg}([R_1'], \ldots, [R_n']) = \bot \tag{9}$$

And

$$[P] = [\langle \bot, R_1, \ldots, R_n, \theta \rangle] = \bot = [P'] \tag{10}$$

The same reasoning applies to a PolicySet composed of a set of Policies or PolicySets, using the truth table in Table 4.
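The case analysis can also be checked mechanically. This added Python example (not from the paper) encodes Tables 2 and 3 as given on this page, models comAlg as the supremum of a three-valued chain (an assumption taken from the page's later statement that the combining function is a least upper bound), and enumerates every combination of T, T_i and C_i to compare [P] with [P']. It goes one step beyond the text by also running a constructed combiner that is not a supremum, for which the two evaluations differ.

```python
from itertools import product

TOP, IND, BOT = "T", "I", "F"            # the page's three values: top, I, bottom
VALUES = (TOP, IND, BOT)
RANK = {BOT: 0, IND: 1, TOP: 2}          # bottom < I < top, used for conjunction

def conj(a, b):
    """T AND T_i as tabulated in Table 2: the smaller of the two values."""
    return min(a, b, key=RANK.get)

def rule_value(target, condition):
    """[R_i] per Table 2: bottom if either part is bottom, top only if both are top."""
    return min(target, condition, key=RANK.get)

def policy_value(target, rule_values, com_alg):
    """[P] per Table 3."""
    if target == TOP:
        return com_alg(rule_values)
    if target == IND:
        return IND if any(v != BOT for v in rule_values) else BOT
    return BOT

def original(target, rules, com_alg):
    """[P] for P = <T, R_1..R_n, theta>, each rule given as (T_i, C_i)."""
    return policy_value(target, [rule_value(t, c) for t, c in rules], com_alg)

def flattened(target, rules, com_alg):
    """[P'] for P' = <Null, R_1'..R_n', theta> with R_i' = <Effect, T AND T_i, C_i>."""
    # The empty Target of P' always matches, hence TOP.
    return policy_value(TOP, [rule_value(conj(target, t), c) for t, c in rules], com_alg)

def sup(order):
    """Combining algorithm modelled as the supremum of a chain, least value first."""
    rank = {value: i for i, value in enumerate(order)}
    return lambda values: max(values, key=rank.get)

def all_must_apply(values):
    """Constructed combiner that is NOT a supremum: the smallest rule value wins."""
    return min(values, key=RANK.get)

def counterexamples(n, com_alg):
    """Every (T, [(T_i, C_i), ...]) with n rules for which [P] != [P']."""
    found = []
    for target in VALUES:
        for flat in product(VALUES, repeat=2 * n):
            rules = list(zip(flat[0::2], flat[1::2]))
            if original(target, rules, com_alg) != flattened(target, rules, com_alg):
                found.append((target, rules))
    return found

if __name__ == "__main__":
    for order in ((BOT, IND, TOP), (BOT, TOP, IND)):
        for n in (1, 2, 3):
            print(order, n, len(counterexamples(n, sup(order))))
    print("non-supremum combiner:", counterexamples(2, all_must_apply)[:1])
```

With either chain ordering the enumeration finds no difference between [P] and [P'], while the non-supremum combiner breaks the equality as soon as the Policy Target is Indeterminate and one Rule does not apply.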
4.3. Policy and PolicySet Elements with No Obligation or Advice Elements. Obligation or Advice are operations that must be fulfilled in conjunction with an authorization decision (permit or deny authorization decision). ObligationExpression or AdviceExpression elements may be added optionally in Rule, Policy, or PolicySet elements.
Obligation and Advice do not affect the access decision, but they are fulfilled when the access decision is equal to the value specified in the FulfillOn attribute for the Obligation element and the AppliesTo attribute for the Advice element.
So, since Obligation and Advice do not affect the access decision, we can nest them into the nested Rule elements. This results in a redundancy in ObligationExpression and AdviceExpression elements, but it will be overcome when mapping to another XACML profile.
4.4. Substitute Nested PolicySet Elements by Their Contents. Generic-XACML is based on XACML but defines a specific arborescence of the elements. It contains a root PolicySet with an empty Target and a nested Policy element that has an empty Target as well, and a set of nested Rule elements. In Section 4.2 we have proved that a Target of a Policy/PolicySet can be nested to their composite Rules/Policies/PolicySets without changing the global decision evaluation. In this section we prove that if a PolicySet is nested into another PolicySet, its Target is empty, and its combining algorithm is the same as the container PolicySet, then it can be eliminated and substituted by its contents, as illustrated in Figure 4.
Proof. Let $CPS$ be the Container PolicySet element and $NPS_i$ with $i \in [1 - n]$ be its Nested PolicySet elements. All of the container and nested PolicySet elements have an empty Target.
Figure 4: Substitute nested PolicySet elements by their contents.

$\mathit{comAlg}$ is the function that evaluates a set of decisions according to the combining algorithm used. Then the decision evaluation of the $CPS$ is

$$[CPS] = \mathit{comAlg}([NPS_1], \ldots, [NPS_n]) \tag{11}$$

And

$$[NPS_i] = \mathit{comAlg}([P_{i1}], \ldots, [P_{i m_i}]) \quad \text{for any } i \in [1 - n] \tag{12}$$

$P_{i1}, \ldots, P_{i m_i}$ are nested policies for the PolicySet $NPS_i$ and $m_i$ is their number.
Let us prove that

$$[CPS] = \mathit{comAlg}([P_{11}], \ldots, [P_{1 m_1}], \ldots, [P_{n1}], \ldots, [P_{n m_n}]) \tag{13}$$

We use the multivalued approach presented in [29], where they define for each combining algorithm a lattice $(V_6, \le_{CA})$, where $V_6$ is the set $\{\bot, I_d, I_p, I_{dp}, \top_d, \top_p\}$ and the ordering $\le_{CA}$ is defined according to the combining algorithm specification.
So the combining algorithm function applied to a set $S$ of $V_6$ is the least upper bound, the supremum ($\sup$), of $S$.
Then

$$[CPS] = \sup([NPS_1], \ldots, [NPS_n]) = \sup(\sup([P_{11}], \ldots, [P_{1 m_1}]), \ldots, \sup([P_{n1}], \ldots, [P_{n m_n}])) \tag{14}$$

If we have the same combining algorithm (the same ordering) for every $NPS_i$, then

$$\sup(\sup([P_{11}], \ldots, [P_{1 m_1}]), \ldots, \sup([P_{n1}], \ldots, [P_{n m_n}])) = \sup([P_{11}], \ldots, [P_{1 m_1}], \ldots, [P_{n1}], \ldots, [P_{n m_n}]) \tag{15}$$

Then

$$[CPS] = \sup([P_{11}], \ldots, [P_{1 m_1}], \ldots, [P_{n1}], \ldots, [P_{n m_n}]) \tag{16}$$

So if we eliminate all nested PolicySet elements and substitute them by their nested Policy elements, the decision evaluation does not change.
4.5. Merging All Policy Elements into One Policy. Now we prove that all nested Rules can be merged into only one Policy element if all Policy elements have the same combining algorithm. We show that this transformation does not affect the decision evaluation of the container PolicySet.
Proof. Let $CPS$ be the Container PolicySet and $NP_i$ for $i \in [1 - n]$ be the nested Policy elements and $NP$ the resulting nested Policy. All of these elements (the container PolicySet, the nested policies, and the resulting Policy) have an empty Target and the same combining algorithm.
The evaluations of $CPS$, $NP_i$, and $NP$ are

$$[CPS] = \mathit{comAlg}([NP_1], \ldots, [NP_n]) \tag{17}$$

$[NP_i] = \mathit{comAlg}([R_{i1}], \ldots, [R_{i m_i}])$ for any $i \in [1 - n]$, where $R_{i1}, \ldots, R_{i m_i}$ are nested Rules for the Policy $NP_i$.

$$[NP] = \mathit{comAlg}([R_{11}], \ldots, [R_{1 m_1}], \ldots, [R_{n1}], \ldots, [R_{n m_n}]) \tag{18}$$

We prove that

$$[CPS] = [NP] \tag{19}$$

If we follow the same reasoning as above and we suppose we have the same combining algorithm for all policies (the same ordering), we can prove that

$$[CPS] = \sup([NP_1], \ldots, [NP_n]) = \sup(\sup([R_{11}], \ldots, [R_{1 m_1}]), \ldots, \sup([R_{n1}], \ldots, [R_{n m_n}])) = \sup([R_{11}], \ldots, [R_{1 m_1}], \ldots, [R_{n1}], \ldots, [R_{n m_n}]) = [NP] \tag{20}$$
5. Mapping from Generic-XACML to XACML Profiles
Once we obtain the Generic-XACML policy, we can reform it into the desirable XACML profile. This involves encompassing Rules into policies and PolicySets according to the profile specifications. In this section we describe how to map from Generic-XACML to a specific XACML profile. We follow two main steps:
(1) Reproducing a customized policy that conforms to the profile specifications.
(2) Optimizing the resulting policy.
For both steps, the sorts of transformations we carry out are as follows:
(i) Inserting container Policy or PolicySet elements having an empty Target element and the same combining algorithm as the initial policy.
(ii) Moving constraints that are common between the nested elements from their Targets to the Target of the container element.
(iii) Moving the ObligationExpression or AdviceExpression elements that are common between the nested elements to the container element.
These transformations do not affect the decision evaluation of the global policy, as is proved in Section 4.

Input: Generic-XACML document
Output: XACML-RBAC document
Create a root PolicySet in XACML-RBAC document with an empty Target
For i = 1 to rulesnumber do
    Parse Target of rule i in Generic-XACML document
    If Target designate the Subject then
        currentValue = value(Subject)
        Append a role PolicySet with Target designating currentValue for the Subject
        Insert a Permissions PolicySet with an empty Target
        Insert a policy with an empty Target
        RoleRules[] = rule i
        For j = i+1 to rulesnumber do
            Parse Target of rule j
            If value(Subject) = currentValue then
                RoleRules[] = rule j
        Alter RoleRules Targets: delete constraint about currentValue
        Insert RoleRules into the policy
Return XACML-RBAC document

Algorithm 2: Mapping from Generic-XACML to XACML-RBAC profile.
5.1. Conformance to Specific Profile. For a generic policy to conform to profile specifications, it is transformed and customized by a specific algorithm that depends on the profile and that differs from one profile to another. For illustration purposes, we touch on RBAC and UCON profiles.
5.1.1. Mapping from Generic-XACML to XACML-RBAC Profile. To translate a policy from Generic-XACML into the XACML-RBAC profile, we follow Algorithm 2.
In conformance with XACML-RBAC profile specifications, the resulting document will contain a root PolicySet element with an empty Target. On the other side, the original document is parsed. Then the Targets of the Rules are browsed. So for each possible value of the Subject, we create a PolicySet element representing a Role and a nested PolicySet element with an empty Target representing the Role permissions. As for the PolicySet representing the Role, the Target will contain a nesting of an AnyOf, an AllOf, and a Match element. The latter designates the current value of the Subject. Then all Rules that contain a Match element that satisfies the current Subject are selected and inserted in a Policy element nested into the PolicySet representing permissions. Before rules are inserted, their Targets are altered in such a way as to eliminate the Match element that designates the current value of the Subject.
Rules containing no Match element that designates a Subject are considered as Rules concerning all Subjects. Then these Rules are inserted into every PolicySet element representing a role.
Special Case. Algorithm 2 consists of factoring Rules into policies. The factor is a Match element that designates the Subject. This is only possible if Targets are logically expressed as a conjunction of Match elements. If an AnyOf element contains more than one AllOf element, the Target will be evaluated as a conjunction of disjunctions of conjunctions of Match elements. We cannot factorize by Match element. In this case our algorithm will compare the AnyOf element as a whole rather than comparing only the Match element.
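Algorithm 2 and its special case, as an added Python example rather than the authors' code: Rules are grouped by the whole Subject AnyOf of their Target, which covers both the single-Match case and the multi-AllOf special case. The Generic-XACML input, the identifiers and the helper names are constructed; raising an error when no Rule names a Subject is an assumption of this example, chosen so that Rules are never dropped silently.

```python
import copy
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"   # XACML 3.0 core namespace
STR = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ATTRIBUTE_ID = {SUBJECT: "urn:oasis:names:tc:xacml:2.0:subject:role",
                RESOURCE: "urn:oasis:names:tc:xacml:1.0:resource:resource-id"}
P_ALG = "urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides"
R_ALG = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides"

def q(tag):
    return f"{{{NS}}}{tag}"

def rule_xml(rule_id, *constraints):
    """Constructed Rule: each (category, values) pair becomes one AnyOf, one AllOf per value."""
    target = ""
    for category, values in constraints:
        target += "<AnyOf>" + "".join(
            f'<AllOf><Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">'
            f'<AttributeValue DataType="{STR}">{value}</AttributeValue>'
            f'<AttributeDesignator Category="{category}" AttributeId="{ATTRIBUTE_ID[category]}" '
            f'DataType="{STR}" MustBePresent="false"/></Match></AllOf>'
            for value in values) + "</AnyOf>"
    return f'<Rule RuleId="{rule_id}" Effect="Permit"><Target>{target}</Target></Rule>'

# Constructed Generic-XACML input (not from the paper). r3 names no Subject;
# r5 is the special case: its Subject AnyOf holds two AllOf elements.
GENERIC = (
    f'<PolicySet xmlns="{NS}" PolicySetId="generic" Version="1.0" PolicyCombiningAlgId="{P_ALG}">'
    f'<Target/><Policy PolicyId="generic" Version="1.0" RuleCombiningAlgId="{R_ALG}"><Target/>'
    + rule_xml("r1", (SUBJECT, ["manager"]), (RESOURCE, ["orders"]))
    + rule_xml("r2", (SUBJECT, ["clerk"]), (RESOURCE, ["orders"]))
    + rule_xml("r3", (RESOURCE, ["catalog"]))
    + rule_xml("r4", (SUBJECT, ["manager"]), (RESOURCE, ["invoices"]))
    + rule_xml("r5", (SUBJECT, ["manager", "auditor"]), (RESOURCE, ["ledger"]))
    + "</Policy></PolicySet>")

def subject_anyof(rule):
    """The AnyOf in the Rule Target whose designators all name the Subject category, or None."""
    target = rule.find(q("Target"))
    for anyof in ([] if target is None else target):
        if {d.get("Category") for d in anyof.iter(q("AttributeDesignator"))} == {SUBJECT}:
            return anyof
    return None

def key(anyof):
    """Canonical form of a whole AnyOf, so that equal constraints compare equal."""
    clone = copy.deepcopy(anyof)
    clone.tail = None
    return ET.canonicalize(ET.tostring(clone, encoding="unicode"), strip_text=True)

def container(parent, tag, ident, alg):
    """Create a PolicySet or Policy with an empty Target (appended to parent if given)."""
    attrs = {tag + "Id": ident, "Version": "1.0",
             ("Policy" if tag == "PolicySet" else "Rule") + "CombiningAlgId": alg}
    node = ET.Element(q(tag), attrs) if parent is None else ET.SubElement(parent, q(tag), attrs)
    ET.SubElement(node, q("Target"))
    return node

def to_rbac_profile(generic_xml):
    src = ET.fromstring(generic_xml)
    p_alg = src.get("PolicyCombiningAlgId")
    r_alg = src.find(q("Policy")).get("RuleCombiningAlgId")
    rules = list(src.iter(q("Rule")))
    roles = {}                                   # canonical key -> Subject AnyOf, first seen first
    for rule in rules:
        anyof = subject_anyof(rule)
        if anyof is not None:
            roles.setdefault(key(anyof), anyof)
    if rules and not roles:                      # assumption of this example: fail, do not drop
        raise ValueError("no Rule designates a Subject; nothing to attach the Rules to")
    root = container(None, "PolicySet", "root", p_alg)
    for n, (role_key, anyof) in enumerate(roles.items(), 1):
        role_ps = container(root, "PolicySet", f"RPS:{n}", p_alg)
        role_ps.find(q("Target")).append(copy.deepcopy(anyof))
        permissions = container(role_ps, "PolicySet", f"PPS:{n}", p_alg)
        policy = container(permissions, "Policy", f"permissions:{n}", r_alg)
        for rule in rules:                       # document order is kept inside each role
            own = subject_anyof(rule)
            if own is not None and key(own) != role_key:
                continue
            clone = copy.deepcopy(rule)
            if own is not None:                  # the Role Target now carries this constraint
                clone.find(q("Target")).remove(subject_anyof(clone))
            policy.append(clone)                 # Rules without a Subject go to every role
    return root

def roles_summary(rbac):
    """[(values in the Role Target, [(RuleId, values left in the Rule Target)])]."""
    return [([v.text for v in role_ps.find(q("Target")).iter(q("AttributeValue"))],
             [(r.get("RuleId"), [v.text for v in r.iter(q("AttributeValue"))])
              for r in role_ps.iter(q("Rule"))])
            for role_ps in rbac.findall(q("PolicySet"))]
```

On the constructed input, `r3` is copied into all three Role PolicySets and `r5` gets a role of its own whose Target is the complete two-branch AnyOf.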
5.1.2. Mapping from Generic-XACML to XACML-UCON Profile. The XACML-UCON profile described in [25] is an implementation of the UCONABC model [30] that fulfills XACML specifications and categorizes policies into 3 types: Authorizations, oBligations, and Conditions. The particularity of UCON is the Continuity of Usage and Mutable Attributes that are expressed as XACML Obligations within the Policy element. So mapping to the UCON profile consists of categorizing original Rules into three categories: Authorizations A, oBligations B, and Conditions C. Then each category is divided into two subcategories: pre- (evaluated only once) and ongoing (continuous re-evaluation). So the resulting document will contain eventually six types of Policy: preA, preB, preC, onA, onB, and onC.

Input: Generic-XACML document
Output: XACML-UCON document
create a root PolicySet in XACML-UCON document
for i = 1 to rulesnumber do
    parse Target of rule i in Generic-XACML document
    if exist any element designating Environment attribute then
        if exist obligation specifying the request interval for ongoing control then
            onCRules[] = rule i
        else
            preCRules[] = rule i
    else if exist condition element in rule i then
        if exist obligation specifying the request interval for ongoing control then
            onBRules[] = rule i
        else
            preBRules[] = rule i
    else
        if exist obligation specifying the request interval for ongoing control then
            onARules[] = rule i
        else
            preARules[] = rule i
if preARules is not empty then
    insert preAPolicy
    insert preARules into preAPolicy
if onARules is not empty then
    insert onAPolicy
    insert onARules into onAPolicy
if preBRules is not empty then
    insert preBPolicy
    insert preBRules into preBPolicy
if onBRules is not empty then
    insert onBPolicy
    insert onBRules into onBPolicy
if preCRules is not empty then
    insert preCPolicy
    insert preCRules into preCPolicy
if onCRules is not empty then
    insert onCPolicy
    insert onCRules into onCPolicy
return XACML-UCON document

Algorithm 3: Mapping from Generic-XACML to XACML-UCON profile.
Algorithm 3 shows how to execute the mapping from Generic-XACML to the XACML-UCON profile. Rules of the original document are parsed. If a Rule contains at least one element that designates or selects an XACML Environment attribute, it will be considered as a Condition C. If it contains an XACML Condition element, it will be considered as an oBligation B. Otherwise, it will be considered as an Authorization A. On the other hand, if the Rule contains an XACML Obligation element with an AttributeAssignment element which specifies the time interval between continuous policy re-evaluations, the Rule is inserted in the resulting document inside an ongoing Policy (onA, onB, or onC). Otherwise, it is inserted inside a pre Policy (preA, preB, or preC).
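The classification performed by Algorithm 3, as an added example that is not code from the paper or its authors. The function names, the sample document and the `urn:example:` identifiers are assumptions; in particular the AttributeId that marks the re-evaluation interval is a placeholder, since the page does not name one.

```python
import copy
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
ENV = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
# Hypothetical AttributeId for the re-evaluation interval; the page names none.
INTERVAL_ID = "urn:example:ucon:reevaluation-interval"
ORDER = ["preA", "onA", "preB", "onB", "preC", "onC"]


def q(name):
    return f"{{{XACML}}}{name}"


def local(elem):
    return elem.tag.rsplit("}", 1)[-1]


def classify(rule):
    """Return preA/onA/preB/onB/preC/onC for one Generic-XACML Rule."""
    target = rule.find(q("Target"))
    refs = [] if target is None else [
        e for e in target.iter()
        if local(e) in ("AttributeDesignator", "AttributeSelector")]
    if any(e.get("Category") == ENV for e in refs):
        kind = "C"      # Condition (UCON sense): an Environment attribute
    elif rule.find(q("Condition")) is not None:
        kind = "B"      # oBligation: an XACML Condition element
    else:
        kind = "A"      # Authorization: everything else
    ongoing = any(
        local(e).startswith("AttributeAssignment")
        and e.get("AttributeId") == INTERVAL_ID
        for e in rule.iter())
    return ("on" if ongoing else "pre") + kind


def to_ucon(generic_xml):
    """Map a Generic-XACML document to a PolicySet of up to six Policies."""
    src = ET.fromstring(generic_xml)
    src_policy = src.find(q("Policy"))
    buckets = {name: [] for name in ORDER}
    for rule in src_policy.findall(q("Rule")):
        buckets[classify(rule)].append(copy.deepcopy(rule))
    root = ET.Element(q("PolicySet"), dict(src.attrib))
    ET.SubElement(root, q("Target"))
    for name in ORDER:
        if buckets[name]:       # only non-empty categories get a Policy
            policy = ET.SubElement(root, q("Policy"), dict(src_policy.attrib))
            policy.set("PolicyId", name + "Policy")
            ET.SubElement(policy, q("Target"))
            policy.extend(buckets[name])
    return root


# Constructed sample fragments and document (not from the paper).
XSD = "http://www.w3.org/2001/XMLSchema#"


def sample_target(category):
    """Constructed Target with one string-equal Match on the given category."""
    return ('<Target><AnyOf><AllOf><Match MatchId='
            '"urn:oasis:names:tc:xacml:1.0:function:string-equal">'
            f'<AttributeValue DataType="{XSD}string">x</AttributeValue>'
            f'<AttributeDesignator Category="{category}" DataType="{XSD}string" '
            'AttributeId="urn:example:attr" MustBePresent="false"/>'
            '</Match></AllOf></AnyOf></Target>')


CONDITION = (f'<Condition><AttributeValue DataType="{XSD}boolean">true'
             '</AttributeValue></Condition>')
INTERVAL = ('<ObligationExpressions><ObligationExpression FulfillOn="Permit" '
            'ObligationId="urn:example:ucon:ongoing">'
            f'<AttributeAssignmentExpression AttributeId="{INTERVAL_ID}">'
            f'<AttributeValue DataType="{XSD}integer">60</AttributeValue>'
            '</AttributeAssignmentExpression></ObligationExpression>'
            '</ObligationExpressions>')
SAMPLE_GENERIC = f"""
<PolicySet xmlns="{XACML}" PolicySetId="generic" Version="1.0" PolicyCombiningAlgId=
  "urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">
 <Target/>
 <Policy PolicyId="rules" Version="1.0" RuleCombiningAlgId=
   "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="r1" Effect="Permit">{sample_target(SUBJECT)}</Rule>
  <Rule RuleId="r2" Effect="Permit">{sample_target(ENV)}</Rule>
  <Rule RuleId="r3" Effect="Permit">{sample_target(SUBJECT)}{CONDITION}{INTERVAL}</Rule>
  <Rule RuleId="r4" Effect="Permit">{sample_target(SUBJECT)}{INTERVAL}</Rule>
 </Policy>
</PolicySet>"""

if __name__ == "__main__":
    for pol in to_ucon(SAMPLE_GENERIC).findall(q("Policy")):
        print(pol.get("PolicyId"), [r.get("RuleId") for r in pol.findall(q("Rule"))])
```

Because the Environment test comes first, a Rule that carries both an Environment attribute and a Condition element lands in a C Policy, which is the precedence Algorithm 3 gives.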
5.2. Optimizing Policies. When mapping from Generic-XACML to any XACML profile, the resulting policy could have redundancies in Target, Advice, or Obligation elements, or a large number of Rules in one Policy element, which makes it costly for the Policy Decision Point in terms of execution time. In this subsection, we propose an algorithm to optimize the resulting policies.
This algorithm (Algorithm 4) consists of regrouping Rules into policies based on common values of attributes in the Target element. Therefore, the algorithm iterates over attribute categories. The attribute categories and their order are selected based on the model (e.g., we follow the order Resource, Action, then Environment for the RBAC model). So for each attribute category and for each Policy element, Rules are parsed. Then, if the Rule Target designates the current attribute category, its value is compared with the attribute category value of other Rules. Thus, Rules with equal attribute category values are combined into a sibling Policy (a new Policy having the same parent as the current Policy). Its Target will contain a nesting of an AnyOf, an AllOf, and a Match element. The latter designates the current value of the current category of attribute.

    Input: XACML document
    Forall attribute categories do
        Forall Policy elements do
            evaluate rulesnumber of current policy
            If rulesnumber ≥ 2 then    (policy with one rule does not need optimization)
                For i = 1 to rulesnumber do
                    parse Target of rule i
                    If Target designates current attribute category then
                        CurrentValue = value(attribute category)
                        combinedRules[] = rule i
                        For j = i+1 to rulesnumber do
                            parse Target of rule j
                            If value(attribute category) = CurrentValue then
                                combinedRules[] = rule j
                        If length(combinedRules) ≥ 2 then
                            If length(combinedRules) = rulesnumber then
                                alter Target of current Policy element
                                alter combinedRules Targets
                            Else
                                create sibling policy with Target designating CurrentValue for attr category
                                alter combinedRules Targets
                                move combinedRules to the new sibling policy

Algorithm 4: Optimizing policies.
If a resulting document contains a large number of Policy elements, this algorithm can be extended to combine Policy elements into PolicySet elements with the same instructions.
Other constraints can be added to the algorithm depending on the profile specifications (e.g., the Target of a PolicySet representing a role in the RBAC profile designates only Subject attributes).
Special Case. Similarly to Algorithm 2, if an AnyOf element contains more than one AllOf element, the algorithm will compare the AnyOf element as a whole rather than comparing only the Match element.
As for obligations and advices, if all Rules within a Policy element have the same ObligationExpression or the same AdviceExpression element, then this expression is moved to the parent Policy.
6. Conclusion and Future Research
In this paper, we propose Access Control in Cross-Organizational coLLABoration (ACCOLLAB), which tackles the problem of heterogeneity of access control models across organizations while respecting the internal access control model of each organization involved in a collaboration.
This solution is based on a mechanism for automatically mapping between policies in different models. We considered the previously proposed ontology-based semantic mapping process to deal with semantic correspondences and focus on syntactic transformations of the heterogeneous policies to propose a complete solution.
This automatic mapping is based on XACML profiles and the generic language Generic-XACML we have defined. Thus we have given a logic proof for all of the mapping steps.
Thus our generic access control model ACCOLLAB solves the heterogeneity problem, ensures interoperability across organizations, and maintains the privacy of each collaborating organization.
We are working to implement our mapping algorithms using the XACML implementation Balana; then we are going to complete the implementation of the policy mapping architecture based on WSO2 servers.
Besides that, we intend to extend XACML in order to find equivalence between combining algorithms, so that our proposed mechanism covers heterogeneous combining algorithms.
Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.
Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.
References
[1] R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman, “Role-based access control models,” The Computer Journal, vol. 29, no. 2, pp. 38–47, 1996.
[2] R. K. Thomas and R. S. Sandhu, “Task-based authorization controls (TBAC): a family of models for active and enterprise-oriented authorization management,” in Database Security XI, IFIP Advances in Information and Communication Technology, pp. 166–181, Springer US, Boston, MA, 1998.
[3] E. Yuan and J. Tong, “Attributed based access control (ABAC) for web services,” in Proceedings of the IEEE International Conference on Web Services (ICWS’05), pp. 561–569, IEEE, July 2005.
[4] A. A. E. Kalam, R. E. Baida, P. Balbiani et al., “Organization based access control,” in Proceedings of the 4th IEEE International Workshop on Policies for Distributed Systems and Networks, pp. 120–131, 2003.
[5] A. Kalam and Y. El, “Multi-OrBAC: a New Access Control Model for Distributed, Heterogeneous and Collaborative Systems,” in Proceedings of the 8th IEEE International Symposium on Systems and Information Security, p. 1, 2006.
[6] A. Kamoun and S. Tazi, “A semantic role-based access control for intra and inter-organization collaboration,” in Proceedings of the 23rd IEEE International WETICE Conference, WETICE 2014, pp. 86–91, Italy, June 2014.
[7] W. Zhou and C. Meinel, “Team and task based RBAC access control model,” in Proceedings of the 2007 Latin American Network Operations and Management Symposium - LANOMS 2007, pp. 84–94, Brazil, September 2007.
[8] J. Li, J. Zic, N. Oakes, D. Liu, and C. Wang, “Design and evaluation of an integrated collaboration platform for secure information sharing,” in Cooperative Design, Visualization, and Engineering, vol. 9929 of Lecture Notes in Computer Science, pp. 185–193, Springer International Publishing, Cham, 2016.
[9] F. Liang, H. Guo, S. Yi, and S. Ma, “A multiple-policy supported attribute-based access control architecture within large-scale device collaboration systems,” Journal of Networks, vol. 7, no. 3, pp. 524–531, 2012.
[10] S. Sicari, A. Rizzardi, D. Miorandi, and A. Coen-Porisini, “Dynamic policies in internet of things: enforcement and synchronization,” IEEE Internet of Things Journal, vol. 4, no. 6, pp. 2228–2238, 2017.
[11] A. Almutairi, M. Sarfraz, S. Basalamah, W. Aref, and A. Ghafoor, “A distributed access control architecture for cloud computing,” IEEE Software, vol. 29, no. 2, pp. 36–44, 2012.
[12] H. Xiang, X. Xia, H. Hu, J. Sang, and C. Ye, “Approaches to access control policy comparison and the inter-domain role mapping problem,” Information Technology and Control, vol. 45, no. 3, pp. 278–288, 2016.
[13] Z. Wu and L. Wang, “An innovative simulation environment for cross-domain policy enforcement,” Simulation Modelling Practice and Theory, vol. 19, no. 7, pp. 1558–1583, 2011.
[14] Z.-W. Wang, “A generic access control model based on ontology,” in Proceedings of the 2010 IEEE International Conference on Wireless Communications, Networking and Information Security, WCNIS 2010, pp. 335–339, China, June 2010.
[15] S. Haguouche and Z. Jarir, “Managing heterogeneous access control models cross-organization,” in Proceedings of the International Conference on Risks and Security of Internet and Systems, pp. 222–229, 2015.
[16] S. Haguouche and Z. Jarir, “Generic access control model and semantic mapping between heterogeneous policies,” International Journal of Technology Diffusion (IJTD), vol. 9, no. 4, pp. 52–65, 2018.
[17] S. Haguouche and Z. Jarir, “Toward a generic access control model,” in Proceedings of the 3rd IEEE World Conference on Complex Systems, WCCS 2015, pp. 1–6, IEEE, Morocco, November 2015.
[18] R. Xu, Y. Chen, E. Blasch, and G. Chen, “A federated capability-based access control mechanism for Internet of Things (IoTs),” in Proceedings of the Sensors and Systems for Space Applications XI, International Society for Optics and Photonics, 2018.
[19] L. Duan, Y. Zhang, S. Chen et al., “Automated policy combination for secure data sharing in cross-organizational collaborations,” IEEE Access, vol. 4, pp. 3454–3468, 2016.
[20] G. Geethakumari, A. Negi, and V. N. Sastry, “A cross - Domain role mapping and authorization framework for RBAC in grid systems,” International Journal of Computer Science and Application, vol. 6, no. 1, pp. 1–12, 2009.
[21] D. Preuveneers, W. Joosen, and E. Ilie-Zudor, “Policy reconciliation for access control in dynamic cross-enterprise collaborations,” Enterprise Information Systems, vol. 12, no. 3, pp. 279–299, 2018.
[22] C. Esposito, “Interoperable, dynamic and privacy-preserving access control for cloud data storage when integrating heterogeneous organizations,” Journal of Network and Computer Applications, vol. 108, pp. 124–136, 2018.
[23] OASIS XACML Technical Committee, “eXtensible Access Control Markup Language (XACML) Version 3.0,” http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html, accessed July 2018.
[24] OASIS XACML Technical Committee, “XACML v3.0 core and hierarchical Role Based Access Control (RBAC) profile version 1.0 (committee specification 02),” http://docs.oasis-open.org/xacml/3.0/rbac/v1.0/xacml-3.0-rbac-v1.0.html, accessed July 2018.
[25] Y. Ghazi, R. Masood, M. A. Shibli, and S. Khurshid, “Usage-based access control for cloud applications,” in Innovative Solutions for Access Control Management, pp. 197–223, 2016.
[26] G. Karjoth, A. Schade, and E. Van Herreweghen, “Implementing ACL-based policies in XACML,” in Proceedings of the 24th Annual Computer Security Applications Conference, ACSAC 2008, pp. 183–192, USA, December 2008.
[27] M. Xu, D. Wijesekera, and X. Zhang, “Towards session-aware RBAC administration and enforcement with XACML,” in Proceedings of the 2009 IEEE International Symposium on Policies for Distributed Systems and Networks, 2009.
[28] X. Jin, R. Krishnan, and R. Sandhu, “A unified attribute-based access control model covering DAC, MAC and RBAC,” Lecture Notes in Computer Science, vol. 7371, pp. 41–55, 2012.
[29] C. D. P. K. Ramli, H. R. Nielson, and F. Nielson, “The logic of XACML,” Science of Computer Programming, vol. 83, pp. 80–105, 2014.
[30] J. Park and R. Sandhu, “The UCON_ABC usage control model,” ACM Transactions on Information and System Security, vol. 7, no. 1, pp. 128–174, 2004.
[Figure 2 (diagram). Box labels: Policy in RBAC, Policy in ABAC, Policy in UCON; Policy in XACML profile for RBAC, Policy in XACML profile for ABAC, Policy in XACML profile for UCON; Policy in Generic-XACML. Stage labels: Translation to/from XACML profile; Unifying/customizing the XACML syntax.]
Figure 2: Mechanism of policy mapping between heterogeneous models.
systems; existing systems will not be changed, only policies will be automatically translated.
In the next subsections, we give an overview of XACML and XACML profiles. Then we give a definition of our Generic-XACML language.
3.1. XACML Overview. Recall that XACML (eXtensible Access Control Markup Language) [23] is a standardized access control policy and decision language based on XML. The core of XACML defines policies by hierarchical components. The root element is the PolicySet; it contains Policy and/or other PolicySet elements. A Policy element contains a set of one or more Rule elements. A Rule element contains a condition that is evaluated to either True or False. A Rule element represents a single authorization or prohibition depending on its effect, which is either Permit or Deny. XACML provides Combining Algorithms that operate to combine decisions or effects of multiple Policy or Rule elements into a single decision, via a Policy Combining Algorithm for Policy elements and via a Rule Combining Algorithm for Rule elements.
Rule, Policy, and PolicySet elements include a Target element to specify their applicability to the access control request and, optionally, an obligationExpressions element or an adviceExpressions element to define obligations or advices, respectively. The Target element may be empty or a conjunction of a disjunction (AnyOf elements) of a conjunction (AllOf element) of Subject, Resource, Action, and/or Environment conditions expressed as Match elements. Subject, Resource, Action, and Environment are the four attribute categories defined by XACML.
3.2. XACML Profiles
3.2.1. XACML-RBAC Profile. [24] defines a profile to meet the requirements for RBAC. The RBAC profile of XACML (XACML-RBAC) expresses a way to use the standard XACML within the RBAC model.
In this profile, each Role is defined by a PolicySet element. It contains a Target element that makes the PolicySet applicable only to Subjects having the XACML Attribute associated with the given Role. The Target element does not restrict the Resource, Action, or Environment. This Role PolicySet element contains a unique PolicySet that defines the actual Permissions associated with the Role. Such a PolicySet contains PolicySet, Policy, and Rule elements that describe the resources and actions that subjects are permitted to access, along with any further environmental conditions such as time of day. A given Permission PolicySet may also contain references to Permission PolicySet elements associated with other Roles (hierarchy).
The Target element of a Permission PolicySet and its included or referenced PolicySet, Policy, and Rule elements must not limit the subjects to which the PolicySet is applicable.
3.2.2. XACML-UCON Profile. [25] defines a profile (XACML-UCON) for the use of XACML in expressing policies that would ensure usage control as defined in the UCON model. In this profile, Authorizations are specified by XACML Subject and XACML Resource in the Target element. Obligations are specified by XACML Condition. Conditions (the UCON concept) are specified by XACML Environment. Rights are specified by XACML Action. Continuity of usage decision will be expressed in the XACML Obligation within the Policy element. It would contain an AttributeAssignment which will specify the time interval between continuous policy re-evaluations.
Mutable Attributes are specified within XACML Obligations as XACML AttributeAssignment. The AttributeId is where the name of the mutable attribute is specified.
3.2.3. Other XACML Profiles. Other works like [26–28] define XACML profiles for Access Control List (ACL) and ABAC models. In the same way, other profiles for other models can be developed, since XACML offers the possibility to express any concept as attributes. Thus we can map any existing policy into the XACML policy language. The profile will specify the particularity of the model by specifying:
(i) The correlation between the model concepts and the categories of attributes
(ii) The categories of attributes to put in for some Target elements
(iii) The nesting of the XACML elements (specify the number of children of some elements)
(iv) The combining algorithms that are used
3.3. Generic-XACML. When organizations engage in collaboration, access control policies related to the shared Requestees (services or resources) are translated to the XACML profile for the model adopted by the provider organization. Then these policies are automatically mapped to Generic-XACML and shared jointly with the requestees. Later, these policies are automatically mapped to the XACML profile for the model adopted by the consumer organization and finally translated to the consumer model. So Generic-XACML is a high-level language that serves as an intermediate for the mapping. Generic-XACML is inspired by XACML: it matches the XACML specifications for policy definition and restricts the core XACML by the following constraints:
(i) It contains a root PolicySet element with an empty Target
(ii) The root PolicySet contains exactly one nested Policy element with an empty Target as well
(iii) The Policy element contains a set of nested Rule elements and optionally a set of Obligation and/or Advice elements
Figure 3 depicts a pseudo code of the structure of a Generic-XACML policy.
In Sections 4 and 5, we show in more detail how to map between Generic-XACML and XACML profiles, and we prove the equivalence between policies.
Figure 3: A pseudo code of the structure of a Generic-XACML policy.
Table 1: Possible values of XACML elements.

| Symbol | Match and Target value | Condition value | Rule, Policy, and PolicySet value |
|---|---|---|---|
| $\top$ | Match | True | Applicable (either permit or deny) |
| $\bot$ | Not match | False | Not applicable |
| $I$ | Indeterminate | Indeterminate | Indeterminate |
3.4. Policy Decision Evaluation for XACML and Generic-XACML. The Rule evaluation depends on the Target evaluation and the Condition evaluation [23]. The Target value can be either match, not match, or indeterminate. The value indeterminate can be obtained if an error occurred or some required value was missing, so a decision cannot be made.
The Condition element is a set of propositional formulae which is evaluated to either True, False, or Indeterminate. An empty Condition or an empty Target is always evaluated to True. The evaluation of a Rule element is either applicable, not applicable, or Indeterminate. An applicable Rule has effect either deny or permit. Finally, the evaluation of Policy and PolicySet elements is based on a combining algorithm, of which the result can be either applicable (with its effect either deny or permit), not applicable, or indeterminate.
In this paper, we refer to the formal XACML elements evaluation developed in [29]. In this work, the authors use a three-valued logic represented by the three symbols ($\top$, $\bot$, $I$) that correspond to XACML elements evaluation. Table 1 depicts the mapping between these three logic values and XACML elements evaluation.
In order to distinguish whether an applicable policy permits access or denies it, this three-valued logic is extended to a multivalued logic represented by the set $V_6 = \{\bot, I_d, I_p, I_{dp}, \top_d, \top_p\}$, where the subscript $d$ denotes Deny, the subscript $p$ denotes Permit, and the subscript $dp$ denotes Deny Permit.
    Input: XACML profile document
    Output: Generic-XACML document
    Require: unified combining algorithm
    Create PolicySet element with empty Target
    Create Policy element with empty Target
    Parse the XACML document
    forall PolicySet element do
        forall Policy element do
            forall Rule element do
                Combine Rule Target with current policy and PolicySet Targets
                Combine Rule obligationExpressions with current policy and PolicySet obligationExpressions
                Combine Rule AdviceExpressions with current policy and PolicySet AdviceExpressions
                Insert current Rule in the Generic-XACML document
    Return Generic-XACML document

Algorithm 1: Mapping from one XACML profile to Generic-XACML.
4. Mapping from XACML Profiles to the Generic-XACML
In this section, we show that any policy written in an XACML profile can be mapped into our generic language. We explain how to proceed in order to map to the Generic-XACML without altering the logic of the policy and its decision evaluation. The following are the steps of transformation of the original policy written in an XACML profile.
Step 1. Unifying the combining algorithms (in our study, we focus on the case where we have the same combining algorithm in all Policy and PolicySet elements).
Step 2. Nesting the Target of the Policy and PolicySet elements into their composite Rule elements and combining them with the Rule Target, so that we obtain all Policy and PolicySet elements with an empty Target.
Step 3. Nesting of all ObligationExpression and AdviceExpression elements of the Policy and PolicySet elements into their composite Rule elements by inserting them into the ObligationExpressions element or into the AdviceExpressions element of the Rule.
Step 4. If a PolicySet is nested into another PolicySet, its Target is empty, and its combining algorithm is the same as the container PolicySet, then it will be eliminated and substituted by its content.
Step 5. In order to obtain only one Policy element, we substitute all Policy elements by one Policy element that contains the content of all nested Rules together (they must have the same combining algorithm and an empty Target).
These steps can be carried out through Algorithm 1, which allows mapping from any XACML document to a Generic-XACML document. In the next subsections, we prove that these transformations do not affect the decision evaluation of the policy.
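Steps 2 to 5 applied to a small document, as an added example that is not code from the paper or its authors. It assumes inline Policy and PolicySet elements (no PolicySetIdReference or PolicyIdReference) and treats Step 1 as a precondition that is checked, not performed; the function names, the sample document and the `urn:example:` identifiers are assumptions.

```python
import copy
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
INHERITED = (("Target", "AnyOf"), ("ObligationExpressions", "ObligationExpression"),
             ("AdviceExpressions", "AdviceExpression"))


def q(name):
    return f"{{{XACML}}}{name}"


def local(elem):
    return elem.tag.rsplit("}", 1)[-1]


def parts(node):
    """AnyOf, obligation and advice children of node, one list per INHERITED pair."""
    boxes = [node.find(q(wrapper)) for wrapper, _ in INHERITED]
    return [[] if box is None else box.findall(q(item))
            for box, (_, item) in zip(boxes, INHERITED)]


def merge_rule(rule, outer):
    """Copy a Rule with everything its ancestors contribute pushed into it."""
    out = ET.Element(q("Rule"), dict(rule.attrib))
    merged = [[copy.deepcopy(e) for e in above + own]
              for above, own in zip(outer, parts(rule))]
    # A Target is a conjunction of AnyOf elements, so AND is concatenation.
    ET.SubElement(out, q("Target")).extend(merged[0])
    cond = rule.find(q("Condition"))
    if cond is not None:
        out.append(copy.deepcopy(cond))
    for (wrapper, _), items in zip(INHERITED[1:], merged[1:]):
        if items:
            ET.SubElement(out, q(wrapper)).extend(items)
    return out


def walk(node, outer, sink):
    """Depth-first walk that appends each merged Rule to sink (Steps 2 to 5)."""
    outer = [above + own for above, own in zip(outer, parts(node))]
    for child in node:
        if local(child) in ("PolicySet", "Policy"):
            walk(child, outer, sink)
        elif local(child) == "Rule":
            sink.append(merge_rule(child, outer))


def to_generic(profile_xml):
    """Return the Generic-XACML tree for an inline XACML PolicySet document."""
    src = ET.fromstring(profile_xml)
    boxes = [e for e in src.iter() if local(e) in ("PolicySet", "Policy")]
    algs = {(e.get("PolicyCombiningAlgId") or e.get("RuleCombiningAlgId", ""))
            .rsplit(":", 1)[-1] for e in boxes}
    if len(algs) != 1:      # Step 1 is a precondition here, not performed
        raise ValueError(f"unify combining algorithms first: {sorted(algs)}")
    rule_alg = next(e.get("RuleCombiningAlgId") for e in boxes if local(e) == "Policy")
    root = ET.Element(q("PolicySet"), {
        "PolicySetId": "generic", "Version": "1.0",
        "PolicyCombiningAlgId": src.get("PolicyCombiningAlgId")})
    ET.SubElement(root, q("Target"))
    policy = ET.SubElement(root, q("Policy"), {
        "PolicyId": "generic-rules", "Version": "1.0", "RuleCombiningAlgId": rule_alg})
    ET.SubElement(policy, q("Target"))
    walk(src, [[], [], []], policy)
    return root


# Constructed sample (not from the paper): nested PolicySets and one obligation.
ANY_OF = ('<AnyOf><AllOf><Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">'
          '<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">{v}'
          '</AttributeValue><AttributeDesignator MustBePresent="false" AttributeId='
          '"urn:example:{c}-id" DataType="http://www.w3.org/2001/XMLSchema#string" '
          'Category="urn:oasis:names:tc:xacml:3.0:attribute-category:{c}"/>'
          '</Match></AllOf></AnyOf>')
P_ALG = "urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides"
R_ALG = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
LOG = ('<ObligationExpressions><ObligationExpression FulfillOn="Permit" '
       'ObligationId="urn:example:log"/></ObligationExpressions>')
SAMPLE_PROFILE = f"""
<PolicySet xmlns="{XACML}" PolicySetId="ps" Version="1.0" PolicyCombiningAlgId="{P_ALG}">
 <Target>{ANY_OF.format(c='resource', v='record')}</Target>
 <Policy PolicyId="p1" Version="1.0" RuleCombiningAlgId="{R_ALG}">
  <Target>{ANY_OF.format(c='environment', v='ward-3')}</Target>
  <Rule RuleId="r1" Effect="Permit"><Target>{ANY_OF.format(c='action', v='read')}</Target></Rule>
  <Rule RuleId="r2" Effect="Deny"/>{LOG}
 </Policy>
 <PolicySet PolicySetId="nested" Version="1.0" PolicyCombiningAlgId="{P_ALG}"><Target/>
  <Policy PolicyId="p2" Version="1.0" RuleCombiningAlgId="{R_ALG}"><Target/>
   <Rule RuleId="r3" Effect="Permit"><Target>{ANY_OF.format(c='action', v='write')}</Target></Rule>
  </Policy></PolicySet>
</PolicySet>"""

if __name__ == "__main__":
    for r in to_generic(SAMPLE_PROFILE).iter(q("Rule")):
        print(r.get("RuleId"), [len(p) for p in parts(r)])
```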
Table 2: Rules truth table.

| $T$ | $T_i$ | $C_i$ | $T \wedge T_i$ | $R_i$ | $R_i'$ |
|---|---|---|---|---|---|
| $\top$ | $-$ | $-$ | $T_i$ | $-$ | $R_i$ |
| $I$ | $\top$ or $I$ | $\top$ or $I$ | $I$ | $\top$ or $I$ | $I$ |
| $I$ | $\bot$ | $-$ | $\bot$ | $\bot$ | $\bot$ |
| $I$ | $-$ | $\bot$ | $-$ | $\bot$ | $\bot$ |
| $\bot$ | $-$ | $-$ | $\bot$ | $\bot$ | $\bot$ |
4.1. Unifying the Combining Algorithms. To carry out the above transformations without affecting the global decision evaluation, we should have the same combining algorithm in the transformed elements. However, to come up with equivalence between combining algorithms, we need to extend XACML by proposing other elements. To avoid encumbering this paper, we suppose we have the same combining algorithm in all Policy and PolicySet elements.
4.2. Policy and PolicySet Elements with an Empty Target. We prove that a Target of a Policy/PolicySet element can be nested to their composite Rule/Policy/PolicySet elements without changing the global decision evaluation, so that by repeating this transformation we obtain an empty Target for any Policy or PolicySet element.
Proof. Let $P = \langle T, R_1, \ldots, R_n, \theta \rangle$ be a representation of a Policy, where $T$ is the Policy Target, $R_i = \langle \mathit{Effect}, T_i, C_i \rangle$ for $i \in [1\text{--}n]$ are $n$ nested Rules with $T_i$ the Rule Target and $C_i$ the condition for the Rule $i$, and $\theta$ is the combining algorithm.
And let $P' = \langle \mathit{Null}, R_1', \ldots, R_n', \theta \rangle$ be the transformed Policy, where the Target is empty and $R_i' = \langle \mathit{Effect}, T \wedge T_i, C_i \rangle$ for any $i \in [1\text{--}n]$ are nested Rules, with $T \wedge T_i$ the conjunction of $T$ and $T_i$.
We base on the truth tables (Tables 2 and 3) [23] to prove that the evaluation of the Policy $P$ is the same as $P'$: $[P] = [P']$ (we use the notation $[\,]$ to express the evaluation of a Rule, Policy, or PolicySet).
Table 3: Policy truth table.

| Target | Rules | Policy |
|---|---|---|
| $\top$ | $-$ | Combining Algo |
| $I$ | $\exists i \in [1\text{--}n],\ R_i = \top$ or $I$ | $I$ |
| $I$ | $\forall i \in [1\text{--}n],\ R_i = \bot$ | $\bot$ |
| $\bot$ | $-$ | $\bot$ |
Case 1. If $T = \top$, then for any $i \in [1\text{--}n]$, $T \wedge T_i = T_i$, so the evaluation of the nested Rules does not change, $[R_i'] = [R_i]$, and then

$$[P'] = [\langle \mathit{Null}, R_1', \ldots, R_n', \theta \rangle] = [\langle \top, R_1', \ldots, R_n', \theta \rangle] \tag{1}$$

An empty Target always matches. Then

$$[P'] = [\langle \top, R_1, \ldots, R_n, \theta \rangle] = [P] \tag{2}$$

Case 2. If $T = I$, then:

Case 2.1. If $\exists i \in [1\text{--}n]$, ($T_i = I$ or $T_i = \top$) and ($C_i = \top$ or $C_i = I$), then $T \wedge T_i = I$.
Then

$$[R_i'] = I \tag{3}$$

(because $C_i = \top$ or $C_i = I$).
So

$$[P'] = [\langle \mathit{Null}, R_1', \ldots, R_n', \theta \rangle] = [\langle \top, R_1', \ldots, R_n', \theta \rangle] = \mathit{comAlg}([R_1'], \ldots, [R_n']) \tag{4}$$

($\mathit{comAlg}$ is the function that evaluates decisions of $[R_1'], \ldots, [R_n']$ according to the combining algorithm used).
So

$$[P'] = I \tag{5}$$

(at least one Rule evaluated to Indeterminate).
On the other hand, $[R_i] = \top$ or $I$, then $[P] = I$ (Target $= I$).
So

$$[P'] = [P] \tag{6}$$

Case 2.2. If for any $i \in [1\text{--}n]$, ($T_i = \bot$ or $C_i = \bot$), then for any $i \in [1\text{--}n]$, $[R_i'] = [R_i] = \bot$.

$$[P'] = [\langle \mathit{Null}, R_1', \ldots, R_n', \theta \rangle] = [\langle \top, R_1', \ldots, R_n', \theta \rangle] = \bot \tag{7}$$

And

$$[P] = [\langle I, R_1, \ldots, R_n, \theta \rangle] = \bot = [P'] \tag{8}$$
Table 4: PolicySet truth table.

| Target | Policy or PolicySet | PolicySet |
|---|---|---|
| $\top$ | $-$ | Combining Algo |
| $I$ | $\exists i \in [1\text{--}n],\ P_i = \top$ or $I$ | $I$ |
| $I$ | $\forall i \in [1\text{--}n],\ P_i = \bot$ | $\bot$ |
| $\bot$ | $-$ | $\bot$ |
Case 3. If $T = \bot$, then for any $i \in [1\text{--}n]$, $T \wedge T_i = \bot$.
So for any $i \in [1\text{--}n]$, $[R_i'] = \bot$ and $[R_i] = \bot$.
Then

$$[P'] = [\langle \mathit{Null}, R_1', \ldots, R_n', \theta \rangle] = [\langle \top, R_1', \ldots, R_n', \theta \rangle] = \mathit{comAlg}([R_1'], \ldots, [R_n']) = \bot \tag{9}$$

And

$$[P] = [\langle \bot, R_1, \ldots, R_n, \theta \rangle] = \bot = [P'] \tag{10}$$

The same reasoning holds for a PolicySet composed of a set of policies or PolicySets, with the truth table in Table 4.
4.3. Policy and PolicySet Elements with No Obligation or Advice Elements. Obligation or Advice are operations that must be fulfilled in conjunction with an authorization decision (permit or deny authorization decision). ObligationExpression or AdviceExpression elements may be added optionally in Rule, Policy, or PolicySet elements.
Obligation and Advice do not affect the access decision, but they are fulfilled when the access decision is equal to the value specified in the FulfillOn attribute for the Obligation element and the AppliesTo attribute for the Advice element.
So, since Obligation and Advice do not affect the access decision, we can nest them into the nested Rule elements. This results in redundancy in ObligationExpression and AdviceExpression elements, but it will be overcome when mapping to another XACML profile.
4.4. Substitute Nested PolicySet Elements by Their Contents. Generic-XACML is based on XACML but defines a specific tree structure of the elements. It contains a root PolicySet with an empty Target and a nested Policy element that has an empty Target as well and a set of nested Rule elements. In Section 4.2, we have proved that a Target of a Policy/PolicySet can be nested to their composite Rules/Policies/PolicySets without changing the global decision evaluation. In this section, we prove that if a PolicySet is nested into another PolicySet, its Target is empty, and its combining algorithm is the same as the container PolicySet, then it can be eliminated and substituted by its contents, as illustrated in Figure 4.
Proof. Let $\mathit{CPS}$ be the Container PolicySet element and $\mathit{NPS}_i$ with $i \in [1\text{--}n]$ be its Nested PolicySet elements. All of the container and nested PolicySet elements have an empty Target.
Figure 4: Substitute nested PolicySet elements by their contents.
$\mathit{comAlg}$ is the function that evaluates a set of decisions according to the combining algorithm used. Then the decision evaluation of the $\mathit{CPS}$ is

$$[\mathit{CPS}] = \mathit{comAlg}([\mathit{NPS}_1], \ldots, [\mathit{NPS}_n]) \tag{11}$$

And

$$[\mathit{NPS}_i] = \mathit{comAlg}([P_{i1}], \ldots, [P_{im_i}]) \quad \text{for any } i \in [1\text{--}n] \tag{12}$$

$P_{i1}, \ldots, P_{im_i}$ are nested policies for the PolicySet $\mathit{NPS}_i$ and $m_i$ is their number.
Let us prove that

$$[\mathit{CPS}] = \mathit{comAlg}([P_{11}], \ldots, [P_{1m_1}], \ldots, [P_{n1}], \ldots, [P_{nm_n}]) \tag{13}$$

We use the multivalued approach presented in [29], where they define for each combining algorithm a lattice $(V_6, \le_{CA})$, where $V_6$ is the set $\{\bot, I_d, I_p, I_{dp}, \top_d, \top_p\}$ and the ordering $\le_{CA}$ is defined according to the combining algorithm specification.
So the combining algorithm function applied to a set $S$ of $V_6$ is the least upper bound, the supremum ($\sup$), of $S$.
Then

$$[\mathit{CPS}] = \sup([\mathit{NPS}_1], \ldots, [\mathit{NPS}_n]) = \sup(\sup([P_{11}], \ldots, [P_{1m_1}]), \ldots, \sup([P_{n1}], \ldots, [P_{nm_n}])) \tag{14}$$

If we have the same combining algorithm (the same ordering) for every $\mathit{NPS}_i$, then

$$\sup(\sup([P_{11}], \ldots, [P_{1m_1}]), \ldots, \sup([P_{n1}], \ldots, [P_{nm_n}])) = \sup([P_{11}], \ldots, [P_{1m_1}], \ldots, [P_{n1}], \ldots, [P_{nm_n}]) \tag{15}$$

Then

$$[\mathit{CPS}] = \sup([P_{11}], \ldots, [P_{1m_1}], \ldots, [P_{n1}], \ldots, [P_{nm_n}]) \tag{16}$$

So if we eliminate all nested PolicySet elements and substitute them by their nested Policy elements, the decision evaluation does not change.
4.5. Merging All Policy Elements into One Policy. Now we prove that all nested Rules can be merged into only one Policy element if all Policy elements have the same combining algorithm. We show that this transformation does not affect the decision evaluation of the container PolicySet.

Proof. Let $\mathit{CPS}$ be the Container PolicySet, $\mathit{NP}_i$ for $i \in [1 - n]$ be the nested Policy elements, and $\mathit{NP}$ the resulting nested Policy. All of these elements (the container PolicySet, the nested policies and the resulting Policy) have an empty Target and the same combining algorithm.

The evaluations of $\mathit{CPS}$, $\mathit{NP}_i$ and $\mathit{NP}$ are

$$[\mathit{CPS}] = \mathit{comAlg}([\mathit{NP}_1], \ldots, [\mathit{NP}_n]) \tag{17}$$

$[\mathit{NP}_i] = \mathit{comAlg}([R_{i1}], \ldots, [R_{im_i}])$ for any $i \in [1 - n]$, where $R_{i1}, \ldots, R_{im_i}$ are the nested Rules of the Policy $\mathit{NP}_i$.

$$[\mathit{NP}] = \mathit{comAlg}([R_{11}], \ldots, [R_{1m_1}], \ldots, [R_{n1}], \ldots, [R_{nm_n}]) \tag{18}$$
We prove that
$$[\mathit{CPS}] = [\mathit{NP}] \tag{19}$$

If we follow the same reasoning as above and suppose we have the same combining algorithm for all policies, the same ordering, we can prove that

$$
\begin{aligned}
[\mathit{CPS}] &= \sup([\mathit{NP}_1], \ldots, [\mathit{NP}_n]) \\
&= \sup(\sup([R_{11}], \ldots, [R_{1m_1}]), \ldots, \sup([R_{n1}], \ldots, [R_{nm_n}])) \\
&= \sup([R_{11}], \ldots, [R_{1m_1}], \ldots, [R_{n1}], \ldots, [R_{nm_n}]) = [\mathit{NP}]
\end{aligned}
\tag{20}
$$
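The equivalences (16) and (20) can be checked exhaustively. The following is an added example, not code from the paper: it implements the XACML 3.0 permit-overrides and deny-overrides algorithms over the six values of $V_6$ and compares nested against flattened evaluation. The tree encoding and all function names are assumptions of this example, and every container is assumed to have an empty Target.

```python
from itertools import product

# Labels for the six values of V6 (the naming is this example's own).
NA, I_D, I_P, I_DP, DENY, PERMIT = "NA", "I_d", "I_p", "I_dp", "Deny", "Permit"
V6 = (NA, I_D, I_P, I_DP, DENY, PERMIT)

def permit_overrides(decisions):
    """XACML 3.0 permit-overrides with the extended Indeterminate values."""
    ds = set(decisions)
    if PERMIT in ds:
        return PERMIT
    if I_DP in ds or (I_P in ds and (I_D in ds or DENY in ds)):
        return I_DP
    for value in (I_P, DENY, I_D):
        if value in ds:
            return value
    return NA

def deny_overrides(decisions):
    """XACML 3.0 deny-overrides, the mirror image of permit-overrides."""
    ds = set(decisions)
    if DENY in ds:
        return DENY
    if I_DP in ds or (I_D in ds and (I_P in ds or PERMIT in ds)):
        return I_DP
    for value in (I_D, PERMIT, I_P):
        if value in ds:
            return value
    return NA

# A node is either a decision label (an already evaluated Policy or Rule)
# or a pair (algorithm, children) standing for a container with an empty Target.
def evaluate(node):
    if isinstance(node, str):
        return node
    algorithm, children = node
    return algorithm([evaluate(child) for child in children])

def leaves(node):
    if isinstance(node, str):
        return [node]
    return [leaf for child in node[1] for leaf in leaves(child)]

def flatten(node):
    """Substitute every nested container by its contents, keeping the outer algorithm."""
    return (node[0], leaves(node))

def mismatches(outer, inner, group_sizes=(2, 2)):
    """Try every assignment of V6 values; return those where flattening changes the decision."""
    found = []
    for values in product(V6, repeat=sum(group_sizes)):
        it = iter(values)
        tree = (outer, [(inner, [next(it) for _ in range(size)]) for size in group_sizes])
        if evaluate(tree) != evaluate(flatten(tree)):
            found.append(values)
    return found

if __name__ == "__main__":
    print("same algorithm :", len(mismatches(permit_overrides, permit_overrides)))
    print("mixed algorithm:", len(mismatches(deny_overrides, permit_overrides)))
```

With one algorithm throughout, no assignment changes the decision; with deny-overrides outside and permit-overrides inside, a nested set holding Permit and Deny evaluates to Permit but flattens to Deny, which is why the same-algorithm precondition is required.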
5. Mapping from Generic-XACML to XACML Profiles

Once we obtain the Generic-XACML policy, we can reform it into the desired XACML profile. This involves encompassing Rules into policies and PolicySets according to the profile specifications. In this section, we describe how to map from Generic-XACML to a specific XACML profile. We follow two main steps:

(1) Reproducing a customized policy that conforms to the profile specifications

(2) Optimizing the resulting policy

For both steps, the sorts of transformations we carry out are as follows:

(i) Inserting container Policy or PolicySet elements having an empty Target element and the same combining algorithm as the initial policy

(ii) Moving constraints that are common between the nested elements from their Targets to the Target of the container element

(iii) Moving the ObligationExpression or AdviceExpression elements that are common between the nested elements to the container element

These transformations do not affect the decision evaluation of the global policy, as proved in Section 4.

Algorithm 2: Mapping from Generic-XACML to XACML-RBAC profile.

    Input: Generic-XACML document
    Output: XACML-RBAC document
    Create a root PolicySet in XACML-RBAC document with an empty Target
    For i=1 to rulesnumber do
        Parse Target of rule i in Generic-XACML document
        If Target designates the Subject then
            currentValue = value(Subject)
            Append a role PolicySet with Target designating currentValue for the Subject
            Insert a Permissions PolicySet with an empty Target
            Insert a policy with an empty Target
            RoleRules[] = rule i
            For j=i+1 to rulesnumber do
                Parse Target of rule j
                If value(Subject) = currentValue then
                    RoleRules[] = rule j
            Alter RoleRules Targets: delete constraint about currentValue
            Insert RoleRules into the policy
    Return XACML-RBAC document
5.1. Conformance to Specific Profile. For a generic policy to conform to profile specifications, it is transformed and customized by a specific algorithm that depends on the profile and that differs from one profile to another. For illustration purposes, we touch on the RBAC and UCON profiles.

5.1.1. Mapping from Generic-XACML to XACML-RBAC Profile. To translate a policy from Generic-XACML into the XACML-RBAC profile, we follow Algorithm 2.

In conformance with the XACML-RBAC profile specifications, the resulting document will contain a root PolicySet element with an empty Target. On the other side, the original document is parsed. Then the Targets of the Rules are browsed. So for each possible value of the Subject, we create a PolicySet element representing a Role and a nested PolicySet element with an empty Target representing the Role permissions. As for the PolicySet representing the Role, the Target will contain a nesting of an AnyOf, an AllOf and a Match element. The latter designates the current value of the Subject. Then all Rules that contain a Match element that satisfies the current Subject are selected and inserted in a Policy element nested into the PolicySet representing permissions. Before the Rules are inserted, their Targets are altered so as to eliminate the Match element that designates the current value of the Subject.

Rules containing no Match element that designates a Subject are considered as Rules concerning all Subjects. These Rules are then inserted into every PolicySet element representing a role.

Special Case. Algorithm 2 consists of factoring Rules into policies. The factor is a Match element that designates the Subject. This is only possible if Targets are logically expressed as a conjunction of Match elements. If an AnyOf element contains more than one AllOf element, the Target will be evaluated as a conjunction of disjunctions of conjunctions of Match elements, and we cannot factorize by Match element. In this case, our algorithm will compare the AnyOf element as a whole rather than comparing only the Match element.
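The grouping performed by Algorithm 2 can be exercised on a small model. This is an added example, not the authors' implementation: it assumes each Target is a conjunction of at most one Match per category, uses permit-overrides over Permit/Deny/NotApplicable without Indeterminate, and all names and the sample rules are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Rule:
    rule_id: str
    effect: str          # "Permit" or "Deny"
    target: tuple = ()   # conjunction of (category, value) Match pairs

def matches(target, request):
    return all(request.get(cat) == val for cat, val in target)

def permit_overrides(decisions):
    if "Permit" in decisions:
        return "Permit"
    return "Deny" if "Deny" in decisions else "NotApplicable"

def eval_generic(rules, request):
    """Generic-XACML form: one Policy with an empty Target holding all Rules."""
    return permit_overrides([r.effect for r in rules if matches(r.target, request)])

def to_rbac(rules):
    """Algorithm 2: one role per Subject value, Rules stored without their Subject Match."""
    roles, unscoped = {}, []
    for r in rules:
        subject = dict(r.target).get("subject")
        if subject is None:
            unscoped.append(r)               # no Subject Match: concerns all Subjects
        else:
            rest = tuple(m for m in r.target if m[0] != "subject")
            roles.setdefault(subject, []).append(Rule(r.rule_id, r.effect, rest))
    for role_rules in roles.values():
        role_rules.extend(unscoped)          # inserted into every role PolicySet
    return roles

def eval_rbac(roles, request):
    """RBAC form: a role PolicySet applies only if its Target matches the Subject."""
    decisions = [eval_generic(role_rules, request)
                 for role, role_rules in roles.items()
                 if matches((("subject", role),), request)]
    return permit_overrides(decisions)

# Constructed sample policy in the generic form.
GENERIC = [
    Rule("r1", "Permit", (("subject", "doctor"), ("resource", "record"), ("action", "read"))),
    Rule("r2", "Permit", (("subject", "doctor"), ("resource", "record"), ("action", "write"))),
    Rule("r3", "Permit", (("subject", "nurse"), ("resource", "record"), ("action", "read"))),
    Rule("r4", "Deny", (("resource", "audit-log"), ("action", "write"))),
    Rule("r5", "Permit", (("resource", "leaflet"), ("action", "read"))),
]

def differing_requests(rules, subjects, resources, actions):
    """Requests for which the generic and the RBAC form return different decisions."""
    roles = to_rbac(rules)
    diffs = []
    for s, res, a in product(subjects, resources, actions):
        request = {"subject": s, "resource": res, "action": a}
        if eval_generic(rules, request) != eval_rbac(roles, request):
            diffs.append(request)
    return diffs

if __name__ == "__main__":
    for d in differing_requests(GENERIC, ["doctor", "nurse", "visitor"],
                                ["record", "audit-log", "leaflet"], ["read", "write"]):
        print("decision differs for", d)
```

In this model both forms agree for every Subject that has a role. For a Subject outside the role set, Rules without a Subject Match no longer apply because they live only inside role PolicySets, so the set of roles needs to cover every Subject the generic policy was meant to serve.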
5.1.2. Mapping from Generic-XACML to XACML-UCON Profile. The XACML-UCON profile described in [25] is an implementation of the UCONABC model [30] that fulfills XACML specifications and categorizes policies into 3 types: Authorizations, oBligations and Conditions. The particularity of UCON is the Continuity of Usage and Mutable Attributes, which are expressed as XACML Obligations within the Policy element. So mapping to the UCON profile consists of categorizing the original Rules into three categories: Authorizations A, oBligations B and Conditions C. Then each category is divided into two subcategories: pre- (evaluated only once) and ongoing (continuous re-evaluation). So the resulting document will eventually contain six types of Policy: preA, preB, preC, onA, onB and onC.

Algorithm 3 shows how to execute the mapping from Generic-XACML to the XACML-UCON profile. Rules of the original document are parsed. So if a Rule contains at least one element that designates or selects an XACML Environment attribute, it will be considered as a Condition C. If it contains an XACML Condition element, it will be considered as an oBligation B. Otherwise it will be considered as an Authorization A. On the other hand, if the Rule contains an XACML Obligation element with an AttributeAssignment element which specifies the time interval between continuous policy re-evaluations, the Rule is inserted in the resulting document inside an ongoing Policy: onA, onB or onC. Otherwise it is inserted inside a pre Policy: preA, preB or preC.

Algorithm 3: Mapping from Generic-XACML to XACML-UCON profile.

    Input: Generic-XACML document
    Output: XACML-UCON document
    create a root PolicySet in XACML-UCON document
    for i=1 to rulesnumber do
        parse Target of rule i in Generic-XACML document
        if exist any element designating Environment attribute then
            if exist obligation specifying the request interval for ongoing control then
                onCRules[] = rule i
            else
                preCRules[] = rule i
        else if exist condition element in rule i then
            if exist obligation specifying the request interval for ongoing control then
                onBRules[] = rule i
            else
                preBRules[] = rule i
        else
            if exist obligation specifying the request interval for ongoing control then
                onARules[] = rule i
            else
                preARules[] = rule i
    if preARules is not empty then
        insert preAPolicy
        insert preARules into preAPolicy
    if onARules is not empty then
        insert onAPolicy
        insert onARules into onAPolicy
    if preBRules is not empty then
        insert preBPolicy
        insert preBRules into preBPolicy
    if onBRules is not empty then
        insert onBPolicy
        insert onBRules into onBPolicy
    if preCRules is not empty then
        insert preCPolicy
        insert preCRules into preCPolicy
    if onCRules is not empty then
        insert onCPolicy
        insert onCRules into onCPolicy
    return XACML-UCON document
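The classification step of Algorithm 3 can be run against XACML 3.0 markup. This is an added example, not code from the paper or from the UCON profile: the AttributeId used to recognise the re-evaluation interval is a hypothetical placeholder (the profile's real identifier is not given here), and the sample document is constructed. Note the branch order: a Rule whose Condition reads an Environment attribute is classified C, not B.

```python
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
ENV = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
SUBJ = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RES = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
# Hypothetical AttributeId marking the re-evaluation interval (placeholder, see lead-in).
INTERVAL_ID = "urn:example:ucon:reevaluation-interval"
ATTR_REFS = {f"{{{XACML}}}AttributeDesignator", f"{{{XACML}}}AttributeSelector"}

def classify(rule):
    """Return the UCON policy type of one Rule, following Algorithm 3's branch order."""
    uses_env = any(el.tag in ATTR_REFS and el.get("Category") == ENV for el in rule.iter())
    has_condition = rule.find("x:Condition", NS) is not None
    ongoing = any(a.get("AttributeId") == INTERVAL_ID for a in rule.iterfind(
        ".//x:ObligationExpression/x:AttributeAssignmentExpression", NS))
    kind = "C" if uses_env else ("B" if has_condition else "A")
    return ("on" if ongoing else "pre") + kind

def map_to_ucon(generic_xml):
    """Group the RuleIds of a Generic-XACML document by UCON policy type; empty types are omitted."""
    # Policies received from a partner organization are untrusted input; a hardened
    # parser such as defusedxml is the safer choice outside of a demonstration.
    root = ET.fromstring(generic_xml)
    policies = {}
    for rule in root.iterfind("x:Policy/x:Rule", NS):
        policies.setdefault(classify(rule), []).append(rule.get("RuleId"))
    return policies

def _rule(rule_id, target_cat=None, cond_cat=None, ongoing=False):
    """Build one constructed Rule element (sample data only)."""
    des = ('<AttributeDesignator Category="{}" AttributeId="urn:example:attr" '
           'DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>')
    val = '<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">v</AttributeValue>'
    xml = f'<Rule RuleId="{rule_id}" Effect="Permit">'
    if target_cat:
        xml += ('<Target><AnyOf><AllOf>'
                '<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">'
                + val + des.format(target_cat) + '</Match></AllOf></AnyOf></Target>')
    if cond_cat:
        xml += ('<Condition><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">'
                + val + des.format(cond_cat) + '</Apply></Condition>')
    if ongoing:
        xml += ('<ObligationExpressions>'
                '<ObligationExpression ObligationId="urn:example:ucon:ongoing" FulfillOn="Permit">'
                f'<AttributeAssignmentExpression AttributeId="{INTERVAL_ID}">'
                '<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">30</AttributeValue>'
                '</AttributeAssignmentExpression></ObligationExpression></ObligationExpressions>')
    return xml + '</Rule>'

# Constructed Generic-XACML document: root PolicySet, one Policy, empty Targets.
SAMPLE = (f'<PolicySet xmlns="{XACML}" PolicySetId="root" Version="1.0" '
          'PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">'
          '<Target/><Policy PolicyId="generic" Version="1.0" '
          'RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">'
          '<Target/>'
          + _rule("r1", target_cat=SUBJ)
          + _rule("r2", target_cat=SUBJ, ongoing=True)
          + _rule("r3", target_cat=SUBJ, cond_cat=RES)
          + _rule("r4", target_cat=SUBJ, cond_cat=ENV)
          + _rule("r5", target_cat=ENV, ongoing=True)
          + '</Policy></PolicySet>')

if __name__ == "__main__":
    print(map_to_ucon(SAMPLE))
```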
5.2. Optimizing Policies. When mapping from Generic-XACML to any XACML profile, the resulting policy could have redundancies in Target, Advice or Obligation elements, or a large number of Rules in one Policy element, which makes it costly for the Policy Decision Point in terms of execution time. In this subsection, we propose an algorithm to optimize the resulting policies.

This algorithm (Algorithm 4) consists of regrouping Rules into policies based on common values of attributes in the Target element. Therefore the algorithm iterates over attribute categories. The attribute categories and their order are selected based on the model (e.g., we follow the order Resource, Action, then Environment for the RBAC model). So for each attribute category and for each Policy element, Rules are parsed. Then if the Rule Target designates the current attribute category, its value is compared with the attribute category value of the other Rules. Thus Rules with equal attribute category values are combined into a sibling Policy (a new Policy having the same parent as the current Policy). Its Target will contain a nesting of an AnyOf, an AllOf and a Match element. The latter designates the current value of the current category of attribute.

Algorithm 4: Optimizing policies.

    Input: XACML document
    Forall attribute categories do
        Forall Policy elements do
            evaluate rulesnumber of current policy
            If rulesnumber ≥ 2 then    (a policy with one rule does not need optimization)
                For i=1 to rulesnumber do
                    parse Target of rule i
                    If Target designates current attribute category then
                        CurrentValue = value(attribute category)
                        combinedRules[] = rule i
                        For j=i+1 to rulesnumber do
                            parse Target of rule j
                            If value(attribute category) = CurrentValue then
                                combinedRules[] = rule j
                        If length(combinedRules) ≥ 2 then
                            If length(combinedRules) = rulesnumber then
                                alter Target of current Policy element
                                alter combinedRules Targets
                            Else
                                create sibling policy with Target designating CurrentValue for attr category
                                alter combinedRules Targets
                                move combinedRules to the new sibling policy

If a resulting document contains a large number of Policy elements, this algorithm can be extended to combine Policy elements into PolicySet elements with the same instructions.

Other constraints can be added to the algorithm depending on the profile specifications (e.g., the Target of a PolicySet representing a role in the RBAC profile designates only Subject attributes).

Special Case. Similarly to Algorithm 2, if an AnyOf element contains more than one AllOf element, the algorithm will compare the AnyOf element as a whole rather than comparing only the Match element.

As for obligations and advice, if all Rules within a Policy element have the same ObligationExpression or the same AdviceExpression element, then this expression is moved to the parent Policy.
6. Conclusion and Future Research

In this paper, we propose Access Control in Cross-Organizational coLLABoration (ACCOLLAB), which tackles the problem of heterogeneity of access control models across organizations while respecting the internal access control model of each organization involved in a collaboration.

This solution is based on a mechanism for automatically mapping between policies in different models. We considered the previously proposed ontology-based semantic mapping process to deal with semantic correspondences, and focus on syntactic transformations of the heterogeneous policies to propose a complete solution.

This automatic mapping is based on XACML profiles and the generic language Generic-XACML we have defined. We have given a logic proof for all of the mapping steps.

Thus our generic access control model ACCOLLAB solves the heterogeneity problem, ensures interoperability across organizations and maintains the privacy of each collaborating organization.

We are working to implement our mapping algorithms using the XACML implementation Balana; then we are going to complete the implementation of the policy mapping architecture based on WSO2 servers.

Besides that, we intend to extend XACML in order to find equivalence between combining algorithms, so that our proposed mechanism covers heterogeneous combining algorithms.
Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.
Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.
References

[1] R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman, “Role-based access control models,” The Computer Journal, vol. 29, no. 2, pp. 38–47, 1996.
[2] R. K. Thomas and R. S. Sandhu, “Task-based authorization controls (TBAC): a family of models for active and enterprise-oriented authorization management,” in Database Security XI, IFIP Advances in Information and Communication Technology, pp. 166–181, Springer US, Boston, MA, 1998.
[3] E. Yuan and J. Tong, “Attributed based access control (ABAC) for web services,” in Proceedings of the IEEE International Conference on Web Services (ICWS’05), pp. 561–569, IEEE, July 2005.
[4] A. A. E. Kalam, R. E. Baida, P. Balbiani et al., “Organization based access control,” in Proceedings of the 4th IEEE International Workshop on Policies for Distributed Systems and Networks, pp. 120–131, 2003.
[5] A. Kalam and Y. El, “Multi-OrBAC: a New Access Control Model for Distributed, Heterogeneous and Collaborative Systems,” in Proceedings of the 8th IEEE International Symposium on Systems and Information Security, p. 1, 2006.
[6] A. Kamoun and S. Tazi, “A semantic role-based access control for intra and inter-organization collaboration,” in Proceedings of the 23rd IEEE International WETICE Conference, WETICE 2014, pp. 86–91, Italy, June 2014.
[7] W. Zhou and C. Meinel, “Team and task based RBAC access control model,” in Proceedings of the 2007 Latin American Network Operations and Management Symposium - LANOMS 2007, pp. 84–94, Brazil, September 2007.
[8] J. Li, J. Zic, N. Oakes, D. Liu, and C. Wang, “Design and evaluation of an integrated collaboration platform for secure information sharing,” in Cooperative Design, Visualization, and Engineering, vol. 9929 of Lecture Notes in Computer Science, pp. 185–193, Springer International Publishing, Cham, 2016.
[9] F. Liang, H. Guo, S. Yi, and S. Ma, “A multiple-policy supported attribute-based access control architecture within large-scale device collaboration systems,” Journal of Networks, vol. 7, no. 3, pp. 524–531, 2012.
[10] S. Sicari, A. Rizzardi, D. Miorandi, and A. Coen-Porisini, “Dynamic policies in internet of things: enforcement and synchronization,” IEEE Internet of Things Journal, vol. 4, no. 6, pp. 2228–2238, 2017.
[11] A. Almutairi, M. Sarfraz, S. Basalamah, W. Aref, and A. Ghafoor, “A distributed access control architecture for cloud computing,” IEEE Software, vol. 29, no. 2, pp. 36–44, 2012.
[12] H. Xiang, X. Xia, H. Hu, J. Sang, and C. Ye, “Approaches to access control policy comparison and the inter-domain role mapping problem,” Information Technology and Control, vol. 45, no. 3, pp. 278–288, 2016.
[13] Z. Wu and L. Wang, “An innovative simulation environment for cross-domain policy enforcement,” Simulation Modelling Practice and Theory, vol. 19, no. 7, pp. 1558–1583, 2011.
[14] Z.-W. Wang, “A generic access control model based on ontology,” in Proceedings of the 2010 IEEE International Conference on Wireless Communications, Networking and Information Security, WCNIS 2010, pp. 335–339, China, June 2010.
[15] S. Haguouche and Z. Jarir, “Managing heterogeneous access control models cross-organization,” in Proceedings of the International Conference on Risks and Security of Internet and Systems, pp. 222–229, 2015.
[16] S. Haguouche and Z. Jarir, “Generic access control model and semantic mapping between heterogeneous policies,” International Journal of Technology Diffusion (IJTD), vol. 9, no. 4, pp. 52–65, 2018.
[17] S. Haguouche and Z. Jarir, “Toward a generic access control model,” in Proceedings of the 3rd IEEE World Conference on Complex Systems, WCCS 2015, pp. 1–6, IEEE, Morocco, November 2015.
[18] R. Xu, Y. Chen, E. Blasch, and G. Chen, “A federated capability-based access control mechanism for Internet of Things (IoTs),” in Proceedings of the Sensors and Systems for Space Applications XI, International Society for Optics and Photonics, 2018.
[19] L. Duan, Y. Zhang, S. Chen et al., “Automated policy combination for secure data sharing in cross-organizational collaborations,” IEEE Access, vol. 4, pp. 3454–3468, 2016.
[20] G. Geethakumari, A. Negi, and V. N. Sastry, “A cross-domain role mapping and authorization framework for RBAC in grid systems,” International Journal of Computer Science and Application, vol. 6, no. 1, pp. 1–12, 2009.
[21] D. Preuveneers, W. Joosen, and E. Ilie-Zudor, “Policy reconciliation for access control in dynamic cross-enterprise collaborations,” Enterprise Information Systems, vol. 12, no. 3, pp. 279–299, 2018.
[22] C. Esposito, “Interoperable, dynamic and privacy-preserving access control for cloud data storage when integrating heterogeneous organizations,” Journal of Network and Computer Applications, vol. 108, pp. 124–136, 2018.
[23] OASIS XACML Technical Committee, “eXtensible Access Control Markup Language (XACML) Version 3.0,” http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html, accessed July 2018.
[24] OASIS XACML Technical Committee, “XACML v3.0 core and hierarchical Role Based Access Control (RBAC) profile version 1.0 (committee specification 02),” http://docs.oasis-open.org/xacml/3.0/rbac/v1.0/xacml-3.0-rbac-v1.0.html, accessed July 2018.
[25] Y. Ghazi, R. Masood, M. A. Shibli, and S. Khurshid, “Usage-based access control for cloud applications,” in Innovative Solutions for Access Control Management, pp. 197–223, 2016.
[26] G. Karjoth, A. Schade, and E. Van Herreweghen, “Implementing ACL-based policies in XACML,” in Proceedings of the 24th Annual Computer Security Applications Conference, ACSAC 2008, pp. 183–192, USA, December 2008.
[27] M. Xu, D. Wijesekera, and X. Zhang, “Towards session-aware RBAC administration and enforcement with XACML,” in Proceedings of the 2009 IEEE International Symposium on Policies for Distributed Systems and Networks, 2009.
[28] X. Jin, R. Krishnan, and R. Sandhu, “A unified attribute-based access control model covering DAC, MAC and RBAC,” Lecture Notes in Computer Science, vol. 7371, pp. 41–55, 2012.
[29] C. D. P. K. Ramli, H. R. Nielson, and F. Nielson, “The logic of XACML,” Science of Computer Programming, vol. 83, pp. 80–105, 2014.
[30] J. Park and R. Sandhu, “The UCONABC usage control model,” ACM Transactions on Information and System Security, vol. 7, no. 1, pp. 128–174, 2004.
would ensure usage control as defined in the UCON model. In this profile, Authorizations are specified by XACML Subject and XACML Resource in the Target element. Obligations are specified by XACML Condition. Conditions (the UCON concept) are specified by XACML Environment. Rights are specified by XACML Action. The continuity of usage decision will be expressed in the XACML Obligation within the Policy element. It would contain an AttributeAssignment which will specify the time interval between continuous policy re-evaluations.

Mutable Attributes are specified within XACML Obligations as XACML AttributeAssignment. The AttributeId is where the name of the mutable attribute is specified.

3.2.3. Other XACML Profiles. Other works like [26–28] define XACML profiles for Access Control List (ACL) and ABAC models. In the same way, other profiles for other models can be developed, since XACML offers the possibility to express any concept as attributes. Thus we can map any existing policy into the XACML policy language. The profile will specify the particularity of the model by specifying:

(i) The correlation between the model concepts and the categories of attributes

(ii) The categories of attributes to put in for some Target elements

(iii) The nesting of the XACML elements (specifying the number of children of some elements)

(iv) The combining algorithms that are used

3.3. Generic-XACML. When organizations engage in collaboration, access control policies related to the shared Requestees (services or resources) are translated to the XACML profile for the model adopted by the provider organization. Then these policies are automatically mapped to Generic-XACML and shared jointly with the requestees. Later, these policies are automatically mapped to the XACML profile for the model adopted by the consumer organization and finally translated to the consumer model. So Generic-XACML is a high-level language that serves as an intermediate for the mapping. Generic-XACML is inspired by XACML: it matches the XACML specifications for policy definition and restricts the core XACML by the following constraints:

(i) It contains a root PolicySet element with an empty Target.

(ii) The root PolicySet contains exactly one nested Policy element with an empty Target as well.

(iii) The Policy element contains a set of nested Rule elements and optionally a set of Obligation and/or Advice elements.

Figure 3 depicts a pseudo code of the structure of a Generic-XACML policy.

In Sections 4 and 5, we show in more detail how to map between Generic-XACML and XACML profiles, and we prove the equivalence between policies.

Figure 3: A pseudo code of the structure of a Generic-XACML policy.
Table 1: Possible values of XACML elements.

| | Match and Target value | Condition value | Rule, Policy and PolicySet value |
|---|---|---|---|
| $\top$ | Match | True | Applicable (either permit or deny) |
| $\bot$ | Not match | False | Not applicable |
| $I$ | Indeterminate | Indeterminate | Indeterminate |
3.4. Policy Decision Evaluation for XACML and Generic-XACML. The Rule evaluation depends on the Target evaluation and the Condition evaluation [23]. The Target value can be either match, not match or indeterminate. The value indeterminate can be obtained if an error occurred or some required value was missing, so a decision cannot be made.

The Condition element is a set of propositional formulae which is evaluated to either True, False or Indeterminate. An empty Condition or an empty Target is always evaluated to True. The evaluation of a Rule element is either applicable, not applicable or Indeterminate. An applicable Rule has effect either deny or permit. Finally, the evaluation of Policy and PolicySet elements is based on a combining algorithm, of which the result can be either applicable (with its effect either deny or permit), not applicable or indeterminate.

In this paper, we refer to the formal XACML elements evaluation developed in [29]. In this work, the authors use a three-valued logic represented by the three symbols $(\top, \bot, I)$ that correspond to XACML elements evaluation. Table 1 depicts the mapping between these three logic values and XACML elements evaluation.

In order to distinguish whether an applicable policy permits access or denies it, this three-valued logic is extended to a multivalued logic represented by the set $V_6 = \{\bot, I_d, I_p, I_{dp}, \top_d, \top_p\}$, where the subscript $d$ denotes Deny, the subscript $p$ denotes Permit and the subscript $dp$ denotes Deny Permit.
4. Mapping from XACML Profiles to the Generic-XACML

In this section, we show that any policy written in an XACML profile can be mapped into our generic language. We explain how to proceed in order to map to the Generic-XACML without altering the logic of the policy and its decision evaluation. The following are the steps of transformation of the original policy written in an XACML profile.

Step 1. Unifying the combining algorithms (in our study, we focus on the case where we have the same combining algorithm in all Policy and PolicySet elements).

Step 2. Nesting the Target of the Policy and PolicySet elements into their composite Rule elements and combining them with the Rule Target, so that we obtain all Policy and PolicySet elements with an empty Target.

Step 3. Nesting all ObligationExpression and AdviceExpression elements of the Policy and PolicySet elements into their composite Rule elements by inserting them into the ObligationExpressions element or into the AdviceExpressions element of the Rule.

Step 4. If a PolicySet is nested into another PolicySet, its Target is empty and its combining algorithm is the same as the container PolicySet, then it will be eliminated and substituted by its content.

Step 5. In order to obtain only one Policy element, we substitute all Policy elements by one Policy element that contains the content of all nested Rules together (they must have the same combining algorithm and an empty Target).

These steps can be carried out through Algorithm 1, which allows mapping from any XACML document to a Generic-XACML document. In the next subsections, we prove that these transformations do not affect the decision evaluation of the policy.

Algorithm 1: Mapping from one XACML profile to Generic-XACML.

    Input: XACML profile document
    Output: Generic-XACML document
    Require: unified combining algorithm
    Create PolicySet element with empty Target
    Create Policy element with empty Target
    Parse the XACML document
    forall PolicySet element do
        forall Policy element do
            forall Rule element do
                Combine Rule Target with current policy and PolicySet Targets
                Combine Rule ObligationExpressions with current policy and PolicySet ObligationExpressions
                Combine Rule AdviceExpressions with current policy and PolicySet AdviceExpressions
                Insert current Rule in the Generic-XACML document
    Return Generic-XACML document
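Steps 2 to 5 can be tried on a small model before reading the proofs. This is an added example, not the authors' implementation: it assumes Targets are conjunctions of (category, value) matches, a single permit-overrides algorithm everywhere (Step 1), no Indeterminate results, and a dict-based tree whose field names and sample policy are constructed for illustration.

```python
from itertools import product

def matches(target, request):
    """A Target is a conjunction of (category, value) pairs; () is an empty Target."""
    return all(request.get(cat) == val for cat, val in target)

def permit_overrides(decisions):
    if "Permit" in decisions:
        return "Permit"
    return "Deny" if "Deny" in decisions else "NotApplicable"

def evaluate(node, request):
    """Evaluate a Rule (has 'effect') or a Policy/PolicySet (has 'children')."""
    if not matches(node["target"], request):
        return "NotApplicable"
    if "effect" in node:
        return node["effect"]
    return permit_overrides([evaluate(child, request) for child in node["children"]])

def to_generic(root):
    """Push container Targets and obligations into the Rules, then keep one Policy."""
    rules = []
    def walk(node, target, obligations):
        target = target + node["target"]
        obligations = obligations + node.get("obligations", ())
        if "effect" in node:
            rules.append({"id": node["id"], "effect": node["effect"],
                          "target": target, "obligations": obligations})
        else:
            for child in node["children"]:
                walk(child, target, obligations)
    walk(root, (), ())
    policy = {"target": (), "children": rules}
    return {"target": (), "children": [policy]}   # root PolicySet with one Policy

def rule(rule_id, effect, *target):
    return {"id": rule_id, "effect": effect, "target": target}

def container(target, children, obligations=()):
    return {"target": target, "children": children, "obligations": obligations}

# Constructed RBAC-like profile policy: role PolicySets holding one Policy each.
PROFILE = container((), [
    container((("subject", "doctor"),), [
        container((("resource", "record"),), [
            rule("r1", "Permit", ("action", "read")),
            rule("r2", "Permit", ("action", "write")),
        ])], obligations=("log-access",)),
    container((("subject", "nurse"),), [
        container((("resource", "record"),), [
            rule("r3", "Permit", ("action", "read")),
            rule("r4", "Deny", ("action", "write")),
        ], obligations=("notify-owner",))]),
])

def differing_requests(profile, generic):
    """Requests for which the profile policy and its generic form disagree."""
    domain = product(("doctor", "nurse", "visitor"), ("record", "leaflet"), ("read", "write"))
    requests = [dict(zip(("subject", "resource", "action"), combo)) for combo in domain]
    return [r for r in requests if evaluate(profile, r) != evaluate(generic, r)]

if __name__ == "__main__":
    generic = to_generic(PROFILE)
    for r in generic["children"][0]["children"]:
        print(r["id"], r["effect"], r["target"], r["obligations"])
    print("differing requests:", differing_requests(PROFILE, generic))
```

The obligations copied into each Rule illustrate the redundancy that Step 3 introduces in the generic form.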
Table 2: Rules truth table.

| $T$ | $T_i$ | $C_i$ | $T \wedge T_i$ | $R_i$ | $R_i'$ |
|---|---|---|---|---|---|
| $\top$ | − | − | $T_i$ | − | $R_i$ |
| $I$ | $\top$ or $I$ | $\top$ or $I$ | $I$ | $\top$ or $I$ | $I$ |
| $I$ | $\bot$ | − | $\bot$ | $\bot$ | $\bot$ |
| $I$ | − | $\bot$ | − | $\bot$ | $\bot$ |
| $\bot$ | − | − | $\bot$ | $\bot$ | $\bot$ |
4.1. Unifying the Combining Algorithms. To carry out the above transformations without affecting the global decision evaluation, we should have the same combining algorithm in the transformed elements. However, to come up with equivalence between combining algorithms, we need to extend XACML by proposing other elements. To avoid encumbering this paper, we suppose we have the same combining algorithm in all Policy and PolicySet elements.

4.2. Policy and PolicySet Elements with an Empty Target. We prove that the Target of a Policy/PolicySet element can be nested into its composite Rule/Policy/PolicySet elements without changing the global decision evaluation, so that by repeating this transformation we obtain an empty Target for any Policy or PolicySet element.

Proof. Let $P = \langle T, R_1, \ldots, R_n, \theta \rangle$ be a representation of a Policy, where $T$ is the Policy Target, $R_i = \langle \mathit{Effect}, T_i, C_i \rangle$ for $i \in [1 - n]$ are $n$ nested Rules with $T_i$ the Rule Target and $C_i$ the condition for the Rule $i$, and $\theta$ is the combining algorithm.

And let $P' = \langle \mathit{Null}, R_1', \ldots, R_n', \theta \rangle$ be the transformed Policy, where the Target is empty and $R_i' = \langle \mathit{Effect}, T \wedge T_i, C_i \rangle$ for any $i \in [1 - n]$ are the nested Rules, with $T \wedge T_i$ the conjunction of $T$ and $T_i$.

We rely on the truth tables (Tables 2 and 3) [23] to prove that the evaluation of the Policy $P$ is the same as that of $P'$: $[P] = [P']$ (we use the notation $[\,\cdot\,]$ to express the evaluation of a Rule, Policy or PolicySet).
Table 3: Policy truth table.

| Target | Rules | Policy |
|---|---|---|
| $\top$ | − | Combining Algo |
| $I$ | $\exists i \in [1 - n],\ R_i = \top$ or $I$ | $I$ |
| $I$ | $\forall i \in [1 - n],\ R_i = \bot$ | $\bot$ |
| $\bot$ | − | $\bot$ |
Case 1. If $T = \top$, then for any $i \in [1 - n]$, $T \wedge T_i = T_i$, so the evaluation of the nested Rules does not change, $[R_i'] = [R_i]$, and then

$$[P'] = [\langle \mathit{Null}, R_1', \ldots, R_n', \theta \rangle] = [\langle \top, R_1', \ldots, R_n', \theta \rangle] \tag{1}$$

An empty Target always matches. Then

$$[P'] = [\langle \top, R_1, \ldots, R_n, \theta \rangle] = [P] \tag{2}$$

Case 2. If $T = I$, then

Case 2.1. If $\exists i \in [1 - n]$, ($T_i = I$ or $T_i = \top$) and ($C_i = \top$ or $C_i = I$), then $T \wedge T_i = I$.

Then

$$[R_i'] = I \tag{3}$$

(because $C_i = \top$ or $C_i = I$). So

$$
\begin{aligned}
[P'] &= [\langle \mathit{Null}, R_1', \ldots, R_n', \theta \rangle] \\
&= [\langle \top, R_1', \ldots, R_n', \theta \rangle] \\
&= \mathit{comAlg}([R_1'], \ldots, [R_n'])
\end{aligned}
\tag{4}
$$

($\mathit{comAlg}$ is the function that evaluates the decisions $[R_1'], \ldots, [R_n']$ according to the combining algorithm used.)

So

$$[P'] = I \tag{5}$$

(at least one Rule evaluated to Indeterminate). On the other hand, $[R_i] = \top$ or $I$, then $[P] = I$ (Target $= I$). So

$$[P'] = [P] \tag{6}$$

Case 2.2. If for any $i \in [1 - n]$, ($T_i = \bot$ or $C_i = \bot$), then for any $i \in [1 - n]$, $[R_i'] = [R_i] = \bot$.

$$[P'] = [\langle \mathit{Null}, R_1', \ldots, R_n', \theta \rangle] = [\langle \top, R_1', \ldots, R_n', \theta \rangle] = \bot \tag{7}$$

And

$$[P] = [\langle I, R_1, \ldots, R_n, \theta \rangle] = \bot = [P'] \tag{8}$$
Table 4: PolicySet truth table.

| Target | Policy or PolicySet | PolicySet |
|---|---|---|
| $\top$ | − | Combining Algo |
| $I$ | $\exists i \in [1 - n],\ P_i = \top$ or $I$ | $I$ |
| $I$ | $\forall i \in [1 - n],\ P_i = \bot$ | $\bot$ |
| $\bot$ | − | $\bot$ |
Case 3. If $T = \bot$, then for any $i \in [1 - n]$, $T \wedge T_i = \bot$. So for any $i \in [1 - n]$, $[R_i'] = \bot$ and $[R_i] = \bot$. Then

$$
\begin{aligned}
[P'] &= [\langle \mathit{Null}, R_1', \ldots, R_n', \theta \rangle] \\
&= [\langle \top, R_1', \ldots, R_n', \theta \rangle] \\
&= \mathit{comAlg}([R_1'], \ldots, [R_n']) = \bot
\end{aligned}
\tag{9}
$$

And

$$[P] = [\langle \bot, R_1, \ldots, R_n, \theta \rangle] = \bot = [P'] \tag{10}$$

The same reasoning applies to a PolicySet composed of a set of policies or PolicySets, with the truth table in Table 4.
4.3. Policy and PolicySet Elements with No Obligation or Advice Elements. Obligation or Advice are operations that must be fulfilled in conjunction with an authorization decision (permit or deny authorization decision). ObligationExpression or AdviceExpression elements may be added optionally in Rule, Policy or PolicySet elements.

Obligation and Advice do not affect the access decision, but they are fulfilled when the access decision is equal to the value specified in the FulfillOn attribute for the Obligation element and the AppliesTo attribute for the Advice element.

So since Obligation and Advice do not affect the access decision, we can nest them into the nested Rule elements. This results in a redundancy in ObligationExpression and AdviceExpression elements, but it will be overcome when mapping to another XACML profile.

4.4. Substitute Nested PolicySet Elements by Their Contents. Generic-XACML is based on XACML but defines a specific tree structure of the elements. It contains a root PolicySet with an empty Target and a nested Policy element that has an empty Target as well and a set of nested Rule elements. In Section 4.2, we have proved that the Target of a Policy/PolicySet can be nested into its composite Rules/Policies/PolicySets without changing the global decision evaluation. In this section, we prove that if a PolicySet is nested into another PolicySet, its Target is empty and its combining algorithm is the same as the container PolicySet, then it can be eliminated and substituted by its contents, as illustrated in Figure 4.
Proof Let 119862119875119878 be the Container PolicySet element and119873119875119878119894with 119894 isin [1 minus 119899] be its Nested PolicySet elements Allof container and nested PolicySet elements have an emptyTarget
Security and Communication Networks 9
Figure 4 Substitute nested PolicySet elements by their contents
$\mathit{comAlg}$ is the function that evaluates a set of decisions according to the combining algorithm used. Then the decision evaluation of the $CPS$ is

$$[CPS] = \mathit{comAlg}([NPS_1], \ldots, [NPS_n]) \tag{11}$$

And

$$[NPS_i] = \mathit{comAlg}([P_{i1}], \ldots, [P_{im_i}]) \quad \text{for any } i \in [1..n] \tag{12}$$

$P_{i1}, \ldots, P_{im_i}$ are the nested policies for the PolicySet $NPS_i$ and $m_i$ is their number.

Let us prove that

$$[CPS] = \mathit{comAlg}([P_{11}], \ldots, [P_{1m_1}], \ldots, [P_{n1}], \ldots, [P_{nm_n}]) \tag{13}$$

We use the multivalued approach presented in [29], where they define for each combining algorithm a lattice $(V_6, \le_{CA})$, where $V_6$ is the set $\{\bot, I_d, I_p, I_{dp}, \top_d, \top_p\}$ and the ordering $\le_{CA}$ is defined according to the combining algorithm specification.

So the combining algorithm function applied to a set $S$ of $V_6$ is the least upper bound, the supremum (sup), of $S$.

Then

$$[CPS] = \sup([NPS_1], \ldots, [NPS_n]) = \sup(\sup([P_{11}], \ldots, [P_{1m_1}]), \ldots, \sup([P_{n1}], \ldots, [P_{nm_n}])) \tag{14}$$

If we have the same combining algorithm (the same ordering) for every $NPS_i$, then

$$\sup(\sup([P_{11}], \ldots, [P_{1m_1}]), \ldots, \sup([P_{n1}], \ldots, [P_{nm_n}])) = \sup([P_{11}], \ldots, [P_{1m_1}], \ldots, [P_{n1}], \ldots, [P_{nm_n}]) \tag{15}$$

Then

$$[CPS] = \sup([P_{11}], \ldots, [P_{1m_1}], \ldots, [P_{n1}], \ldots, [P_{nm_n}]) \tag{16}$$

So if we eliminate all nested PolicySet elements and substitute them by their nested Policy elements, the decision evaluation does not change.
4.5. Merging All Policy Elements into One Policy

Now we prove that all nested Rules can be merged into only one Policy element if all Policy elements have the same combining algorithm. We show that this transformation does not affect the decision evaluation of the container PolicySet.

Proof. Let $CPS$ be the Container PolicySet, $NP_i$ for $i \in [1..n]$ be the nested Policy elements, and $NP$ the resulting nested Policy. All of these elements (the container PolicySet, the nested policies, and the resulting Policy) have an empty Target and the same combining algorithm.

The evaluations of $CPS$, $NP_i$ and $NP$ are

$$[CPS] = \mathit{comAlg}([NP_1], \ldots, [NP_n]) \tag{17}$$

$[NP_i] = \mathit{comAlg}([R_{i1}], \ldots, [R_{im_i}])$ for any $i \in [1..n]$, where $R_{i1}, \ldots, R_{im_i}$ are nested Rules for the Policy $NP_i$.

$$[NP] = \mathit{comAlg}([R_{11}], \ldots, [R_{1m_1}], \ldots, [R_{n1}], \ldots, [R_{nm_n}]) \tag{18}$$

We prove that

$$[CPS] = [NP] \tag{19}$$

If we follow the same reasoning as above, and we suppose we have the same combining algorithm for all policies (the same ordering), we can prove that

$$[CPS] = \sup([NP_1], \ldots, [NP_n]) = \sup(\sup([R_{11}], \ldots, [R_{1m_1}]), \ldots, \sup([R_{n1}], \ldots, [R_{nm_n}])) = \sup([R_{11}], \ldots, [R_{1m_1}], \ldots, [R_{n1}], \ldots, [R_{nm_n}]) = [NP] \tag{20}$$
5. Mapping from Generic-XACML to XACML Profiles

Once we obtain the Generic-XACML policy, we can reform it into the desired XACML profile. This involves encompassing Rules into policies and PolicySets according to the profile specifications. In this section we describe how to map from Generic-XACML to a specific XACML profile. We follow two main steps:

(1) Reproducing a customized policy that conforms to the profile specifications

(2) Optimizing the resulting policy

For both steps, the sorts of transformations we carry out are as follows:

(i) Inserting container Policy or PolicySet elements having an empty Target element and the same combining algorithm as the initial policy

(ii) Moving constraints that are common between the nested elements from their Targets to the Target of the container element

(iii) Moving the ObligationExpression or AdviceExpression elements that are common between the nested elements to the container element

These transformations do not affect the decision evaluation of the global policy, as proved in Section 4.

5.1. Conformance to Specific Profile

For a generic policy to conform to profile specifications, it is transformed and customized by a specific algorithm that depends on the profile and that differs from one profile to another. For illustration purposes we touch on the RBAC and UCON profiles.

5.1.1. Mapping from Generic-XACML to XACML-RBAC Profile

To translate a policy from Generic-XACML into the XACML-RBAC profile, we follow Algorithm 2.

    Input: Generic-XACML document
    Output: XACML-RBAC document
    Create a root PolicySet in XACML-RBAC document with an empty Target
    For i=1 to rulesnumber do
        Parse Target of rule i in Generic-XACML document
        If Target designate the Subject then
            currentValue=value(Subject)
            Append a role PolicySet with Target designating CurrentValue for the Subject
            Insert a Permissions PolicySet with an empty Target
            Insert a policy with an empty Target
            RoleRules[]= rule i
            For j=i+1 to rulesnumber do
                Parse Target of rule j
                If value(Subject)= currentValue then
                    RoleRules[]= rule j
            Alter RoleRules Targets: delete constraint about currentValue
            Insert RoleRules into the policy
    Return XACML-RBAC document

Algorithm 2: Mapping from Generic-XACML to XACML-RBAC profile.
In conformance with the XACML-RBAC profile specifications, the resulting document will contain a root PolicySet element with an empty Target. On the other side, the original document is parsed. Then the Targets of the Rules are browsed. So for each possible value of the Subject, we create a PolicySet element representing a Role and a nested PolicySet element with an empty Target representing the Role permissions. As for the PolicySet representing the Role, the Target will contain a nesting of an AnyOf, an AllOf, and a Match element. The latter designates the current value of the Subject. Then all Rules that contain a Match element that satisfies the current Subject are selected and inserted in a Policy element nested into the PolicySet representing permissions. Before the Rules are inserted, their Targets are altered so as to eliminate the Match element that designates the current value of the Subject.

Rules containing no Match element that designates a Subject are considered as Rules concerning all Subjects. These Rules are then inserted into every PolicySet element representing a role.

Special Case. Algorithm 2 consists of factoring Rules into policies. The factor is a Match element that designates the Subject. This is only possible if Targets are logically expressed as a conjunction of Match elements. If an AnyOf element contains more than one AllOf element, the Target will be evaluated as a conjunction of disjunctions of conjunctions of Match elements, and we cannot factorize by Match element. In this case our algorithm will compare the AnyOf element as a whole rather than comparing only the Match element.
5.1.2. Mapping from Generic-XACML to XACML-UCON Profile

The XACML-UCON profile described in [25] is an implementation of the UCONABC model [30] that fulfills XACML specifications and categorizes policies into 3 types: Authorizations, oBligations, and Conditions. The particularity of UCON is the Continuity of Usage and Mutable Attributes, which are expressed as XACML Obligations within the Policy element. So mapping to the UCON profile consists of categorizing the original Rules into three categories: Authorizations A, oBligations B, and Conditions C. Then each category is divided into two subcategories: pre- (evaluated only once) and ongoing (continuous re-evaluation). So the resulting document will eventually contain six types of Policy: preA, preB, preC, onA, onB, and onC.

    Input: Generic-XACML document
    Output: XACML-UCON document
    create a root PolicySet in XACML-UCON document
    for i=1 to rulesnumber do
        parse Target of rule i in Generic-XACML document
        if exist any element designating Environment attribute then
            if exist obligation specifying the request interval for ongoing control then
                onCRules[]=rule i
            else
                preCRules[]=rule i
        else if exist condition element in rule i then
            if exist obligation specifying the request interval for ongoing control then
                onBRules[]=rule i
            else
                preBRules[]=rule i
        else
            if exist obligation specifying the request interval for ongoing control then
                onARules[]=rule i
            else
                preARules[]=rule i
    if preARules is not empty then
        insert preAPolicy
        insert preARules into preAPolicy
    if onARules is not empty then
        insert onAPolicy
        insert onARules into onAPolicy
    if preBRules is not empty then
        insert preBPolicy
        insert preBRules into preBPolicy
    if onBRules is not empty then
        insert onBPolicy
        insert onBRules into onBPolicy
    if preCRules is not empty then
        insert preCPolicy
        insert preCRules into preCPolicy
    if onCRules is not empty then
        insert onCPolicy
        insert onCRules into onCPolicy
    return XACML-UCON document

Algorithm 3: Mapping from Generic-XACML to XACML-UCON profile.
Algorithm 3 shows how to execute the mapping from Generic-XACML to the XACML-UCON profile. The Rules of the original document are parsed. If a Rule contains at least one element that designates or selects an XACML Environment attribute, it will be considered as a Condition C. If it contains an XACML Condition element, it will be considered as an oBligation B. Otherwise it will be considered as an Authorization A. On the other hand, if the Rule contains an XACML Obligation element with an AttributeAssignment element which specifies the time interval between continuous policy re-evaluations, the Rule is inserted in the resulting document inside an ongoing Policy: onA, onB, or onC. Otherwise it is inserted inside a pre Policy: preA, preB, or preC.
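The classification described above, run over a small XACML 3.0 document with Python's ElementTree. This is an added example, not the authors' implementation: the sample policy is constructed and abbreviated, the interval attribute identifier is a placeholder because the page does not name one, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
ENVIRONMENT = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
# Assumption: the page does not name the attribute that carries the re-evaluation
# interval, so this identifier is a placeholder.
INTERVAL_ATTR = "urn:example:ucon:reevaluation-interval"
ORDER = ("preA", "onA", "preB", "onB", "preC", "onC")

def q(tag):
    return f"{{{NS}}}{tag}"

def classify(rule):
    """Return the UCON Policy type (preA ... onC) for one Rule element.
    Follows the prose (the whole Rule is searched for Environment references);
    the Algorithm 3 listing parses the Rule Target."""
    refs = (el for el in rule.iter()
            if el.tag in (q("AttributeDesignator"), q("AttributeSelector")))
    if any(el.get("Category") == ENVIRONMENT for el in refs):
        kind = "C"            # Environment is tested first, before Condition
    elif rule.find(q("Condition")) is not None:
        kind = "B"
    else:
        kind = "A"
    # In a policy document the obligation is an ObligationExpression element.
    ongoing = any(a.get("AttributeId") == INTERVAL_ATTR
                  for ob in rule.iter(q("ObligationExpression"))
                  for a in ob.iter(q("AttributeAssignmentExpression")))
    return ("on" if ongoing else "pre") + kind

def to_ucon(generic_xml):
    """Algorithm 3: sort the Rules of a Generic-XACML document into up to six Policies."""
    source = ET.fromstring(generic_xml)
    rule_alg = source.find(q("Policy")).get("RuleCombiningAlgId")
    buckets = {}
    for rule in source.iter(q("Rule")):
        buckets.setdefault(classify(rule), []).append(rule)
    root = ET.Element(q("PolicySet"), {
        "PolicySetId": "ucon-root",
        "PolicyCombiningAlgId": source.get("PolicyCombiningAlgId")})
    ET.SubElement(root, q("Target"))
    for name in ORDER:
        if name in buckets:                      # empty categories produce no Policy
            policy = ET.SubElement(root, q("Policy"), {
                "PolicyId": name + "Policy", "RuleCombiningAlgId": rule_alg})
            ET.SubElement(policy, q("Target"))
            policy.extend(buckets[name])
    return root

# Constructed sample (abbreviated: Version, MatchId and DataType attributes omitted).
def _ref(category):
    return f'<AttributeDesignator Category="{category}" AttributeId="urn:example:attr"/>'

def _target(category):
    return f"<Target><AnyOf><AllOf><Match>{_ref(category)}</Match></AllOf></AnyOf></Target>"

def _cond(category):
    return f"<Condition><Apply>{_ref(category)}</Apply></Condition>"

_ONGOING = ('<ObligationExpressions><ObligationExpression ObligationId="urn:example:recheck" '
            f'FulfillOn="Permit"><AttributeAssignmentExpression AttributeId="{INTERVAL_ATTR}"/>'
            "</ObligationExpression></ObligationExpressions>")

SAMPLE = (
    f'<PolicySet xmlns="{NS}" PolicySetId="generic" '
    'PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">'
    '<Target/><Policy PolicyId="generic-policy" '
    'RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">'
    "<Target/>"
    f'<Rule RuleId="r1" Effect="Permit">{_target(SUBJECT)}</Rule>'
    f'<Rule RuleId="r2" Effect="Permit">{_target(SUBJECT)}{_ONGOING}</Rule>'
    f'<Rule RuleId="r3" Effect="Permit">{_target(SUBJECT)}{_cond(SUBJECT)}</Rule>'
    f'<Rule RuleId="r4" Effect="Deny">{_target(SUBJECT)}{_cond(ENVIRONMENT)}</Rule>'
    f'<Rule RuleId="r5" Effect="Permit">{_target(ENVIRONMENT)}{_ONGOING}</Rule>'
    "</Policy></PolicySet>"
)

def layout(root):
    """Map each generated PolicyId to the RuleIds it contains, in document order."""
    return {p.get("PolicyId"): [r.get("RuleId") for r in p.iter(q("Rule"))]
            for p in root.iter(q("Policy"))}

if __name__ == "__main__":
    print(layout(to_ucon(SAMPLE)))
```

Rule r4 has a Condition element, but because that Condition reads an Environment attribute it lands in preC rather than preB, which is the precedence the text gives.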
5.2. Optimizing Policies

When mapping from Generic-XACML to any XACML profile, the resulting policy could have redundancies in Target, Advice, or Obligation elements, or a large number of Rules in one Policy element, which makes it costly for the Policy Decision Point in terms of execution time. In this subsection we propose an algorithm to optimize the resulting policies.

This algorithm (Algorithm 4) consists of regrouping Rules into policies based on common values of attributes in the Target element. Therefore the algorithm iterates over attribute categories. The attribute categories and their order are selected based on the model (e.g., we follow the order Resource, Action, then Environment for the RBAC model). So for each attribute category and for each Policy element, Rules are parsed. Then if the Rule Target designates the current attribute category, its value is compared with the attribute category value of other Rules. Thus Rules with equal attribute category values are combined into a sibling Policy (a new Policy having the same parent as the current Policy). Its Target will contain a nesting of an AnyOf, an AllOf, and a Match element. The latter designates the current value of the current category of attribute.

    Input: XACML document
    Forall attribute categories do
        Forall Policy elements do
            evaluate rulesnumber of current policy
            If rulesnumber ≥ 2 then    (policy with one rule does not need optimization)
                For i=1 to rulesnumber do
                    parse Target of rule i
                    If Target designates current attribute category then
                        CurrentValue=value(attribute category)
                        combinedRules[]= rule i
                        For j=i+1 to rulesnumber do
                            parse Target of rule j
                            If value(attribute category)= CurrentValue then
                                combinedRules[]= rule j
                        If length(combinedRules) ≥ 2 then
                            If length(combinedRules) = rulesnumber then
                                alter Target of current Policy element
                                alter combinedRules Targets
                            Else
                                create sibling policy with Target designating CurrentValue for attr category
                                alter combinedRules Targets
                                move combinedRules to the new sibling policy

Algorithm 4: Optimizing policies.
If a resulting document contains a large number of Policy elements, this algorithm can be extended to combine Policy elements into PolicySet elements with the same instructions.

Other constraints can be added to the algorithm depending on the profile specifications (e.g., the Target of a PolicySet representing a role in the RBAC profile designates only Subject attributes).

Special Case. Similarly to Algorithm 2, if an AnyOf element contains more than one AllOf element, the algorithm will compare the AnyOf element as a whole rather than comparing only the Match element.

As for obligations and advice, if all Rules within a Policy element have the same ObligationExpression or the same AdviceExpression element, then this expression is moved to the parent Policy.
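The factoring step shared by Algorithm 2 (Section 5.1.1) and Algorithm 4 (this section), including the special case of an AnyOf with several AllOf elements, as an added Python example that is not the authors' code. It assumes a simplified model (Targets as nested tuples of category/value Match objects, deny-overrides only, no Indeterminate); the sample Rules are constructed and all names are hypothetical.

```python
from dataclasses import dataclass, replace

SUBJECT, RESOURCE, ACTION = "subject", "resource", "action"  # simplified category names

@dataclass(frozen=True)
class Match:
    category: str
    value: str

@dataclass(frozen=True)
class Rule:
    rule_id: str
    effect: str
    target: tuple = ()   # AND of AnyOf; AnyOf = OR of AllOf; AllOf = AND of Match

def one(category, value):
    """An AnyOf holding a single AllOf with a single Match."""
    return ((Match(category, value),),)

def matches(target, request):
    return all(any(all(m in request for m in all_of) for all_of in any_of)
               for any_of in target)

def deny_overrides(decisions):
    for d in ("Deny", "Permit"):
        if d in decisions:
            return d
    return "NotApplicable"

def evaluate(node, request):
    """Evaluate a container {'target', 'children'} or a Policy {'target', 'rules'}."""
    if not matches(node["target"], request):
        return "NotApplicable"
    if "rules" in node:
        return deny_overrides([r.effect for r in node["rules"] if matches(r.target, request)])
    return deny_overrides([evaluate(c, request) for c in node["children"]])

def factor(rules, category):
    """Group Rules by the AnyOf that designates `category`, compared as a whole
    (which also covers the special case of several AllOf), and strip that AnyOf
    from the grouped Rules."""
    groups, unconstrained = {}, []
    for rule in rules:
        for k, any_of in enumerate(rule.target):
            if any(m.category == category for all_of in any_of for m in all_of):
                rest = rule.target[:k] + rule.target[k + 1:]
                groups.setdefault(any_of, []).append(replace(rule, target=rest))
                break
        else:
            unconstrained.append(rule)
    return groups, unconstrained

def to_rbac(rules):
    """Algorithm 2: role PolicySet -> permissions PolicySet -> Policy, per Subject value.
    Rules with no Subject constraint are copied into every role."""
    groups, everyone = factor(rules, SUBJECT)
    roles = [{"target": (key,), "children": [
                 {"target": (), "children": [{"target": (), "rules": rs + everyone}]}]}
             for key, rs in groups.items()]
    return {"target": (), "children": roles}

def optimize(rules, category):
    """Algorithm 4 for one Policy with an empty Target and one attribute category."""
    groups, stay = factor(rules, category)
    by_id = {r.rule_id: r for r in rules}
    siblings = []
    for key, rs in groups.items():
        if len(rs) >= 2:     # the shared value moves into a Policy Target
            siblings.append({"target": (key,), "rules": rs})
        else:                # a lone Rule keeps its full Target and stays put
            stay = stay + [by_id[rs[0].rule_id]]
    current = [{"target": (), "rules": stay}] if stay else []
    return {"target": (), "children": current + siblings}

# Constructed sample policy (Generic-XACML Rules in the simplified model).
RULES = [
    Rule("r1", "Permit", (one(SUBJECT, "doctor"), one(RESOURCE, "record"), one(ACTION, "read"))),
    Rule("r2", "Permit", (one(SUBJECT, "doctor"), one(RESOURCE, "record"), one(ACTION, "write"))),
    Rule("r3", "Permit", (one(SUBJECT, "nurse"), one(RESOURCE, "record"), one(ACTION, "read"))),
    Rule("r4", "Deny", (one(SUBJECT, "nurse"), one(RESOURCE, "record"), one(ACTION, "write"))),
    Rule("r5", "Permit", (one(RESOURCE, "notice"), one(ACTION, "read"))),
    # special case: one AnyOf with two AllOf (doctor OR nurse)
    Rule("r6", "Permit", (((Match(SUBJECT, "doctor"),), (Match(SUBJECT, "nurse"),)),
                          one(RESOURCE, "schedule"))),
]

def request(subject, resource, action):
    return {Match(SUBJECT, subject), Match(RESOURCE, resource), Match(ACTION, action)}
```

In this model a request whose Subject matches no role PolicySet evaluates to NotApplicable under the RBAC document, even where a Rule without a Subject constraint (r5) applied in the generic policy; `optimize` has no such gap because ungrouped Rules stay in the current Policy.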
6. Conclusion and Future Research

In this paper we propose Access Control in Cross-Organizational coLLABoration (ACCOLLAB), which tackles the problem of heterogeneity of access control models across organizations while respecting the internal access control model of each organization involved in a collaboration.

This solution is based on a mechanism for automatically mapping between policies in different models. We considered the previously proposed ontology-based semantic mapping process to deal with semantic correspondences and focus on syntactic transformations of the heterogeneous policies to propose a complete solution.

This automatic mapping is based on XACML profiles and the generic language Generic-XACML we have defined. Thus we have given a logic proof for all of the mapping steps.

Thus our generic access control model ACCOLLAB solves the heterogeneity problem, ensures interoperability across organizations, and maintains the privacy of each collaborating organization.

We are working to implement our mapping algorithms using the XACML implementation Balana; then we are going to complete the implementation of the policy mapping architecture based on WSO2 servers.

Besides that, we intend to extend XACML in order to find equivalence between combining algorithms, to make our proposed mechanism cover heterogeneous combining algorithms.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.
References
[1] R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman, "Role-based access control models," The Computer Journal, vol. 29, no. 2, pp. 38–47, 1996.
[2] R. K. Thomas and R. S. Sandhu, "Task-based authorization controls (TBAC): a family of models for active and enterprise-oriented authorization management," in Database Security XI, IFIP Advances in Information and Communication Technology, pp. 166–181, Springer US, Boston, MA, 1998.
[3] E. Yuan and J. Tong, "Attributed based access control (ABAC) for web services," in Proceedings of the IEEE International Conference on Web Services (ICWS'05), pp. 561–569, IEEE, July 2005.
[4] A. A. E. Kalam, R. E. Baida, P. Balbiani et al., "Organization based access control," in Proceedings of the 4th IEEE International Workshop on Policies for Distributed Systems and Networks, pp. 120–131, 2003.
[5] A. Kalam and Y. El, "Multi-OrBAC: a New Access Control Model for Distributed, Heterogeneous and Collaborative Systems," in Proceedings of the 8th IEEE International Symposium on Systems and Information Security, p. 1, 2006.
[6] A. Kamoun and S. Tazi, "A semantic role-based access control for intra and inter-organization collaboration," in Proceedings of the 23rd IEEE International WETICE Conference, WETICE 2014, pp. 86–91, Italy, June 2014.
[7] W. Zhou and C. Meinel, "Team and task based RBAC access control model," in Proceedings of the 2007 Latin American Network Operations and Management Symposium - LANOMS 2007, pp. 84–94, Brazil, September 2007.
[8] J. Li, J. Zic, N. Oakes, D. Liu, and C. Wang, "Design and evaluation of an integrated collaboration platform for secure information sharing," in Cooperative Design, Visualization, and Engineering, vol. 9929 of Lecture Notes in Computer Science, pp. 185–193, Springer International Publishing, Cham, 2016.
[9] F. Liang, H. Guo, S. Yi, and S. Ma, "A multiple-policy supported attribute-based access control architecture within large-scale device collaboration systems," Journal of Networks, vol. 7, no. 3, pp. 524–531, 2012.
[10] S. Sicari, A. Rizzardi, D. Miorandi, and A. Coen-Porisini, "Dynamic policies in internet of things: enforcement and synchronization," IEEE Internet of Things Journal, vol. 4, no. 6, pp. 2228–2238, 2017.
[11] A. Almutairi, M. Sarfraz, S. Basalamah, W. Aref, and A. Ghafoor, "A distributed access control architecture for cloud computing," IEEE Software, vol. 29, no. 2, pp. 36–44, 2012.
[12] H. Xiang, X. Xia, H. Hu, J. Sang, and C. Ye, "Approaches to access control policy comparison and the inter-domain role mapping problem," Information Technology and Control, vol. 45, no. 3, pp. 278–288, 2016.
[13] Z. Wu and L. Wang, "An innovative simulation environment for cross-domain policy enforcement," Simulation Modelling Practice and Theory, vol. 19, no. 7, pp. 1558–1583, 2011.
[14] Z.-W. Wang, "A generic access control model based on ontology," in Proceedings of the 2010 IEEE International Conference on Wireless Communications, Networking and Information Security, WCNIS 2010, pp. 335–339, China, June 2010.
[15] S. Haguouche and Z. Jarir, "Managing heterogeneous access control models cross-organization," in Proceedings of the International Conference on Risks and Security of Internet and Systems, pp. 222–229, 2015.
[16] S. Haguouche and Z. Jarir, "Generic access control model and semantic mapping between heterogeneous policies," International Journal of Technology Diffusion (IJTD), vol. 9, no. 4, pp. 52–65, 2018.
[17] S. Haguouche and Z. Jarir, "Toward a generic access control model," in Proceedings of the 3rd IEEE World Conference on Complex Systems, WCCS 2015, pp. 1–6, IEEE, Morocco, November 2015.
[18] R. Xu, Y. Chen, E. Blasch, and G. Chen, "A federated capability-based access control mechanism for Internet of Things (IoTs)," in Proceedings of the Sensors and Systems for Space Applications XI, International Society for Optics and Photonics, 2018.
[19] L. Duan, Y. Zhang, S. Chen et al., "Automated policy combination for secure data sharing in cross-organizational collaborations," IEEE Access, vol. 4, pp. 3454–3468, 2016.
[20] G. Geethakumari, A. Negi, and V. N. Sastry, "A cross-domain role mapping and authorization framework for RBAC in grid systems," International Journal of Computer Science and Application, vol. 6, no. 1, pp. 1–12, 2009.
[21] D. Preuveneers, W. Joosen, and E. Ilie-Zudor, "Policy reconciliation for access control in dynamic cross-enterprise collaborations," Enterprise Information Systems, vol. 12, no. 3, pp. 279–299, 2018.
[22] C. Esposito, "Interoperable, dynamic and privacy-preserving access control for cloud data storage when integrating heterogeneous organizations," Journal of Network and Computer Applications, vol. 108, pp. 124–136, 2018.
[23] OASIS XACML Technical Committee, "eXtensible Access Control Markup Language (XACML) Version 3.0," http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html, accessed July 2018.
[24] OASIS XACML Technical Committee, "XACML v3.0 core and hierarchical Role Based Access Control (RBAC) profile version 1.0 (committee specification 02)," http://docs.oasis-open.org/xacml/3.0/rbac/v1.0/xacml-3.0-rbac-v1.0.html, accessed July 2018.
[25] Y. Ghazi, R. Masood, M. A. Shibli, and S. Khurshid, "Usage-based access control for cloud applications," in Innovative Solutions for Access Control Management, pp. 197–223, 2016.
[26] G. Karjoth, A. Schade, and E. Van Herreweghen, "Implementing ACL-based policies in XACML," in Proceedings of the 24th Annual Computer Security Applications Conference, ACSAC 2008, pp. 183–192, USA, December 2008.
[27] M. Xu, D. Wijesekera, and X. Zhang, "Towards session-aware RBAC administration and enforcement with XACML," in Proceedings of the 2009 IEEE International Symposium on Policies for Distributed Systems and Networks, 2009.
[28] X. Jin, R. Krishnan, and R. Sandhu, "A unified attribute-based access control model covering DAC, MAC and RBAC," Lecture Notes in Computer Science, vol. 7371, pp. 41–55, 2012.
[29] C. D. P. K. Ramli, H. R. Nielson, and F. Nielson, "The logic of XACML," Science of Computer Programming, vol. 83, pp. 80–105, 2014.
[30] J. Park and R. Sandhu, "The UCONABC usage control model," ACM Transactions on Information and System Security, vol. 7, no. 1, pp. 128–174, 2004.
4. Mapping from XACML Profiles to the Generic-XACML

In this section we show that any policy written in an XACML profile can be mapped into our generic language. We explain how to proceed in order to map to Generic-XACML without altering the logic of the policy and its decision evaluation. The following are the steps of transformation of the original policy written in an XACML profile.

Step 1. Unifying the combining algorithms (in our study we focus on the case where we have the same combining algorithm in all Policy and PolicySet elements).

Step 2. Nesting the Target of the Policy and PolicySet elements into their composite Rule elements and combining them with the Rule Target, so that we obtain all Policy and PolicySet elements with an empty Target.

Step 3. Nesting all ObligationExpression and AdviceExpression elements of the Policy and PolicySet elements into their composite Rule elements by inserting them into the ObligationExpressions element or into the AdviceExpressions element of the Rule.

Step 4. If a PolicySet is nested into another PolicySet, its Target is empty, and its combining algorithm is the same as the container PolicySet, then it will be eliminated and substituted by its content.

Step 5. In order to obtain only one Policy element, we substitute all Policy elements by one Policy element that contains the content of all nested Rules together (they must have the same combining algorithm and an empty Target).

These steps can be carried out through Algorithm 1, which allows mapping from any XACML document to a Generic-XACML document. In the next subsections we prove that these transformations do not affect the decision evaluation of the policy.

    Input: XACML profile document
    Output: Generic-XACML document
    Require: unified combining algorithm
    Create PolicySet element with empty Target
    Create Policy element with empty Target
    Parse the XACML document
    forall PolicySet element do
        forall Policy element do
            forall Rule element do
                Combine Rule Target with current policy and PolicySet Targets
                Combine Rule obligationExpressions with current policy and PolicySet obligationExpressions
                Combine Rule AdviceExpressions with current policy and PolicySet Targets AdviceExpressions
                Insert current Rule in the Generic-XACML document
    Return Generic-XACML document

Algorithm 1: Mapping from one XACML profile to Generic-XACML.
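Steps 1, 2, 4 and 5 and the claim that they leave the decision unchanged (Sections 4.2, 4.4 and 4.5) can be checked exhaustively on a small model. The following Python is an added example, not code from the paper: it assumes the single-Indeterminate truth tables (Tables 2 to 4), treats each combining algorithm as a maximum over a four-value order (a simplification of the lattice in [29]), and all names in it are hypothetical.

```python
from dataclasses import dataclass, field
from itertools import product

# Modelling assumptions (not from the paper's text): Target and Condition results are
# abstract three-valued outcomes, and there is a single Indeterminate decision.
MATCH, NOMATCH, INDET = "match", "nomatch", "indet"
PERMIT, DENY, NA, IND = "Permit", "Deny", "NotApplicable", "Indeterminate"

# Each combining algorithm is the maximum over a total order, weakest decision first.
ORDER = {
    "deny-overrides": [NA, PERMIT, IND, DENY],
    "permit-overrides": [NA, DENY, IND, PERMIT],
}

def combine(alg, decisions):
    return max(decisions, key=ORDER[alg].index, default=NA)

def conj(t, u):
    """T AND T_i: NoMatch dominates, then Indeterminate (fourth column of Table 2)."""
    if NOMATCH in (t, u):
        return NOMATCH
    return INDET if INDET in (t, u) else MATCH

@dataclass
class Rule:
    effect: str
    target: str = MATCH
    cond: str = MATCH        # MATCH = true, NOMATCH = false, INDET = evaluation error

@dataclass
class Node:                  # a Policy (children are Rules) or a PolicySet
    alg: str
    target: str = MATCH      # MATCH also stands for an empty Target
    children: list = field(default_factory=list)

def evaluate(x):
    if isinstance(x, Rule):                          # Table 2
        if NOMATCH in (x.target, x.cond):
            return NA
        return IND if INDET in (x.target, x.cond) else x.effect
    if x.target == NOMATCH:                          # Tables 3 and 4
        return NA
    results = [evaluate(c) for c in x.children]
    if x.target == INDET:
        return IND if any(r != NA for r in results) else NA
    return combine(x.alg, results)

def flatten(node, strict=True, inherited=MATCH, root_alg=None):
    """Algorithm 1 in this model: conjoin every ancestor Target into each Rule (Step 2)
    and gather all Rules under one Policy with an empty Target (Steps 4 and 5)."""
    root_alg = root_alg or node.alg
    if strict and node.alg != root_alg:
        raise ValueError("combining algorithms differ: unify them first (Step 1)")
    target = conj(inherited, node.target)
    rules = []
    for child in node.children:
        if isinstance(child, Rule):
            rules.append(Rule(child.effect, conj(target, child.target), child.cond))
        else:
            rules.extend(flatten(child, strict, target, root_alg).children)
    return Node(root_alg, MATCH, rules)

def count_mismatches(alg):
    """Compare a nested policy tree with its flattened form over every combination
    of Target and Condition outcomes; 0 means the decisions always agree."""
    vals = (MATCH, NOMATCH, INDET)
    rule_cfgs = list(product((PERMIT, DENY), vals, vals))
    deep_cfgs = list(product((PERMIT, DENY), vals, (MATCH,)))
    bad = 0
    for t0, t1, t2 in product(vals, repeat=3):
        for a, b, c in product(rule_cfgs, rule_cfgs, deep_cfgs):
            tree = Node(alg, t0, [
                Node(alg, t1, [Rule(*a), Rule(*b)]),
                Node(alg, t2, [Node(alg, MATCH, [Rule(*c)])]),
            ])
            bad += evaluate(tree) != evaluate(flatten(tree))
    return bad

def mixed_algorithm_decisions():
    """Step 1 as a precondition: a nested deny-overrides Policy flattened into a
    permit-overrides root (strict check disabled) yields a different decision."""
    tree = Node("permit-overrides", MATCH, [
        Node("deny-overrides", MATCH, [Rule(PERMIT), Rule(DENY)]),
    ])
    return evaluate(tree), evaluate(flatten(tree, strict=False))

if __name__ == "__main__":
    print(count_mismatches("deny-overrides"), count_mismatches("permit-overrides"))
    print(mixed_algorithm_decisions())   # original decision, flattened decision
```

Step 3 (Obligation and Advice) is not modelled because it does not affect the decision. The mixed-algorithm case is why `flatten` refuses by default to merge a node whose combining algorithm differs from the root's.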
Table 2: Rules truth table.

| $T$ | $T_i$ | $C_i$ | $T \wedge T_i$ | $R_i$ | $R_i'$ |
|---|---|---|---|---|---|
| $\top$ | - | - | $T_i$ | - | $R_i$ |
| $I$ | $\top$ or $I$ | $\top$ or $I$ | $I$ | $\top$ or $I$ | $I$ |
| $I$ | $\bot$ | - | $\bot$ | $\bot$ | $\bot$ |
| $I$ | - | $\bot$ | - | $\bot$ | $\bot$ |
| $\bot$ | - | - | $\bot$ | $\bot$ | $\bot$ |
4.1. Unifying the Combining Algorithms

To carry out the above transformations without affecting the global decision evaluation, we should have the same combining algorithm in the transformed elements. However, to come up with equivalence between combining algorithms, we need to extend XACML by proposing other elements. To avoid encumbering this paper, we suppose we have the same combining algorithm in all Policy and PolicySet elements.

4.2. Policy and PolicySet Elements with an Empty Target

We prove that a Target of a Policy/PolicySet element can be nested into their composite Rule/Policy/PolicySet elements without changing the global decision evaluation, so that by repeating this transformation we obtain an empty Target for any Policy or PolicySet element.

Proof. Let $P = \langle T, R_1, \ldots, R_n, \theta \rangle$ be a representation of a Policy, where $T$ is the Policy Target, $R_i = \langle \mathit{Effect}, T_i, C_i \rangle$ for $i \in [1..n]$ are $n$ nested Rules with $T_i$ the Rule Target and $C_i$ the condition for the Rule $i$, and $\theta$ is the combining algorithm.

And let $P' = \langle \mathit{Null}, R_1', \ldots, R_n', \theta \rangle$ be the transformed Policy, where the Target is empty and $R_i' = \langle \mathit{Effect}, T \wedge T_i, C_i \rangle$ for any $i \in [1..n]$ are nested Rules, with $T \wedge T_i$ the conjunction of $T$ and $T_i$.

We rely on the truth tables (Tables 2 and 3) [23] to prove that the evaluation of the Policy $P$ is the same as that of $P'$: $[P] = [P']$ (we use the notation $[\,]$ to express the evaluation of a Rule, Policy, or PolicySet).
Table 3: Policy truth table.

| Target | Rules | Policy |
|---|---|---|
| $\top$ | - | Combining Algo |
| $I$ | $\exists i \in [1..n]$, $R_i = \top$ or $I$ | $I$ |
| $I$ | $\forall i \in [1..n]$, $R_i = \bot$ | $\bot$ |
| $\bot$ | - | $\bot$ |
Case 1. If $T = \top$, then for any $i \in [1..n]$, $T \wedge T_i = T_i$, so the evaluation of the nested Rules does not change, $[R_i'] = [R_i]$, and then

$$[P'] = [\langle \mathit{Null}, R_1', \ldots, R_n', \theta \rangle] = [\langle \top, R_1', \ldots, R_n', \theta \rangle] \tag{1}$$

An empty Target always matches. Then

$$[P'] = [\langle \top, R_1, \ldots, R_n, \theta \rangle] = [P] \tag{2}$$

Case 2. If $T = I$, then:

Case 2.1. If $\exists i \in [1..n]$, ($T_i = I$ or $T_i = \top$) and ($C_i = \top$ or $C_i = I$), then $T \wedge T_i = I$.

Then

$$[R_i'] = I \tag{3}$$

(because $C_i = \top$ or $C_i = I$). So

$$[P'] = [\langle \mathit{Null}, R_1', \ldots, R_n', \theta \rangle] = [\langle \top, R_1', \ldots, R_n', \theta \rangle] = \mathit{comAlg}([R_1'], \ldots, [R_n']) \tag{4}$$

($\mathit{comAlg}$ is the function that evaluates the decisions of $[R_1'], \ldots, [R_n']$ according to the combining algorithm used.)

So

$$[P'] = I \tag{5}$$

(at least one Rule evaluated to Indeterminate). On the other hand, $[R_i] = \top$ or $I$, then $[P] = I$ (Target $= I$). So

$$[P'] = [P] \tag{6}$$

Case 2.2. If for any $i \in [1..n]$, ($T_i = \bot$ or $C_i = \bot$), then for any $i \in [1..n]$, $[R_i'] = [R_i] = \bot$.

$$[P'] = [\langle \mathit{Null}, R_1', \ldots, R_n', \theta \rangle] = [\langle \top, R_1', \ldots, R_n', \theta \rangle] = \bot \tag{7}$$

And

$$[P] = [\langle I, R_1, \ldots, R_n, \theta \rangle] = \bot = [P'] \tag{8}$$
Table 4: PolicySet truth table.

| Target | Policy or PolicySet | PolicySet |
|---|---|---|
| $\top$ | - | Combining Algo |
| $I$ | $\exists i \in [1..n]$, $P_i = \top$ or $I$ | $I$ |
| $I$ | $\forall i \in [1..n]$, $P_i = \bot$ | $\bot$ |
| $\bot$ | - | $\bot$ |
Case 3 If 119879 =perp then for any 119894 isin [1 minus 119899] 119879 and 119879119894 =perpSo for any 119894 isin [1 minus 119899] [1198771198941015840] =perp and [119877119894] =perpThen
[1198751015840] = [⟨119873119906119897119897 11987711015840 1198771198991015840 120579⟩]
= [⟨⊤ 11987711015840 1198771198991015840 120579⟩]
= 119888119900119898119860119897119892 ([11987711015840] [1198771198991015840]) =perp
(9)
And
[119875] = [⟨perp 1198771 119877119899 120579⟩] =perp= [1198751015840] (10)
The same reasoning for a PolicySet composed by a set ofpolicies or PolicySets with the truth Table 4
43 Policy and PolicySet Elements with No Obligation orAdvice Elements Obligation or Advice are operations thatmust be fulfilled in conjunction with an authorization deci-sion (permit or deny authorization decision) Obligation-Expression or AdviceExpression elements may be addedoptionally in a Rule Policy or PolicySet elements
Obligation and Advice do not affect the access decisionbut they are fulfilled when the access decision is equal tothe value specified in the FulfillOn attribute for Obligationelement and AppliesTo attribute for Advice element
So since Obligation and Advice do not affect the accessdecision we can imbricate them into the nested Rule ele-ments This results a redundancy in ObligationExpressionand AdviceExpression elements but it will be overcome whenmapping to another XACML profile
44 Substitute Nested PolicySet Elements by Their ContentsGeneric-XACML is based on XACML but defines a specificarborescence of the elements It contains a root PolicySet withan empty Target and a nested Policy element that has anempty Target as well and a set of nested Rule elements InSection 42 we have proved that a Target of a PolicyPolicySetcan be nested to their composite RulesPoliciesPolicySetswithout changing the global decision evaluation In thissection we prove that if a PolicySet is nested into anotherPolicySet its Target is empty and its combining algorithm isthe same as the container PolicySet then it can be eliminatedand substituted by its contents as illustrated in Figure 4
Proof Let 119862119875119878 be the Container PolicySet element and119873119875119878119894with 119894 isin [1 minus 119899] be its Nested PolicySet elements Allof container and nested PolicySet elements have an emptyTarget
Security and Communication Networks 9
Figure 4 Substitute nested PolicySet elements by their contents
$comAlg$ is the function that evaluates a set of decisions according to the combining algorithm used. Then the decision evaluation of the $CPS$ is

$$[CPS] = comAlg([NPS_1], \ldots, [NPS_n]) \quad (11)$$

And

$$[NPS_i] = comAlg([P_{i1}], \ldots, [P_{im_i}]) \quad \text{for any } i \in [1 - n] \quad (12)$$

$P_{i1}, \ldots, P_{im_i}$ are nested policies for the PolicySet $NPS_i$, and $m_i$ is their number.

Let us prove that

$$[CPS] = comAlg([P_{11}], \ldots, [P_{1m_1}], \ldots, [P_{n1}], \ldots, [P_{nm_n}]) \quad (13)$$

We use the multivalued approach presented in [29], where they define, for each combining algorithm, a lattice $(V_6, \le_{CA})$, where $V_6$ is the set $\{\bot, I_d, I_p, I_{dp}, \top_d, \top_p\}$ and the ordering $\le_{CA}$ is defined according to the combining algorithm specification.

So the combining algorithm function applied to a set $S$ of $V_6$ is the least upper bound, the supremum ($sup$), of $S$.

Then

$$[CPS] = sup([NPS_1], \ldots, [NPS_n]) = sup(sup([P_{11}], \ldots, [P_{1m_1}]), \ldots, sup([P_{n1}], \ldots, [P_{nm_n}])) \quad (14)$$

If we have the same combining algorithm (the same ordering) for every $NPS_i$, then

$$sup(sup([P_{11}], \ldots, [P_{1m_1}]), \ldots, sup([P_{n1}], \ldots, [P_{nm_n}])) = sup([P_{11}], \ldots, [P_{1m_1}], \ldots, [P_{n1}], \ldots, [P_{nm_n}]) \quad (15)$$

Then

$$[CPS] = sup([P_{11}], \ldots, [P_{1m_1}], \ldots, [P_{n1}], \ldots, [P_{nm_n}]) \quad (16)$$

So, if we eliminate all nested PolicySet elements and substitute them by their nested Policy elements, the decision evaluation does not change.
4.5. Merging All Policy Elements into One Policy. Now we prove that all nested Rules can be merged into only one Policy element if all Policy elements have the same combining algorithm. We show that this transformation does not affect the decision evaluation of the container PolicySet.

Proof. Let $CPS$ be the Container PolicySet, $NP_i$ for $i \in [1 - n]$ be the nested Policy elements, and $NP$ the resulting nested Policy. All of these elements (container PolicySet, the nested policies, and the resulting Policy) have an empty Target and the same combining algorithm.

The evaluations of $CPS$, $NP_i$, and $NP$ are

$$[CPS] = comAlg([NP_1], \ldots, [NP_n]) \quad (17)$$

$[NP_i] = comAlg([R_{i1}], \ldots, [R_{im_i}])$ for any $i \in [1 - n]$, where $R_{i1}, \ldots, R_{im_i}$ are nested Rules for the Policy $NP_i$.

$$[NP] = comAlg([R_{11}], \ldots, [R_{1m_1}], \ldots, [R_{n1}], \ldots, [R_{nm_n}]) \quad (18)$$

We prove that

$$[CPS] = [NP] \quad (19)$$

If we follow the same reasoning as above, and we suppose we have the same combining algorithm for all policies (the same ordering), we can prove that

$$[CPS] = sup([NP_1], \ldots, [NP_n]) = sup(sup([R_{11}], \ldots, [R_{1m_1}]), \ldots, sup([R_{n1}], \ldots, [R_{nm_n}])) = sup([R_{11}], \ldots, [R_{1m_1}], \ldots, [R_{n1}], \ldots, [R_{nm_n}]) = [NP] \quad (20)$$
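The flattening argument of Sections 4.4 and 4.5 can be checked mechanically. The following Python sketch is an added example, not code from the paper: it implements deny-overrides and permit-overrides over the six values of $V_6$ as the XACML 3.0 core specification [23] defines them, compares nested and flattened containers exhaustively, and shows that the equality fails once the nested and container algorithms differ. The tuple representation of a container and all function names are assumptions of this example.

```python
from itertools import product

NA, ID, IP, IDP = "NotApplicable", "Indeterminate{D}", "Indeterminate{P}", "Indeterminate{DP}"
DENY, PERMIT = "Deny", "Permit"
V6 = (NA, ID, IP, IDP, DENY, PERMIT)


def deny_overrides(decisions):
    s = set(decisions)
    if DENY in s:
        return DENY
    if IDP in s or (ID in s and (IP in s or PERMIT in s)):
        return IDP
    if ID in s:
        return ID
    if PERMIT in s:
        return PERMIT
    if IP in s:
        return IP
    return NA


def permit_overrides(decisions):
    s = set(decisions)
    if PERMIT in s:
        return PERMIT
    if IDP in s or (IP in s and (ID in s or DENY in s)):
        return IDP
    if IP in s:
        return IP
    if DENY in s:
        return DENY
    if ID in s:
        return ID
    return NA


# A leaf is the decision of an already evaluated Policy or Rule.
# A container is (combining_algorithm, [children]); every Target is empty, as in the proofs.
def evaluate(node):
    if isinstance(node, str):
        return node
    algorithm, children = node
    return algorithm([evaluate(child) for child in children])


def flatten(node):
    """Substitute every nested container by its contents, keeping the root's algorithm."""
    algorithm, children = node
    leaves = []

    def collect(n):
        if isinstance(n, str):
            leaves.append(n)
        else:
            for child in n[1]:
                collect(child)

    for child in children:
        collect(child)
    return (algorithm, leaves)


def first_mismatch(outer, inner, max_len=2):
    """Return a two-container tree whose decision changes when flattened, or None."""
    groups = [list(g) for k in range(max_len + 1) for g in product(V6, repeat=k)]
    for a, b in product(groups, repeat=2):
        tree = (outer, [(inner, a), (inner, b)])
        if evaluate(tree) != evaluate(flatten(tree)):
            return tree
    return None


if __name__ == "__main__":
    print("same algorithm:", first_mismatch(deny_overrides, deny_overrides))
    # Nested permit-overrides inside deny-overrides: Permit becomes Deny once flattened.
    tree = (deny_overrides, [(permit_overrides, [PERMIT, DENY])])
    print("nested:", evaluate(tree), "flattened:", evaluate(flatten(tree)))
```

A policy mapper can run the same comparison as a guard before eliminating a nested PolicySet or merging Policy elements, and keep the nesting whenever the algorithm identifiers differ.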
5. Mapping from Generic-XACML to XACML Profiles

Once we obtain the Generic-XACML policy, we can reform it into the desirable XACML profile. This involves encompassing Rules into policies and PolicySets according to the profile specifications. In this section, we describe how to map from Generic-XACML to a specific XACML profile. We follow two main steps:

(1) Reproducing a customized policy that conforms to the profile specifications
(2) Optimizing the resulting policy

For both steps, the sorts of transformations we carry out are as follows:

(i) Inserting container Policy or PolicySet elements having an empty Target element and the same combining algorithm as the initial policy
(ii) Moving constraints that are common between the nested elements from their Targets to the Target of the container element
(iii) Moving the ObligationExpression or AdviceExpression elements that are common between the nested elements to the container element

These transformations do not affect the decision evaluation of the global policy, as proved in Section 4.

Input: Generic-XACML document
Output: XACML-RBAC document
Create a root PolicySet in XACML-RBAC document with an empty Target
For i=1 to rulesnumber do
    Parse Target of rule i in Generic-XACML document
    If Target designate the Subject then
        currentValue=value(Subject)
        Append a role PolicySet with Target designating CurrentValue for the Subject
        Insert a Permissions PolicySet with an empty Target
        Insert a policy with an empty Target
        RoleRules[]= rule i
        For j=i+1 to rulesnumber do
            Parse Target of rule j
            If value(Subject)= currentValue then
                RoleRules[]= rule j
        Alter RoleRules Targets: delete constraint about currentValue
        Insert RoleRules into the policy
Return XACML-RBAC document

Algorithm 2: Mapping from Generic-XACML to XACML-RBAC profile.
5.1. Conformance to Specific Profile. For a generic policy to conform to profile specifications, it is transformed and customized by a specific algorithm that depends on the profile and that differs from one profile to another. For illustration purposes, we touch on the RBAC and UCON profiles.

5.1.1. Mapping from Generic-XACML to XACML-RBAC Profile. To translate a policy from Generic-XACML into the XACML-RBAC profile, we follow Algorithm 2.

In conformance with XACML-RBAC profile specifications, the resulting document will contain a root PolicySet element with an empty Target. On the other side, the original document is parsed. Then Targets of the Rules are browsed. So, for each possible value of the Subject, we create a PolicySet element representing a Role and a nested PolicySet element with an empty Target representing the Role permissions. As for the PolicySet representing the Role, the Target will contain a nesting of an AnyOf, an AllOf, and a Match element. The latter designates the current value of the Subject. Then all Rules that contain a Match element that satisfies the current Subject are selected and inserted in a Policy element nested into the PolicySet representing permissions. Before rules are inserted, their Targets are altered in such a way as to eliminate the Match element that designates the current value of the Subject.

Rules containing no Match element that designates a Subject are considered as Rules concerning all Subjects. Then these Rules are inserted into every PolicySet element representing a role.

Special Case. Algorithm 2 consists of factoring Rules into policies. The factor is a Match element that designates the Subject. This is only possible if Targets are logically expressed as a conjunction of Match elements. If an AnyOf element contains more than one AllOf element, the Target will be evaluated as a conjunction of disjunctions of conjunctions of Match elements. We cannot factorize by Match element. In this case, our algorithm will compare the AnyOf element as a whole rather than comparing only the Match element.
5.1.2. Mapping from Generic-XACML to XACML-UCON Profile. The XACML-UCON profile described in [25] is an implementation of the $UCON_{ABC}$ model [30] that fulfills XACML specifications and categorizes policies into 3 types: Authorizations, oBligations, and Conditions. The particularity of UCON is the Continuity of Usage and Mutable Attributes, which are expressed as XACML Obligations within the Policy element. So mapping to the UCON profile consists of categorizing original Rules into three categories: Authorizations A, oBligations B, and Conditions C. Then each category is divided into two subcategories: pre- (evaluated only once) and ongoing (continuous re-evaluation). So the resulting document will eventually contain six types of Policy: preA, preB, preC, onA, onB, and onC.

Algorithm 3 shows how to execute the mapping from Generic-XACML to the XACML-UCON profile. Rules of the original document are parsed. So, if a Rule contains at least one element that designates or selects an XACML Environment attribute, it will be considered as a Condition C. If it contains an XACML Condition element, it will be considered as an oBligation B. Otherwise, it will be considered as an Authorization A. On the other hand, if the Rule contains an XACML Obligation element with an AttributeAssignment element which specifies the time interval between continuous policy re-evaluations, the Rule is inserted in the resulting document inside an ongoing Policy: onA, onB, or onC. Otherwise, it is inserted inside a pre Policy: preA, preB, or preC.

Input: Generic-XACML document
Output: XACML-UCON document
create a root PolicySet in XACML-UCON document
for i=1 to rulesnumber do
    parse Target of rule i in Generic-XACML document
    if exist any element designating Environment attribute then
        if exist obligation specifying the request interval for ongoing control then
            onCRules[]=rule i
        else
            preCRules[]=rule i
    else if exist condition element in rule i then
        if exist obligation specifying the request interval for ongoing control then
            onBRules[]=rule i
        else
            preBRules[]=rule i
    else
        if exist obligation specifying the request interval for ongoing control then
            onARules[]=rule i
        else
            preARules[]=rule i
if preARules is not empty then
    insert preAPolicy
    insert preARules into preAPolicy
if onARules is not empty then
    insert onAPolicy
    insert onARules into onAPolicy
if preBRules is not empty then
    insert preBPolicy
    insert preBRules into preBPolicy
if onBRules is not empty then
    insert onBPolicy
    insert onBRules into onBPolicy
if preCRules is not empty then
    insert preCPolicy
    insert preCRules into preCPolicy
if onCRules is not empty then
    insert onCPolicy
    insert onCRules into onCPolicy
return XACML-UCON document

Algorithm 3: Mapping from Generic-XACML to XACML-UCON profile.
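Algorithm 3's classification, as an added Python example that is not code from the paper: it reads a constructed Generic-XACML document with ElementTree and distributes the Rules over the six Policy types, giving the Environment test precedence over the Condition test as the algorithm does. The AttributeId used to recognise the re-evaluation interval, the other `urn:example:` identifiers and the function names are assumptions; the XACML 3.0 namespace and category URNs are the standard ones.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
ENV = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
STRING = "http://www.w3.org/2001/XMLSchema#string"
# Hypothetical AttributeId for the re-evaluation interval; the profile's own id is not on this page.
INTERVAL_ID = "urn:example:ucon:reevaluation-interval"


def _target(category, value):
    return ('<Target><AnyOf><AllOf>'
            '<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">'
            f'<AttributeValue DataType="{STRING}">{value}</AttributeValue>'
            f'<AttributeDesignator Category="{category}" AttributeId="urn:example:attr" '
            f'DataType="{STRING}" MustBePresent="false"/>'
            '</Match></AllOf></AnyOf></Target>')


_CONDITION = ('<Condition><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">'
              'true</AttributeValue></Condition>')
_ONGOING = ('<ObligationExpressions><ObligationExpression ObligationId="urn:example:ucon:ongoing" '
            f'FulfillOn="Permit"><AttributeAssignmentExpression AttributeId="{INTERVAL_ID}">'
            '<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">30</AttributeValue>'
            '</AttributeAssignmentExpression></ObligationExpression></ObligationExpressions>')

# Constructed Generic-XACML sample: root PolicySet, one Policy, four Rules.
GENERIC = f'''<PolicySet xmlns="{NS}" PolicySetId="generic" Version="1.0"
  PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">
 <Target/>
 <Policy PolicyId="rules" Version="1.0"
   RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="r1" Effect="Permit">{_target(SUBJECT, "doctor")}</Rule>
  <Rule RuleId="r2" Effect="Permit">{_target(SUBJECT, "nurse")}{_ONGOING}</Rule>
  <Rule RuleId="r3" Effect="Permit">{_target(SUBJECT, "doctor")}{_CONDITION}</Rule>
  <Rule RuleId="r4" Effect="Deny">{_target(ENV, "after-hours")}{_CONDITION}{_ONGOING}</Rule>
 </Policy>
</PolicySet>'''


def classify(rule):
    """Return preA/onA/preB/onB/preC/onC for one Rule, with Algorithm 3's precedence."""
    if any(el.get("Category") == ENV for el in rule.iter()):
        kind = "C"   # designates or selects an Environment attribute
    elif rule.find(f"{{{NS}}}Condition") is not None:
        kind = "B"
    else:
        kind = "A"
    ongoing = any(a.get("AttributeId") == INTERVAL_ID
                  for a in rule.iter(f"{{{NS}}}AttributeAssignmentExpression"))
    return ("on" if ongoing else "pre") + kind


def map_to_ucon(generic_xml):
    """Build the XACML-UCON PolicySet: one Policy per non-empty category."""
    source = ET.fromstring(generic_xml)
    policy = source.find(f"{{{NS}}}Policy")
    buckets = {}
    for rule in policy.findall(f"{{{NS}}}Rule"):
        buckets.setdefault(classify(rule), []).append(rule)
    root = ET.Element(f"{{{NS}}}PolicySet", {
        "PolicySetId": "ucon", "Version": "1.0",
        "PolicyCombiningAlgId": source.get("PolicyCombiningAlgId")})
    ET.SubElement(root, f"{{{NS}}}Target")
    for name in ("preA", "onA", "preB", "onB", "preC", "onC"):  # insertion order of Algorithm 3
        if name in buckets:
            out = ET.SubElement(root, f"{{{NS}}}Policy", {
                "PolicyId": name, "Version": "1.0",
                "RuleCombiningAlgId": policy.get("RuleCombiningAlgId")})
            ET.SubElement(out, f"{{{NS}}}Target")
            out.extend(buckets[name])
    return root


def layout(policy_set):
    """PolicyId -> RuleIds, for inspecting the result."""
    return {p.get("PolicyId"): [r.get("RuleId") for r in p.findall(f"{{{NS}}}Rule")]
            for p in policy_set.findall(f"{{{NS}}}Policy")}


if __name__ == "__main__":
    ET.register_namespace("", NS)
    result = map_to_ucon(GENERIC)
    print(layout(result))
    print(ET.tostring(result, encoding="unicode")[:200])
```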
5.2. Optimizing Policies. When mapping from Generic-XACML to any XACML profile, the resulting policy could have redundancies in Target, Advice, or Obligation elements, or a large number of Rules in one Policy element, which makes it costly for the Policy Decision Point in terms of execution time. In this subsection, we propose an algorithm to optimize the resulting policies.

This algorithm (Algorithm 4) consists of regrouping Rules into policies based on common values of attributes in the Target element. Therefore, the algorithm iterates over attribute categories. The attribute categories and their order are selected based on the model (e.g., we follow the order Resource, Action, then Environment for the RBAC model). So, for each attribute category and for each Policy element, Rules are parsed. Then, if the Rule Target designates the current attribute category, its value is compared with the attribute category value of other Rules. Thus, Rules with equal attribute category values are combined into a sibling Policy (a new Policy having the same parent as the current Policy). Its Target will contain a nesting of an AnyOf, an AllOf, and a Match element. The latter designates the current value of the current category of attribute.

Input: XACML document
Forall attribute categories do
    Forall Policy elements do
        evaluate rulesnumber of current policy
        If rulesnumber ≥ 2 then  // policy with one rule does not need optimization
            For i=1 to rulesnumber do
                parse Target of rule i
                If Target designates current attribute category then
                    CurrentValue=value(attribute category)
                    combinedRules[]= rule i
                    For j=i+1 to rulesnumber do
                        parse Target of rule j
                        If value(attribute category)= CurrentValue then
                            combinedRules[]= rule j
                    If length(combinedRules) ≥ 2 then
                        If length(combinedRules) = rulesnumber then
                            alter Target of current Policy element
                            alter combinedRules Targets
                        Else
                            create sibling policy with Target designating CurrentValue for attr category
                            alter combinedRules Targets
                            move combinedRules to the new sibling policy

Algorithm 4: Optimizing policies.
If a resulting document contains a large number of Policy elements, this algorithm can be extended to combine Policy elements into PolicySet elements with the same instructions.

Other constraints can be added to the algorithm depending on the profile specifications (e.g., the Target of a PolicySet representing a role in the RBAC profile designates only Subject attributes).

Special Case. Similarly to Algorithm 2, if an AnyOf element contains more than one AllOf element, the algorithm will compare the AnyOf element as a whole rather than comparing only the Match element.

As for obligations and advices, if all Rules within a Policy element have the same ObligationExpression or the same AdviceExpression element, then this expression is moved to the parent Policy.
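The factoring step shared by Algorithm 2 (Section 5.1.1) and Algorithm 4 (Section 5.2), as an added Python example that is not code from the paper: it maps a small rule set to the RBAC layout, regroups Rules into sibling Policy elements, and compares decisions with the generic policy over every request in a small universe. It assumes the non-special case only (each Target is a conjunction of Match constraints), deny-overrides everywhere, and no Indeterminate results; the class and function names and the sample rules are constructed for this example.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Rule:
    effect: str      # "Permit" or "Deny"
    target: tuple    # conjunction of (category, value) Match constraints


@dataclass(frozen=True)
class Container:     # a Policy or a PolicySet; deny-overrides throughout
    target: tuple
    children: tuple


def deny_overrides(decisions):
    if "Deny" in decisions:
        return "Deny"
    return "Permit" if "Permit" in decisions else "NotApplicable"


def evaluate(node, request):
    if any(request.get(cat) != val for cat, val in node.target):
        return "NotApplicable"
    if isinstance(node, Rule):
        return node.effect
    return deny_overrides([evaluate(child, request) for child in node.children])


def without(rule, category):
    return Rule(rule.effect, tuple(m for m in rule.target if m[0] != category))


def to_rbac(rules):
    """Algorithm 2: one role PolicySet per Subject value, Subject Match factored out."""
    roles = sorted({val for r in rules for cat, val in r.target if cat == "subject"})
    role_sets = []
    for role in roles:
        # Rules naming this role, plus Rules with no Subject (they concern all Subjects).
        picked = [without(r, "subject") for r in rules
                  if dict(r.target).get("subject") in (role, None)]
        permissions = Container((), (Container((), tuple(picked)),))
        role_sets.append(Container((("subject", role),), (permissions,)))
    return Container((), tuple(role_sets))


def optimize(policy, category):
    """Algorithm 4 for one Policy and one category: the Policy elements that replace it."""
    groups = {}
    for r in policy.children:
        value = dict(r.target).get(category)
        if value is not None:
            groups.setdefault(value, []).append(r)
    remaining, siblings = list(policy.children), []
    for value, group in groups.items():
        if len(group) >= 2:   # a lone Rule keeps its own Target
            siblings.append(Container(policy.target + ((category, value),),
                                      tuple(without(r, category) for r in group)))
            remaining = [r for r in remaining if r not in group]
    head = [Container(policy.target, tuple(remaining))] if remaining else []
    return head + siblings


def optimize_tree(node, category):
    """Apply optimize() to every Policy (a Container holding only Rules) below node."""
    out = []
    for child in node.children:
        if isinstance(child, Rule):
            out.append(child)
        elif all(isinstance(c, Rule) for c in child.children):
            out.extend(optimize(child, category))
        else:
            out.append(optimize_tree(child, category))
    return Container(node.target, tuple(out))


def equivalent(a, b, universe):
    cats = list(universe)
    return all(evaluate(a, dict(zip(cats, vals))) == evaluate(b, dict(zip(cats, vals)))
               for vals in product(*universe.values()))


# Constructed sample: a Generic-XACML policy reduced to its Rules.
RULES = (
    Rule("Permit", (("subject", "doctor"), ("resource", "record"), ("action", "read"))),
    Rule("Permit", (("subject", "doctor"), ("resource", "record"), ("action", "write"))),
    Rule("Permit", (("subject", "nurse"), ("resource", "record"), ("action", "read"))),
    Rule("Deny", (("subject", "nurse"), ("resource", "record"), ("action", "write"))),
    Rule("Deny", (("resource", "audit-log"), ("action", "write"))),   # no Subject
)
GENERIC = Container((), RULES)
RBAC = to_rbac(RULES)
OPTIMIZED = RBAC
for _category in ("resource", "action"):   # the paper's RBAC order; Environment is unused here
    OPTIMIZED = optimize_tree(OPTIMIZED, _category)
UNIVERSE = {"subject": ["doctor", "nurse"], "resource": ["record", "audit-log"],
            "action": ["read", "write"]}
```

In this model the comparison holds only for Subjects that some Rule names: for any other Subject no role PolicySet applies, so the RBAC document returns NotApplicable where the generic policy's Subject-less Deny still matched.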
6. Conclusion and Future Research

In this paper, we propose Access Control in Cross-Organizational coLLABoration (ACCOLLAB), which tackles the problem of heterogeneity of access control models across organizations while respecting the internal access control model of each organization involved in a collaboration.

This solution is based on a mechanism for automatically mapping between policies in different models. We considered the previously proposed ontology-based semantic mapping process to deal with semantic correspondences and focus on syntactic transformations of the heterogeneous policies to propose a complete solution.

This automatic mapping is based on XACML profiles and the generic language Generic-XACML we have defined. Thus, we have given a logic proof for all of the mapping steps.

Thus, our generic access control model ACCOLLAB solves the heterogeneity problem, ensures cross-organization interoperability, and maintains the privacy of each collaborating organization.

We are working to implement our mapping algorithms using the XACML implementation Balana; then we are going to complete the implementation of the policy mapping architecture based on WSO2 servers.

Besides that, we intend to extend XACML in order to find equivalence between combining algorithms, so that our proposed mechanism covers heterogeneous combining algorithms.
Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.
References
[1] R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman, "Role-based access control models," The Computer Journal, vol. 29, no. 2, pp. 38–47, 1996.
[2] R. K. Thomas and R. S. Sandhu, "Task-based authorization controls (TBAC): a family of models for active and enterprise-oriented authorization management," in Database Security XI, IFIP Advances in Information and Communication Technology, pp. 166–181, Springer US, Boston, MA, 1998.
[3] E. Yuan and J. Tong, "Attributed based access control (ABAC) for web services," in Proceedings of the IEEE International Conference on Web Services (ICWS'05), pp. 561–569, IEEE, July 2005.
[4] A. A. E. Kalam, R. E. Baida, P. Balbiani et al., "Organization based access control," in Proceedings of the 4th IEEE International Workshop on Policies for Distributed Systems and Networks, pp. 120–131, 2003.
[5] A. Kalam and Y. El, "Multi-OrBAC: a New Access Control Model for Distributed, Heterogeneous and Collaborative Systems," in Proceedings of the 8th IEEE International Symposium on Systems and Information Security, p. 1, 2006.
[6] A. Kamoun and S. Tazi, "A semantic role-based access control for intra and inter-organization collaboration," in Proceedings of the 23rd IEEE International WETICE Conference, WETICE 2014, pp. 86–91, Italy, June 2014.
[7] W. Zhou and C. Meinel, "Team and task based RBAC access control model," in Proceedings of the 2007 Latin American Network Operations and Management Symposium - LANOMS 2007, pp. 84–94, Brazil, September 2007.
[8] J. Li, J. Zic, N. Oakes, D. Liu, and C. Wang, "Design and evaluation of an integrated collaboration platform for secure information sharing," in Cooperative Design, Visualization, and Engineering, vol. 9929 of Lecture Notes in Computer Science, pp. 185–193, Springer International Publishing, Cham, 2016.
[9] F. Liang, H. Guo, S. Yi, and S. Ma, "A multiple-policy supported attribute-based access control architecture within large-scale device collaboration systems," Journal of Networks, vol. 7, no. 3, pp. 524–531, 2012.
[10] S. Sicari, A. Rizzardi, D. Miorandi, and A. Coen-Porisini, "Dynamic policies in internet of things: enforcement and synchronization," IEEE Internet of Things Journal, vol. 4, no. 6, pp. 2228–2238, 2017.
[11] A. Almutairi, M. Sarfraz, S. Basalamah, W. Aref, and A. Ghafoor, "A distributed access control architecture for cloud computing," IEEE Software, vol. 29, no. 2, pp. 36–44, 2012.
[12] H. Xiang, X. Xia, H. Hu, J. Sang, and C. Ye, "Approaches to access control policy comparison and the inter-domain role mapping problem," Information Technology and Control, vol. 45, no. 3, pp. 278–288, 2016.
[13] Z. Wu and L. Wang, "An innovative simulation environment for cross-domain policy enforcement," Simulation Modelling Practice and Theory, vol. 19, no. 7, pp. 1558–1583, 2011.
[14] Z.-W. Wang, "A generic access control model based on ontology," in Proceedings of the 2010 IEEE International Conference on Wireless Communications, Networking and Information Security, WCNIS 2010, pp. 335–339, China, June 2010.
[15] S. Haguouche and Z. Jarir, "Managing heterogeneous access control models cross-organization," in Proceedings of the International Conference on Risks and Security of Internet and Systems, pp. 222–229, 2015.
[16] S. Haguouche and Z. Jarir, "Generic access control model and semantic mapping between heterogeneous policies," International Journal of Technology Diffusion (IJTD), vol. 9, no. 4, pp. 52–65, 2018.
[17] S. Haguouche and Z. Jarir, "Toward a generic access control model," in Proceedings of the 3rd IEEE World Conference on Complex Systems, WCCS 2015, pp. 1–6, IEEE, Morocco, November 2015.
[18] R. Xu, Y. Chen, E. Blasch, and G. Chen, "A federated capability-based access control mechanism for Internet of Things (IoTs)," in Proceedings of the Sensors and Systems for Space Applications XI, International Society for Optics and Photonics, 2018.
[19] L. Duan, Y. Zhang, S. Chen et al., "Automated policy combination for secure data sharing in cross-organizational collaborations," IEEE Access, vol. 4, pp. 3454–3468, 2016.
[20] G. Geethakumari, A. Negi, and V. N. Sastry, "A cross-domain role mapping and authorization framework for RBAC in grid systems," International Journal of Computer Science and Application, vol. 6, no. 1, pp. 1–12, 2009.
[21] D. Preuveneers, W. Joosen, and E. Ilie-Zudor, "Policy reconciliation for access control in dynamic cross-enterprise collaborations," Enterprise Information Systems, vol. 12, no. 3, pp. 279–299, 2018.
[22] C. Esposito, "Interoperable, dynamic and privacy-preserving access control for cloud data storage when integrating heterogeneous organizations," Journal of Network and Computer Applications, vol. 108, pp. 124–136, 2018.
[23] OASIS XACML Technical Committee, "eXtensible Access Control Markup Language (XACML) Version 3.0," http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html, accessed July 2018.
[24] OASIS XACML Technical Committee, "XACML v3.0 core and hierarchical Role Based Access Control (RBAC) profile version 1.0 (committee specification 02)," http://docs.oasis-open.org/xacml/3.0/rbac/v1.0/xacml-3.0-rbac-v1.0.html, accessed July 2018.
[25] Y. Ghazi, R. Masood, M. A. Shibli, and S. Khurshid, "Usage-based access control for cloud applications," in Innovative Solutions for Access Control Management, pp. 197–223, 2016.
[26] G. Karjoth, A. Schade, and E. Van Herreweghen, "Implementing ACL-based policies in XACML," in Proceedings of the 24th Annual Computer Security Applications Conference, ACSAC 2008, pp. 183–192, USA, December 2008.
[27] M. Xu, D. Wijesekera, and X. Zhang, "Towards session-aware RBAC administration and enforcement with XACML," in Proceedings of the 2009 IEEE International Symposium on Policies for Distributed Systems and Networks, 2009.
[28] X. Jin, R. Krishnan, and R. Sandhu, "A unified attribute-based access control model covering DAC, MAC and RBAC," Lecture Notes in Computer Science, vol. 7371, pp. 41–55, 2012.
[29] C. D. P. K. Ramli, H. R. Nielson, and F. Nielson, "The logic of XACML," Science of Computer Programming, vol. 83, pp. 80–105, 2014.
[30] J. Park and R. Sandhu, "The UCONABC usage control model," ACM Transactions on Information and System Security, vol. 7, no. 1, pp. 128–174, 2004.
Table 3: Policy truth table.

| Target | Rules | Policy |
|---|---|---|
| $\top$ | $-$ | Combining Algo |
| $I$ | $\exists i \in [1 - n],\ R_i = \top$ or $I$ | $I$ |
| $I$ | $\forall i \in [1 - n],\ R_i = \bot$ | $\bot$ |
| $\bot$ | $-$ | $\bot$ |

Case 1. If $T = \top$, then for any $i \in [1 - n]$, $T \wedge T_i = T_i$, so the evaluation of the nested Rules does not change, $[R_i'] = [R_i]$, and then

$$[P'] = [\langle Null, R_1', \ldots, R_n', \theta \rangle] = [\langle \top, R_1', \ldots, R_n', \theta \rangle] \quad (1)$$

An empty Target always matches. Then

$$[P'] = [\langle \top, R_1, \ldots, R_n, \theta \rangle] = [P] \quad (2)$$

Case 2. If $T = I$, then:

Case 2.1. If $\exists i \in [1 - n]$, ($T_i = I$ or $T_i = \top$) and ($C_i = \top$ or $C_i = I$), then $T \wedge T_i = I$.

Then

$$[R_i'] = I \quad (3)$$

(because $C_i = \top$ or $C_i = I$).

So

$$[P'] = [\langle Null, R_1', \ldots, R_n', \theta \rangle] = [\langle \top, R_1', \ldots, R_n', \theta \rangle] = comAlg([R_1'], \ldots, [R_n']) \quad (4)$$

($comAlg$ is the function that evaluates decisions of $[R_1'], \ldots, [R_n']$ according to the combining algorithm used.)

So

$$[P'] = I \quad (5)$$

(at least one Rule evaluated to Indeterminate).

On the other hand, $[R_i] = \top$ or $I$, then $[P] = I$ (Target $= I$). So

$$[P'] = [P] \quad (6)$$

Case 2.2. If for any $i \in [1 - n]$, ($T_i = \bot$ or $C_i = \bot$), then for any $i \in [1 - n]$, $[R_i'] = [R_i] = \bot$.

$$[P'] = [\langle Null, R_1', \ldots, R_n', \theta \rangle] = [\langle \top, R_1', \ldots, R_n', \theta \rangle] = \bot \quad (7)$$

And

$$[P] = [\langle I, R_1, \ldots, R_n, \theta \rangle] = \bot = [P'] \quad (8)$$

Case 3. If $T = \bot$, then for any $i \in [1 - n]$, $T \wedge T_i = \bot$. So for any $i \in [1 - n]$, $[R_i'] = \bot$ and $[R_i] = \bot$. Then

$$[P'] = [\langle Null, R_1', \ldots, R_n', \theta \rangle] = [\langle \top, R_1', \ldots, R_n', \theta \rangle] = comAlg([R_1'], \ldots, [R_n']) = \bot \quad (9)$$

And

$$[P] = [\langle \bot, R_1, \ldots, R_n, \theta \rangle] = \bot = [P'] \quad (10)$$

The same reasoning applies to a PolicySet composed of a set of policies or PolicySets, with the truth table in Table 4.

Table 4: PolicySet truth table.

| Target | Policy or PolicySet | PolicySet |
|---|---|---|
| $\top$ | $-$ | Combining Algo |
| $I$ | $\exists i \in [1 - n],\ P_i = \top$ or $I$ | $I$ |
| $I$ | $\forall i \in [1 - n],\ P_i = \bot$ | $\bot$ |
| $\bot$ | $-$ | $\bot$ |

4.3. Policy and PolicySet Elements with No Obligation or Advice Elements. Obligation or Advice are operations that must be fulfilled in conjunction with an authorization decision (permit or deny authorization decision). ObligationExpression or AdviceExpression elements may be added optionally in a Rule, Policy, or PolicySet element.
Obligation and Advice do not affect the access decisionbut they are fulfilled when the access decision is equal tothe value specified in the FulfillOn attribute for Obligationelement and AppliesTo attribute for Advice element
So since Obligation and Advice do not affect the accessdecision we can imbricate them into the nested Rule ele-ments This results a redundancy in ObligationExpressionand AdviceExpression elements but it will be overcome whenmapping to another XACML profile
44 Substitute Nested PolicySet Elements by Their ContentsGeneric-XACML is based on XACML but defines a specificarborescence of the elements It contains a root PolicySet withan empty Target and a nested Policy element that has anempty Target as well and a set of nested Rule elements InSection 42 we have proved that a Target of a PolicyPolicySetcan be nested to their composite RulesPoliciesPolicySetswithout changing the global decision evaluation In thissection we prove that if a PolicySet is nested into anotherPolicySet its Target is empty and its combining algorithm isthe same as the container PolicySet then it can be eliminatedand substituted by its contents as illustrated in Figure 4
Proof Let 119862119875119878 be the Container PolicySet element and119873119875119878119894with 119894 isin [1 minus 119899] be its Nested PolicySet elements Allof container and nested PolicySet elements have an emptyTarget
Security and Communication Networks 9
Figure 4 Substitute nested PolicySet elements by their contents
119888119900119898119860119897119892 is the function that evaluates a set of decisionsaccording to the combining algorithm used Then the deci-sion evaluation of the 119862119875119878 is
[119862119875119878] = 119888119900119898119860119897119892 ([1198731198751198781] [119873119875119878119899]) (11)
And
[119873119875119878119894] = 119888119900119898119860119897119892 ([1198751198941] [119875119894119898119894])
119891119900119903 119886119899119910 119894 isin [1 minus 119899](12)
1198751198941 119875119894119898119894 are nested policies for the PolicySet NPSi and119898119894 is their number
Let us prove that
[119862119875119878] = 119888119900119898119860119897119892 ([11987511] [11987511198981] [1198751198991]
[119875119899119898119899])(13)
We use the multivalued approach presented in [29] wherethey define for each combining algorithm a lattice (1198816 le119862119860)where1198816 is the set perp 119868119889 119868119901 119868119889119901 ⊤119889 ⊤119901 and the orderingle119862119860is defined according to the combining algorithm specifica-tion
So the combining algorithm function applied to a set 119878 of1198816 is the least upper bound the supremum (sup) of 119878
Then
[119862119875119878] = 119904119906119901 ([1198731198751198781] [119873119875119878119899])
= 119904119906119901 (119904119906119901 ([11987511] [11987511198981])
119904119906119901 ([1198751198991] [119875119899119898119899]))
(14)
If we have the same combining algorithm the same orderingfor every NPSi then
119904119906119901 (119904119906119901 ([11987511] [11987511198981])
119904119906119901 ([1198751198991] [119875119899119898119899])) = 119904119906119901 ([11987511]
[11987511198981] [1198751198991] [119875119899119898119899])
(15)
Then
[119862119875119878]
= 119904119906119901 ([11987511] [11987511198981] [1198751198991] [119875119899119898119899])(16)
So if we eliminate all nested PolicySet elements andsubstitute them by their nested Policy elements the decisionevaluation does not change
45 Merging All Policy Elements into One Policy Now weprove that all nested Rules can be merged into only onePolicy element if all Policy elements have the same combiningalgorithm We show that this transformation does not affectthe decision evaluation of the container PolicySet
Proof Let 119862119875119878 be the Container PolicySet and 119873119875119894 for 119894 isin[1 minus 119899] be the nested Policy elements and 119873119875 the resultingnested Policy All of these elements container PolicySet thenested policies and the resulting Policy have an empty Targetand the same combining algorithm
The evaluations of 119862119875119878119873119875119894 and119873119875 are
[119862119875119878] = 119888119900119898119860119897119892 ([1198731198751] [119873119875119899]) (17)
[119873119875119894] = 119888119900119898119860119897119892([1198771198941] [119877119894119898119894]) for any 119894 isin [1 minus 119899] where1198771198941 119877119894119898119894 are nested Rules for the Policy119873119875119894
[119873119875] = 119888119900119898119860119897119892 ([11987711] [11987711198981] [1198771198991]
[119877119899119898119899])(18)
We prove that
[119862119875119878] = [119873119875] (19)
If we follow the same reasoning as above and we suppose wehave the same combining algorithm for all policies the sameordering we can prove that
[119862119875119878] = 119904119906119901 ([1198731198751] [119873119875119899])
= 119904119906119901 (119904119906119901 ([11987711] [11987711198981])
119904119906119901 ([1198771198991] [119877119899119898119899])) = 119904119906119901 ([11987711]
[11987711198981] [1198771198991] [119877119899119898119899]) = [119873119875]
(20)
5 Mapping from Generic-XACML toXACML Profiles
Once we obtain the Generic-XACML policy we can reform itinto the desirable XACML profile This involves encompass-ing Rules into policies and PolicySets according to the profile
10 Security and Communication Networks
Input Generic-XACML documentOutput XACML-RBAC documentCreate a root PolicySet in XACML-RBAC document with an empty TargetFor i=1 to rulesnumber do
Parse Target of rule i in Generic-XACML documentIf Target designate the Subject then
currentValue=value(Subject)Append a role PolicySet with Target designating CurrentValue for the SubjectInsert a Permissions PolicySet with an empty TargetInsert a policy with an empty TargetRoleRules[]= rule iFor j=i+1 to rulesnumber do
Parse Target of rule jIf value(Subject)= currentValue then
RoleRules[]= rule jAlter RoleRules Targets delete constraint about currentValueInsert RoleRules into the policy
Return XACML-RBAC document
Algorithm 2 Mapping from Generic-XACML to XACML-RBAC profile
specifications In this section we describe how to map fromGeneric-XACML to a specific XACMLprofileWe follow twogreat steps
(1) Reproducing a customized policy conform to theprofile specifications
(2) Optimizing the resulting policy
For both steps the sorts of transformations we carry outare as follows
(i) Inserting container Policy or PolicySet elements hav-ing an empty Target element and the same combiningalgorithm as the initial policy
(ii) Moving constraints that are common between thenested elements from their Targets to the Target of thecontainer element
(iii) Moving the ObligationExpression or AdviceExpres-sion elements that are common between the nestedelements to the container element
These transformations do not affect the decision evalua-tion of the global policy as it is proved in the Section 4
5.1. Conformance to Specific Profile. For a generic policy to conform to profile specifications, it is transformed and customized by an algorithm that is specific to the profile and differs from one profile to another. For illustration purposes, we cover the RBAC and UCON profiles.

5.1.1. Mapping from Generic-XACML to XACML-RBAC Profile. To translate a policy from Generic-XACML into the XACML-RBAC profile, we follow Algorithm 2.

In conformance with the XACML-RBAC profile specifications, the resulting document contains a root PolicySet element with an empty Target. The original document, in turn, is parsed and the Targets of the Rules are browsed. For each possible value of the Subject, we create a PolicySet element representing a Role and a nested PolicySet element with an empty Target representing the Role permissions. The Target of the PolicySet representing the Role contains a nesting of an AnyOf, an AllOf, and a Match element; the latter designates the current value of the Subject. Then all Rules that contain a Match element satisfying the current Subject are selected and inserted in a Policy element nested into the PolicySet representing permissions. Before the Rules are inserted, their Targets are altered so as to eliminate the Match element that designates the current value of the Subject.

Rules containing no Match element that designates a Subject are considered Rules concerning all Subjects. These Rules are therefore inserted into every PolicySet element representing a role.

Special Case. Algorithm 2 consists of factoring Rules into policies. The factor is a Match element that designates the Subject. This is only possible if Targets are logically expressed as a conjunction of Match elements. If an AnyOf element contains more than one AllOf element, the Target is evaluated as a conjunction of disjunctions of conjunctions of Match elements, and we cannot factorize by Match element. In this case, our algorithm compares the AnyOf element as a whole rather than comparing only the Match element.
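The factoring performed by Algorithm 2, as an added example that is not the authors' implementation. It assumes a simplified rule model (each Target is a dictionary holding at most one value per category, decisions are combined with deny-overrides, Indeterminate is ignored), creates one role PolicySet per distinct Subject value as the prose describes, and compares the generic and mapped policies for every request whose Subject is one of the role values found in the rules. The rule set and all names are constructed for illustration.

```python
from itertools import product

# Constructed Generic-XACML rules. Each Target is a conjunction with at most
# one Match per category, which is the case Algorithm 2 can factor by Subject.
RULES = [
    {"id": "r1", "effect": "Permit",
     "target": {"subject": "doctor", "resource": "record", "action": "read"}},
    {"id": "r2", "effect": "Permit",
     "target": {"subject": "doctor", "resource": "record", "action": "write"}},
    {"id": "r3", "effect": "Permit",
     "target": {"subject": "nurse", "resource": "record", "action": "read"}},
    {"id": "r4", "effect": "Deny",
     "target": {"subject": "nurse", "resource": "record", "action": "write"}},
    # No Subject constraint: treated as a Rule concerning all Subjects.
    {"id": "r5", "effect": "Deny",
     "target": {"resource": "record", "action": "delete"}},
]


def to_rbac(rules):
    """Build root PolicySet -> role PolicySet -> permissions PolicySet -> Policy."""
    roles = list(dict.fromkeys(
        r["target"]["subject"] for r in rules if "subject" in r["target"]))
    for_all = [r for r in rules if "subject" not in r["target"]]
    root = {"id": "root", "target": {}, "children": []}
    for role in roles:
        selected = [r for r in rules if r["target"].get("subject") == role] + for_all
        # Delete the Subject constraint: it now lives in the role PolicySet Target.
        stripped = [
            dict(r, target={k: v for k, v in r["target"].items() if k != "subject"})
            for r in selected
        ]
        policy = {"id": f"policy:{role}", "target": {}, "children": stripped}
        permissions = {"id": f"permissions:{role}", "target": {}, "children": [policy]}
        root["children"].append(
            {"id": f"role:{role}", "target": {"subject": role}, "children": [permissions]})
    return root


def evaluate(node, request):
    """Evaluate a Rule, Policy or PolicySet node against a request."""
    if any(request.get(k) != v for k, v in node["target"].items()):
        return "NotApplicable"
    if "effect" in node:  # a Rule
        return node["effect"]
    decisions = {evaluate(child, request) for child in node["children"]}
    # deny-overrides, restricted to Permit / Deny / NotApplicable
    if "Deny" in decisions:
        return "Deny"
    if "Permit" in decisions:
        return "Permit"
    return "NotApplicable"


def mismatches(rules):
    """Requests (Subject taken from the role values) on which the two forms differ."""
    generic = {"id": "generic", "target": {}, "children": rules}
    rbac = to_rbac(rules)
    values = {
        cat: sorted({r["target"][cat] for r in rules if cat in r["target"]})
        for cat in ("subject", "resource", "action")
    }
    found = []
    for s, res, act in product(values["subject"], values["resource"], values["action"]):
        request = {"subject": s, "resource": res, "action": act}
        if evaluate(generic, request) != evaluate(rbac, request):
            found.append(request)
    return found


if __name__ == "__main__":
    for role_ps in to_rbac(RULES)["children"]:
        policy = role_ps["children"][0]["children"][0]
        print(role_ps["id"], [r["id"] for r in policy["children"]])
    print("mismatches:", mismatches(RULES))
```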
5.1.2. Mapping from Generic-XACML to XACML-UCON Profile. The XACML-UCON profile described in [25] is an implementation of the UCONABC model [30] that fulfills the XACML specifications and categorizes policies into three types: Authorizations, oBligations, and Conditions. The particularity of UCON is the Continuity of Usage and Mutable Attributes, which are expressed as XACML Obligations within the Policy element. So mapping to the UCON profile consists of categorizing the original Rules into three categories: Authorizations A, oBligations B, and Conditions C. Then each category is divided into two subcategories: pre- (evaluated only once) and ongoing (continuous re-evaluation). The resulting document will therefore contain up to six types of Policy: preA, preB, preC, onA, onB, and onC.

Input: Generic-XACML document
Output: XACML-UCON document
create a root PolicySet in XACML-UCON document
for i=1 to rulesnumber do
    parse Target of rule i in Generic-XACML document
    if exist any element designating Environment attribute then
        if exist obligation specifying the request interval for ongoing control then
            onCRules[] = rule i
        else
            preCRules[] = rule i
    else if exist condition element in rule i then
        if exist obligation specifying the request interval for ongoing control then
            onBRules[] = rule i
        else
            preBRules[] = rule i
    else
        if exist obligation specifying the request interval for ongoing control then
            onARules[] = rule i
        else
            preARules[] = rule i
if preARules is not empty then
    insert preAPolicy
    insert preARules into preAPolicy
if onARules is not empty then
    insert onAPolicy
    insert onARules into onAPolicy
if preBRules is not empty then
    insert preBPolicy
    insert preBRules into preBPolicy
if onBRules is not empty then
    insert onBPolicy
    insert onBRules into onBPolicy
if preCRules is not empty then
    insert preCPolicy
    insert preCRules into preCPolicy
if onCRules is not empty then
    insert onCPolicy
    insert onCRules into onCPolicy
return XACML-UCON document

Algorithm 3: Mapping from Generic-XACML to XACML-UCON profile.
Algorithm 3 shows how to execute the mapping from Generic-XACML to the XACML-UCON profile. The Rules of the original document are parsed. If a Rule contains at least one element that designates or selects an XACML Environment attribute, it is considered a Condition C. If it contains an XACML Condition element, it is considered an oBligation B. Otherwise, it is considered an Authorization A. In addition, if the Rule contains an XACML Obligation element with an AttributeAssignment element that specifies the time interval between continuous policy re-evaluations, the Rule is inserted in the resulting document inside an ongoing Policy (onA, onB, or onC). Otherwise, it is inserted inside a pre Policy (preA, preB, or preC).
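The classification of Algorithm 3 applied to XACML 3.0 markup, as an added example that is not the authors' code. The sample policy is constructed and trimmed to the elements the classifier inspects, so it is not schema-valid; the attribute identifier used to recognise the re-evaluation interval (`urn:example:ucon:reevaluation-interval`) and the function names are assumptions, since the page does not give the profile's identifier.

```python
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
ENV = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
RES = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
# Hypothetical identifier of the obligation attribute carrying the interval.
INTERVAL_ID = "urn:example:ucon:reevaluation-interval"
ORDER = ("preA", "onA", "preB", "onB", "preC", "onC")


def classify(rule):
    """Return one of preA, onA, preB, onB, preC, onC for a Rule element."""
    refs = (rule.findall(".//x:AttributeDesignator", NS)
            + rule.findall(".//x:AttributeSelector", NS))
    if any(ref.get("Category") == ENV for ref in refs):
        kind = "C"  # Environment wins, even when it is referenced from a Condition
    elif rule.find("x:Condition", NS) is not None:
        kind = "B"
    else:
        kind = "A"
    ongoing = any(
        a.get("AttributeId") == INTERVAL_ID
        for a in rule.findall(
            ".//x:ObligationExpression/x:AttributeAssignmentExpression", NS))
    return ("on" if ongoing else "pre") + kind


def to_ucon(generic_xml):
    """Build the root PolicySet, with one Policy per non-empty category."""
    src = ET.fromstring(generic_xml)
    buckets = {name: [] for name in ORDER}
    for rule in src.iter(f"{{{XACML}}}Rule"):
        buckets[classify(rule)].append(rule)
    alg = src.get("RuleCombiningAlgId")
    root = ET.Element(f"{{{XACML}}}PolicySet", {
        "PolicySetId": "ucon-root",
        # Same combining algorithm as the initial policy, at PolicySet level.
        "PolicyCombiningAlgId": alg.replace("rule-combining", "policy-combining"),
    })
    ET.SubElement(root, f"{{{XACML}}}Target")  # empty Target
    for name in ORDER:
        if buckets[name]:
            policy = ET.SubElement(root, f"{{{XACML}}}Policy", {
                "PolicyId": name + "Policy", "RuleCombiningAlgId": alg})
            ET.SubElement(policy, f"{{{XACML}}}Target")  # empty Target
            policy.extend(buckets[name])
    return root


def layout(root):
    """Map each Policy in the result to the RuleIds it contains."""
    return {p.get("PolicyId"): [r.get("RuleId") for r in p.findall("x:Rule", NS)]
            for p in root.findall("x:Policy", NS)}


# Constructed sample, reduced to the elements classify() looks at.
_T = ('<Target><AnyOf><AllOf><Match><AttributeDesignator Category="{}"/>'
      '</Match></AllOf></AnyOf></Target>')
_COND = ('<Condition><Apply FunctionId="urn:example:check">'
         '<AttributeDesignator Category="{}"/></Apply></Condition>')
_OB = ('<ObligationExpressions><ObligationExpression '
       'ObligationId="urn:example:ucon:reevaluate" FulfillOn="Permit">'
       f'<AttributeAssignmentExpression AttributeId="{INTERVAL_ID}"/>'
       '</ObligationExpression></ObligationExpressions>')
SAMPLE = (
    f'<Policy xmlns="{XACML}" PolicyId="generic" RuleCombiningAlgId='
    '"urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">'
    f'<Rule RuleId="read" Effect="Permit">{_T.format(ACT)}</Rule>'
    f'<Rule RuleId="stream" Effect="Permit">{_T.format(ACT)}{_OB}</Rule>'
    f'<Rule RuleId="consent" Effect="Permit">{_T.format(ACT)}{_COND.format(RES)}</Rule>'
    f'<Rule RuleId="office-hours" Effect="Permit">{_T.format(ACT)}{_COND.format(ENV)}</Rule>'
    f'<Rule RuleId="geo-watch" Effect="Deny">{_T.format(ENV)}{_OB}</Rule>'
    '</Policy>')

if __name__ == "__main__":
    for policy_id, rule_ids in layout(to_ucon(SAMPLE)).items():
        print(policy_id, rule_ids)
```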
5.2. Optimizing Policies. When mapping from Generic-XACML to any XACML profile, the resulting policy could have redundancies in Target, Advice, or Obligation elements, or a large number of Rules in one Policy element, which makes it costly for the Policy Decision Point in terms of execution time. In this subsection, we propose an algorithm to optimize the resulting policies.

This algorithm (Algorithm 4) consists of regrouping Rules into policies based on common values of attributes in the Target element. Therefore, the algorithm iterates over attribute categories. The attribute categories and their order are selected based on the model (e.g., we follow the order Resource, Action, then Environment for the RBAC model). So for each attribute category and for each Policy element, Rules are parsed. Then, if the Rule Target designates the current attribute category, its value is compared with the attribute category value of the other Rules. Thus, Rules with equal attribute category values are combined into a sibling Policy (a new Policy having the same parent as the current Policy). Its Target contains a nesting of an AnyOf, an AllOf, and a Match element. The latter designates the current value of the current attribute category.

Input: XACML document
Forall attribute categories do
    Forall Policy elements do
        evaluate rulesnumber of current policy
        If rulesnumber ≥ 2 then    // policy with one rule does not need optimization
            For i=1 to rulesnumber do
                parse Target of rule i
                If Target designates current attribute category then
                    CurrentValue = value(attribute category)
                    combinedRules[] = rule i
                    For j=i+1 to rulesnumber do
                        parse Target of rule j
                        If value(attribute category) = CurrentValue then
                            combinedRules[] = rule j
                    If length(combinedRules) ≥ 2 then
                        If length(combinedRules) = rulesnumber then
                            alter Target of current Policy element
                            alter combinedRules Targets
                        Else
                            create sibling policy with Target designating CurrentValue for attr category
                            alter combinedRules Targets
                            move combinedRules to the new sibling policy

Algorithm 4: Optimizing policies.
If a resulting document contains a large number of Policy elements, this algorithm can be extended to combine Policy elements into PolicySet elements with the same instructions.

Other constraints can be added to the algorithm depending on the profile specifications (e.g., the Target of a PolicySet representing a role in the RBAC profile designates only Subject attributes).

Special Case. Similarly to Algorithm 2, if an AnyOf element contains more than one AllOf element, the algorithm compares the AnyOf element as a whole rather than comparing only the Match element.

As for obligations and advice, if all Rules within a Policy element have the same ObligationExpression or the same AdviceExpression element, then this expression is moved to the parent Policy.
6. Conclusion and Future Research

In this paper, we propose Access Control in Cross-Organizational coLLABoration (ACCOLLAB), which tackles the problem of heterogeneity of access control models across organizations while respecting the internal access control model of each organization involved in a collaboration.

This solution is based on a mechanism for automatically mapping between policies in different models. We considered the previously proposed ontology-based semantic mapping process to deal with semantic correspondences and focused on syntactic transformations of the heterogeneous policies to propose a complete solution.

This automatic mapping is based on XACML profiles and on the generic language Generic-XACML that we have defined. We have given a logic proof for all of the mapping steps.

Thus, our generic access control model ACCOLLAB solves the heterogeneity problem, ensures interoperability across organizations, and maintains the privacy of each collaborating organization.

We are working to implement our mapping algorithms using the XACML implementation Balana; then we are going to complete the implementation of the policy mapping architecture based on WSO2 servers.

Besides that, we intend to extend XACML in order to find equivalences between combining algorithms, so that our proposed mechanism covers heterogeneous combining algorithms.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.
References
[1] R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman, “Role-based access control models,” The Computer Journal, vol. 29, no. 2, pp. 38–47, 1996.
[2] R. K. Thomas and R. S. Sandhu, “Task-based authorization controls (TBAC): a family of models for active and enterprise-oriented authorization management,” in Database Security XI, IFIP Advances in Information and Communication Technology, pp. 166–181, Springer US, Boston, MA, 1998.
[3] E. Yuan and J. Tong, “Attributed based access control (ABAC) for web services,” in Proceedings of the IEEE International Conference on Web Services (ICWS’05), pp. 561–569, IEEE, July 2005.
[4] A. A. E. Kalam, R. E. Baida, P. Balbiani et al., “Organization based access control,” in Proceedings of the 4th IEEE International Workshop on Policies for Distributed Systems and Networks, pp. 120–131, 2003.
[5] A. Kalam and Y. El, “Multi-OrBAC: a New Access Control Model for Distributed, Heterogeneous and Collaborative Systems,” in Proceedings of the 8th IEEE International Symposium on Systems and Information Security, p. 1, 2006.
[6] A. Kamoun and S. Tazi, “A semantic role-based access control for intra and inter-organization collaboration,” in Proceedings of the 23rd IEEE International WETICE Conference, WETICE 2014, pp. 86–91, Italy, June 2014.
[7] W. Zhou and C. Meinel, “Team and task based RBAC access control model,” in Proceedings of the 2007 Latin American Network Operations and Management Symposium - LANOMS 2007, pp. 84–94, Brazil, September 2007.
[8] J. Li, J. Zic, N. Oakes, D. Liu, and C. Wang, “Design and evaluation of an integrated collaboration platform for secure information sharing,” in Cooperative Design, Visualization, and Engineering, vol. 9929 of Lecture Notes in Computer Science, pp. 185–193, Springer International Publishing, Cham, 2016.
[9] F. Liang, H. Guo, S. Yi, and S. Ma, “A multiple-policy supported attribute-based access control architecture within large-scale device collaboration systems,” Journal of Networks, vol. 7, no. 3, pp. 524–531, 2012.
[10] S. Sicari, A. Rizzardi, D. Miorandi, and A. Coen-Porisini, “Dynamic policies in internet of things: enforcement and synchronization,” IEEE Internet of Things Journal, vol. 4, no. 6, pp. 2228–2238, 2017.
[11] A. Almutairi, M. Sarfraz, S. Basalamah, W. Aref, and A. Ghafoor, “A distributed access control architecture for cloud computing,” IEEE Software, vol. 29, no. 2, pp. 36–44, 2012.
[12] H. Xiang, X. Xia, H. Hu, J. Sang, and C. Ye, “Approaches to access control policy comparison and the inter-domain role mapping problem,” Information Technology and Control, vol. 45, no. 3, pp. 278–288, 2016.
[13] Z. Wu and L. Wang, “An innovative simulation environment for cross-domain policy enforcement,” Simulation Modelling Practice and Theory, vol. 19, no. 7, pp. 1558–1583, 2011.
[14] Z.-W. Wang, “A generic access control model based on ontology,” in Proceedings of the 2010 IEEE International Conference on Wireless Communications, Networking and Information Security, WCNIS 2010, pp. 335–339, China, June 2010.
[15] S. Haguouche and Z. Jarir, “Managing heterogeneous access control models cross-organization,” in Proceedings of the International Conference on Risks and Security of Internet and Systems, pp. 222–229, 2015.
[16] S. Haguouche and Z. Jarir, “Generic access control model and semantic mapping between heterogeneous policies,” International Journal of Technology Diffusion (IJTD), vol. 9, no. 4, pp. 52–65, 2018.
[17] S. Haguouche and Z. Jarir, “Toward a generic access control model,” in Proceedings of the 3rd IEEE World Conference on Complex Systems, WCCS 2015, pp. 1–6, IEEE, Morocco, November 2015.
[18] R. Xu, Y. Chen, E. Blasch, and G. Chen, “A federated capability-based access control mechanism for Internet of Things (IoTs),” in Proceedings of the Sensors and Systems for Space Applications XI, International Society for Optics and Photonics, 2018.
[19] L. Duan, Y. Zhang, S. Chen et al., “Automated policy combination for secure data sharing in cross-organizational collaborations,” IEEE Access, vol. 4, pp. 3454–3468, 2016.
[20] G. Geethakumari, A. Negi, and V. N. Sastry, “A cross-domain role mapping and authorization framework for RBAC in grid systems,” International Journal of Computer Science and Application, vol. 6, no. 1, pp. 1–12, 2009.
[21] D. Preuveneers, W. Joosen, and E. Ilie-Zudor, “Policy reconciliation for access control in dynamic cross-enterprise collaborations,” Enterprise Information Systems, vol. 12, no. 3, pp. 279–299, 2018.
[22] C. Esposito, “Interoperable, dynamic and privacy-preserving access control for cloud data storage when integrating heterogeneous organizations,” Journal of Network and Computer Applications, vol. 108, pp. 124–136, 2018.
[23] OASIS XACML Technical Committee, “eXtensible Access Control Markup Language (XACML) Version 3.0,” http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html, accessed July 2018.
[24] OASIS XACML Technical Committee, “XACML v3.0 core and hierarchical Role Based Access Control (RBAC) profile version 1.0 (committee specification 02),” http://docs.oasis-open.org/xacml/3.0/rbac/v1.0/xacml-3.0-rbac-v1.0.html, accessed July 2018.
[25] Y. Ghazi, R. Masood, M. A. Shibli, and S. Khurshid, “Usage-based access control for cloud applications,” in Innovative Solutions for Access Control Management, pp. 197–223, 2016.
[26] G. Karjoth, A. Schade, and E. Van Herreweghen, “Implementing ACL-based policies in XACML,” in Proceedings of the 24th Annual Computer Security Applications Conference, ACSAC 2008, pp. 183–192, USA, December 2008.
[27] M. Xu, D. Wijesekera, and X. Zhang, “Towards session-aware RBAC administration and enforcement with XACML,” in Proceedings of the 2009 IEEE International Symposium on Policies for Distributed Systems and Networks, 2009.
[28] X. Jin, R. Krishnan, and R. Sandhu, “A unified attribute-based access control model covering DAC, MAC and RBAC,” Lecture Notes in Computer Science, vol. 7371, pp. 41–55, 2012.
[29] C. D. P. K. Ramli, H. R. Nielson, and F. Nielson, “The logic of XACML,” Science of Computer Programming, vol. 83, pp. 80–105, 2014.
[30] J. Park and R. Sandhu, “The UCONABC usage control model,” ACM Transactions on Information and System Security, vol. 7, no. 1, pp. 128–174, 2004.
Figure 4: Substitute nested PolicySet elements by their contents.

$\mathit{comAlg}$ is the function that evaluates a set of decisions according to the combining algorithm used. Then the decision evaluation of the $\mathit{CPS}$ is

$$[\mathit{CPS}] = \mathit{comAlg}([\mathit{NPS}_1], \ldots, [\mathit{NPS}_n]) \tag{11}$$

And

$$[\mathit{NPS}_i] = \mathit{comAlg}([P_{i1}], \ldots, [P_{i m_i}]) \quad \text{for any } i \in [1 - n] \tag{12}$$

$P_{i1}, \ldots, P_{i m_i}$ are the nested policies for the PolicySet $\mathit{NPS}_i$ and $m_i$ is their number.

Let us prove that

$$[\mathit{CPS}] = \mathit{comAlg}([P_{11}], \ldots, [P_{1 m_1}], \ldots, [P_{n1}], \ldots, [P_{n m_n}]) \tag{13}$$

We use the multivalued approach presented in [29], where they define for each combining algorithm a lattice $(V_6, \le_{CA})$, where $V_6$ is the set $\{\perp, I_d, I_p, I_{dp}, \top_d, \top_p\}$ and the ordering $\le_{CA}$ is defined according to the combining algorithm specification.

So the combining algorithm function applied to a set $S$ of $V_6$ is the least upper bound, the supremum ($\sup$), of $S$.

Then

$$[\mathit{CPS}] = \sup([\mathit{NPS}_1], \ldots, [\mathit{NPS}_n]) = \sup(\sup([P_{11}], \ldots, [P_{1 m_1}]), \ldots, \sup([P_{n1}], \ldots, [P_{n m_n}])) \tag{14}$$

If we have the same combining algorithm, and hence the same ordering, for every $\mathit{NPS}_i$, then

$$\sup(\sup([P_{11}], \ldots, [P_{1 m_1}]), \ldots, \sup([P_{n1}], \ldots, [P_{n m_n}])) = \sup([P_{11}], \ldots, [P_{1 m_1}], \ldots, [P_{n1}], \ldots, [P_{n m_n}]) \tag{15}$$

Then

$$[\mathit{CPS}] = \sup([P_{11}], \ldots, [P_{1 m_1}], \ldots, [P_{n1}], \ldots, [P_{n m_n}]) \tag{16}$$

So if we eliminate all nested PolicySet elements and substitute them by their nested Policy elements, the decision evaluation does not change.
4.5. Merging All Policy Elements into One Policy. Now we prove that all nested Rules can be merged into only one Policy element if all Policy elements have the same combining algorithm. We show that this transformation does not affect the decision evaluation of the container PolicySet.

Proof. Let $\mathit{CPS}$ be the container PolicySet, $\mathit{NP}_i$ for $i \in [1 - n]$ be the nested Policy elements, and $\mathit{NP}$ the resulting nested Policy. All of these elements (the container PolicySet, the nested policies, and the resulting Policy) have an empty Target and the same combining algorithm.

The evaluations of $\mathit{CPS}$, $\mathit{NP}_i$, and $\mathit{NP}$ are

$$[\mathit{CPS}] = \mathit{comAlg}([\mathit{NP}_1], \ldots, [\mathit{NP}_n]) \tag{17}$$

$[\mathit{NP}_i] = \mathit{comAlg}([R_{i1}], \ldots, [R_{i m_i}])$ for any $i \in [1 - n]$, where $R_{i1}, \ldots, R_{i m_i}$ are the nested Rules for the Policy $\mathit{NP}_i$.

$$[\mathit{NP}] = \mathit{comAlg}([R_{11}], \ldots, [R_{1 m_1}], \ldots, [R_{n1}], \ldots, [R_{n m_n}]) \tag{18}$$

We prove that

$$[\mathit{CPS}] = [\mathit{NP}] \tag{19}$$

If we follow the same reasoning as above and we suppose we have the same combining algorithm for all policies, and hence the same ordering, we can prove that

$$[\mathit{CPS}] = \sup([\mathit{NP}_1], \ldots, [\mathit{NP}_n]) = \sup(\sup([R_{11}], \ldots, [R_{1 m_1}]), \ldots, \sup([R_{n1}], \ldots, [R_{n m_n}])) = \sup([R_{11}], \ldots, [R_{1 m_1}], \ldots, [R_{n1}], \ldots, [R_{n m_n}]) = [\mathit{NP}] \tag{20}$$
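An exhaustive check of the flattening step in equations (13)-(16) and (19)-(20), as an added example that is not part of the paper. It implements the XACML 3.0 deny-overrides and permit-overrides rules over the six extended decision values and compares nested against flattened evaluation for every pair of nested elements with up to three children each; it also shows that the equality fails when the nested and container algorithms differ, which is why the proof requires the same combining algorithm. Function and constant names are chosen here for illustration.

```python
from itertools import product

# The six values of V6: NotApplicable, Indeterminate{P}, Indeterminate{D},
# Indeterminate{DP}, Permit, Deny.
NA, IP, ID, IDP, PERMIT, DENY = "NA", "I_p", "I_d", "I_dp", "Permit", "Deny"
V6 = (NA, IP, ID, IDP, PERMIT, DENY)


def deny_overrides(decisions):
    """XACML 3.0 deny-overrides over a collection of extended decisions."""
    ds = set(decisions)
    if DENY in ds:
        return DENY
    if IDP in ds:
        return IDP
    if ID in ds and (IP in ds or PERMIT in ds):
        return IDP
    if ID in ds:
        return ID
    if PERMIT in ds:
        return PERMIT
    if IP in ds:
        return IP
    return NA


def permit_overrides(decisions):
    """XACML 3.0 permit-overrides, the mirror image of deny-overrides."""
    ds = set(decisions)
    if PERMIT in ds:
        return PERMIT
    if IDP in ds:
        return IDP
    if IP in ds and (ID in ds or DENY in ds):
        return IDP
    if IP in ds:
        return IP
    if DENY in ds:
        return DENY
    if ID in ds:
        return ID
    return NA


def nested(outer, inner, groups):
    """[CPS] before flattening: combine each nested element, then the results."""
    return outer([inner(group) for group in groups])


def flat(alg, groups):
    """[CPS] after flattening: combine all children of all nested elements."""
    return alg([d for group in groups for d in group])


def first_counterexample(outer, inner, max_len=3):
    """Return the first pair of child lists where flattening changes the
    decision, or None if nested and flat agree on every pair."""
    child_lists = [c for n in range(max_len + 1) for c in product(V6, repeat=n)]
    for groups in product(child_lists, repeat=2):
        if nested(outer, inner, groups) != flat(outer, groups):
            return groups
    return None


if __name__ == "__main__":
    print("deny/deny    :", first_counterexample(deny_overrides, deny_overrides))
    print("permit/permit:", first_counterexample(permit_overrides, permit_overrides))
    print("deny/permit  :", first_counterexample(deny_overrides, permit_overrides))
```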
5. Mapping from Generic-XACML to XACML Profiles

Once we obtain the Generic-XACML policy, we can reform it into the desired XACML profile. This involves encompassing Rules into policies and PolicySets according to the profile specifications.
[17] S Haguouche and Z Jarir ldquoToward a generic access controlmodelrdquo in Proceedings of the 3rd IEEE World Conference
on Complex Systems WCCS 2015 pp 1ndash6 IEEE MoroccoNovember 2015
[18] R Xu Y Chen E Blasch and G Chen ldquoA federated capability-based access control mechanism for Internet of Things (IoTs)rdquoin Proceedings of the Sensors and Systems for Space ApplicationsXI International Society for Optics and Photonics 2018
[19] L Duan Y Zhang S Chen et al ldquoAutomated policy combina-tion for secure data sharing in cross-organizational collabora-tionsrdquo IEEE Access vol 4 pp 3454ndash3468 2016
[20] G Geethakumari A Negi and V N Sastry ldquoA cross - Domainrole mapping and authorization framework for RBAC in gridsystemsrdquo International Journal of Computer Science and Appli-cation vol 6 no 1 pp 1ndash12 2009
[21] D Preuveneers W Joosen and E Ilie-Zudor ldquoPolicy reconcil-iation for access control in dynamic cross-enterprise collabo-rationsrdquo Enterprise Information Systems vol 12 no 3 pp 279ndash299 2018
[22] C Esposito ldquoInteroperable dynamic and privacy-preservingaccess control for cloud data storage when integrating het-erogeneous organizationsrdquo Journal of Network and ComputerApplications vol 108 pp 124ndash136 2018
[23] OASIS XACMLTechnical Committee ldquoeXtensible Access Con-trol Markup Language (XACML) Version 30rdquo httpdocsoasis-openorgxacml30xacml-30-core-spec-os-enhtml ac-cessed July 2018
[24] OASIS XACMLTechnical Committee ldquoXACML v3 0 core andhierarchical Role Based Access Control (RBAC) profile version10 (committe specification 02)rdquo httpdocsoasis-openorgxacml30rbacv10xacml-30-rbac-v10html accessed July2018
[25] Y Ghazi R Masood M A Shibli and S Khurshid ldquoUsage-based access control for cloud applicationsrdquo in InnovativeSolutions for Access Control Management pp 197ndash223 2016
[26] G Karjoth A Schade and E Van Herreweghen ldquoImplement-ing ACL-based policies in XACMLrdquo in Proceedings of the 24thAnnual Computer Security Applications Conference ACSAC2008 pp 183ndash192 USA December 2008
[27] M Xu D Wijesekera and X Zhang ldquoTowards session-awareRBAC administration and enforcement with XACMLrdquo in Pro-ceedings of the 2009 IEEE International Symposium on Policiesfor Distributed Systems and Networks 2009
[28] X Jin R Krishnan and R Sandhu ldquoA unified attribute-basedaccess control model covering DAC MAC and RBACrdquo LectureNotes in Computer Science vol 7371 pp 41ndash55 2012
[29] C D P K Ramli H R Nielson and F Nielson ldquoThe logic ofXACMLrdquo Science of Computer Programming vol 83 pp 80ndash105 2014
[30] J Park and R Sandhu ldquoThe UCONABC usage control modelrdquoACM Transactions on Information and System Security vol 7no 1 pp 128ndash174 2004
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
specifications. In this section, we describe how to map from Generic-XACML to a specific XACML profile. We follow two main steps:

(1) Reproducing a customized policy that conforms to the profile specifications
(2) Optimizing the resulting policy

For both steps, the kinds of transformations we carry out are as follows:

(i) Inserting container Policy or PolicySet elements having an empty Target element and the same combining algorithm as the initial policy
(ii) Moving constraints that are common between the nested elements from their Targets to the Target of the container element
(iii) Moving the ObligationExpression or AdviceExpression elements that are common between the nested elements to the container element

These transformations do not affect the decision evaluation of the global policy, as proved in Section 4.

5.1. Conformance to Specific Profile

For a generic policy to conform to profile specifications, it is transformed and customized by a specific algorithm that depends on the profile and differs from one profile to another. For illustration purposes, we touch on the RBAC and UCON profiles.

5.1.1. Mapping from Generic-XACML to XACML-RBAC Profile

To translate a policy from Generic-XACML into the XACML-RBAC profile, we follow Algorithm 2.

    Input: Generic-XACML document
    Output: XACML-RBAC document
    Create a root PolicySet in XACML-RBAC document with an empty Target
    For i=1 to rulesnumber do
        Parse Target of rule i in Generic-XACML document
        If Target designates the Subject then
            currentValue=value(Subject)
            Append a role PolicySet with Target designating currentValue for the Subject
            Insert a Permissions PolicySet with an empty Target
            Insert a policy with an empty Target
            RoleRules[]= rule i
            For j=i+1 to rulesnumber do
                Parse Target of rule j
                If value(Subject)= currentValue then
                    RoleRules[]= rule j
            Alter RoleRules Targets: delete constraint about currentValue
            Insert RoleRules into the policy
    Return XACML-RBAC document

Algorithm 2: Mapping from Generic-XACML to XACML-RBAC profile.
In conformance with the XACML-RBAC profile specifications, the resulting document contains a root PolicySet element with an empty Target. The original document is parsed, and the Targets of its Rules are browsed. For each possible value of the Subject, we create a PolicySet element representing a Role and a nested PolicySet element with an empty Target representing the Role permissions. The Target of the PolicySet representing the Role contains a nesting of an AnyOf, an AllOf, and a Match element; the Match element designates the current value of the Subject. Then all Rules containing a Match element that matches the current Subject value are selected and inserted in a Policy element nested in the PolicySet representing permissions. Before the Rules are inserted, their Targets are altered to remove the Match element that designates the current value of the Subject.

Rules containing no Match element that designates a Subject are considered as Rules concerning all Subjects. These Rules are therefore inserted into every PolicySet element representing a role.

Special Case. Algorithm 2 consists of factoring Rules into policies. The factor is a Match element that designates the Subject. This is only possible if Targets are logically expressed as a conjunction of Match elements. If an AnyOf element contains more than one AllOf element, the Target is evaluated as a conjunction of disjunctions of conjunctions of Match elements, and we cannot factorize by Match element. In this case, our algorithm compares the AnyOf element as a whole rather than comparing only the Match element.
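The factoring performed by Algorithm 2 can be checked on a small model. The following Python sketch is an added example, not the authors' implementation: it assumes Targets that are pure conjunctions of Match constraints (the Special Case is out of scope), a deny-overrides combining algorithm at every level, and hypothetical names (Rule, map_to_rbac, mismatches, the constructed sample policy). It maps a generic policy to role PolicySets and compares the decisions before and after over every request in a chosen attribute domain.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Rule:
    effect: str    # "Permit" or "Deny"
    target: tuple  # conjunction of (category, value) Match constraints


def rule(effect, **target):
    return Rule(effect, tuple(sorted(target.items())))


def matches(target, request):
    # An empty Target matches every request; otherwise every Match must hold.
    return all(request.get(cat) == val for cat, val in target)


def deny_overrides(decisions):
    if "Deny" in decisions:
        return "Deny"
    return "Permit" if "Permit" in decisions else "NotApplicable"


def evaluate_flat(rules, request):
    return deny_overrides([r.effect for r in rules if matches(r.target, request)])


def map_to_rbac(rules):
    """Factor rules by Subject value into role PolicySets (Algorithm 2)."""
    roles = []
    for r in rules:
        for cat, val in r.target:
            if cat == "subject" and val not in roles:
                roles.append(val)
    # Rules without a Subject Match concern all Subjects.
    common = [r for r in rules if "subject" not in dict(r.target)]
    root = {"target": (), "role_policy_sets": []}
    for role in roles:
        role_rules = []
        for r in rules:
            if ("subject", role) in r.target:
                # Delete the constraint about the current Subject value.
                stripped = tuple(m for m in r.target if m != ("subject", role))
                role_rules.append(Rule(r.effect, stripped))
        role_rules += common
        root["role_policy_sets"].append({
            "target": (("subject", role),),
            "permissions": {"target": (),
                            "policy": {"target": (), "rules": role_rules}},
        })
    return root


def evaluate_rbac(root, request):
    decisions = []
    for rps in root["role_policy_sets"]:
        if matches(rps["target"], request):
            rules = rps["permissions"]["policy"]["rules"]
            decisions.append(deny_overrides(
                [r.effect for r in rules if matches(r.target, request)]))
    return deny_overrides(decisions)


def mismatches(rules, subjects, resources, actions):
    """Return (request, flat decision, mapped decision) where the two differ."""
    root = map_to_rbac(rules)
    bad = []
    for s, res, act in product(subjects, resources, actions):
        req = {"subject": s, "resource": res, "action": act}
        flat, nested = evaluate_flat(rules, req), evaluate_rbac(root, req)
        if flat != nested:
            bad.append((req, flat, nested))
    return bad


# Constructed sample policy (not from the paper).
GENERIC = [
    rule("Permit", subject="doctor", resource="record", action="read"),
    rule("Permit", subject="doctor", resource="record", action="write"),
    rule("Permit", subject="nurse", resource="record", action="read"),
    rule("Deny", resource="audit-log", action="write"),  # no Subject
]
```

In this model the two forms agree for every Subject value named in the policy. A subject that no Rule names reaches no role PolicySet, so the subject-less Deny Rule yields NotApplicable after mapping; the enforcement point's handling of NotApplicable then decides the outcome.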
5.1.2. Mapping from Generic-XACML to XACML-UCON Profile

The XACML-UCON profile described in [25] is an implementation of the UCONABC model [30] that fulfills XACML specifications and categorizes policies into three types: Authorizations, oBligations, and Conditions. The particularity of UCON is the Continuity of Usage and Mutable Attributes, which are expressed as XACML Obligations within the Policy element. So mapping to the UCON profile consists of categorizing the original Rules into three categories: Authorizations (A), oBligations (B), and Conditions (C). Then each category is divided into two subcategories: pre- (evaluated only once) and ongoing (continuous re-evaluation). So the resulting document will eventually contain six types of Policy: preA, preB, preC, onA, onB, and onC.

    Input: Generic-XACML document
    Output: XACML-UCON document
    create a root PolicySet in XACML-UCON document
    for i=1 to rulesnumber do
        parse Target of rule i in Generic-XACML document
        if exist any element designating Environment attribute then
            if exist obligation specifying the request interval for ongoing control then
                onCRules[]=rule i
            else
                preCRules[]=rule i
        else if exist condition element in rule i then
            if exist obligation specifying the request interval for ongoing control then
                onBRules[]=rule i
            else
                preBRules[]=rule i
        else
            if exist obligation specifying the request interval for ongoing control then
                onARules[]=rule i
            else
                preARules[]=rule i
    if preARules is not empty then
        insert preAPolicy
        insert preARules into preAPolicy
    if onARules is not empty then
        insert onAPolicy
        insert onARules into onAPolicy
    if preBRules is not empty then
        insert preBPolicy
        insert preBRules into preBPolicy
    if onBRules is not empty then
        insert onBPolicy
        insert onBRules into onBPolicy
    if preCRules is not empty then
        insert preCPolicy
        insert preCRules into preCPolicy
    if onCRules is not empty then
        insert onCPolicy
        insert onCRules into onCPolicy
    return XACML-UCON document

Algorithm 3: Mapping from Generic-XACML to XACML-UCON profile.

Algorithm 3 shows how to execute the mapping from Generic-XACML to the XACML-UCON profile. Rules of the original document are parsed. If a Rule contains at least one element that designates or selects an XACML Environment attribute, it is considered a Condition (C). If it contains an XACML Condition element, it is considered an oBligation (B). Otherwise, it is considered an Authorization (A). On the other hand, if the Rule contains an XACML Obligation element with an AttributeAssignment element which specifies the time interval between continuous policy re-evaluations, the Rule is inserted in the resulting document inside an ongoing Policy (onA, onB, or onC). Otherwise, it is inserted inside a pre Policy (preA, preB, or preC).
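An added Python example (not code from the paper) of the rule classification in Algorithm 3, run on a constructed XACML 3.0 policy. It uses the XACML 3.0 policy-side element names ObligationExpression and AttributeAssignmentExpression; the interval AttributeId, the output identifiers and the sample policy are assumptions, and the source Policy is assumed to have an empty Target.

```python
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
ENV = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
XS = "http://www.w3.org/2001/XMLSchema#"
# Assumption: placeholder AttributeId for the re-evaluation interval. Use the
# identifier defined by the UCON profile actually deployed.
INTERVAL_ID = "urn:example:ucon:reevaluation-interval"


def classify(rule_el):
    """Return preA, preB, preC, onA, onB or onC for one <Rule> element."""
    uses_env = any(
        el.get("Category") == ENV
        for tag in ("AttributeDesignator", "AttributeSelector")
        for el in rule_el.iterfind(f".//x:{tag}", NS)
    )
    has_condition = rule_el.find("x:Condition", NS) is not None
    ongoing = any(
        a.get("AttributeId") == INTERVAL_ID
        for a in rule_el.iterfind(
            "x:ObligationExpressions/x:ObligationExpression/"
            "x:AttributeAssignmentExpression", NS)
    )
    # The Environment test comes first, so a Rule with both an Environment
    # attribute and a Condition element is a Condition (C), as in Algorithm 3.
    kind = "C" if uses_env else "B" if has_condition else "A"
    return ("on" if ongoing else "pre") + kind


def map_to_ucon(generic_xml):
    src = ET.fromstring(generic_xml.strip())
    rule_alg = src.get("RuleCombiningAlgId")
    buckets = {}
    for rule_el in src.iterfind("x:Rule", NS):
        buckets.setdefault(classify(rule_el), []).append(rule_el)
    # Containers keep the combining algorithm of the initial policy.
    root = ET.Element(f"{{{XACML}}}PolicySet", {
        "PolicySetId": "ucon-root", "Version": "1.0",
        "PolicyCombiningAlgId":
            rule_alg.replace(":rule-combining-", ":policy-combining-")})
    ET.SubElement(root, f"{{{XACML}}}Target")
    for name in ("preA", "onA", "preB", "onB", "preC", "onC"):
        if name in buckets:  # only non-empty categories get a Policy
            pol = ET.SubElement(root, f"{{{XACML}}}Policy", {
                "PolicyId": name + "Policy", "Version": "1.0",
                "RuleCombiningAlgId": rule_alg})
            ET.SubElement(pol, f"{{{XACML}}}Target")
            pol.extend(buckets[name])
    return root


def summary(policy_set):
    """Map each PolicyId to the RuleIds it contains, in document order."""
    return {p.get("PolicyId"): [r.get("RuleId") for r in p.iterfind("x:Rule", NS)]
            for p in policy_set.iterfind("x:Policy", NS)}


# Constructed sample policy (not from the paper).
SAMPLE = f"""
<Policy xmlns="{XACML}" PolicyId="generic" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="r1" Effect="Permit"><Target/></Rule>
  <Rule RuleId="r2" Effect="Permit"><Target/>
    <Condition><AttributeValue DataType="{XS}boolean">true</AttributeValue></Condition>
  </Rule>
  <Rule RuleId="r3" Effect="Permit">
    <Target><AnyOf><AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="{XS}string">office</AttributeValue>
        <AttributeDesignator Category="{ENV}" AttributeId="urn:example:location"
            DataType="{XS}string" MustBePresent="false"/>
      </Match>
    </AllOf></AnyOf></Target>
    <Condition><AttributeValue DataType="{XS}boolean">true</AttributeValue></Condition>
  </Rule>
  <Rule RuleId="r4" Effect="Permit"><Target/>
    <ObligationExpressions>
      <ObligationExpression ObligationId="urn:example:ucon:ongoing" FulfillOn="Permit">
        <AttributeAssignmentExpression AttributeId="{INTERVAL_ID}">
          <AttributeValue DataType="{XS}integer">30</AttributeValue>
        </AttributeAssignmentExpression>
      </ObligationExpression>
    </ObligationExpressions>
  </Rule>
</Policy>"""
```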
5.2. Optimizing Policies

When mapping from Generic-XACML to any XACML profile, the resulting policy could have redundancies in Target, Advice, or Obligation elements, or a large number of Rules in one Policy element, which makes it costly for the Policy Decision Point in terms of execution time. In this subsection, we propose an algorithm to optimize the resulting policies.
This algorithm (Algorithm 4) consists of regrouping Rules into policies based on common values of attributes in the Target element. Therefore, the algorithm iterates over attribute categories. The attribute categories and their order are selected based on the model (e.g., we follow the order Resource, Action, then Environment for the RBAC model). For each attribute category and for each Policy element, Rules are parsed. If the Rule Target designates the current attribute category, its value is compared with the attribute category value of the other Rules. Rules with equal attribute category values are combined into a sibling Policy (a new Policy having the same parent as the current Policy). Its Target contains a nesting of an AnyOf, an AllOf, and a Match element; the Match element designates the current value of the current attribute category.

    Input: XACML document
    Forall attribute categories do
        Forall Policy elements do
            evaluate rulesnumber of current policy
            If rulesnumber ≥ 2 then    // policy with one rule does not need optimization
                For i=1 to rulesnumber do
                    parse Target of rule i
                    If Target designates current attribute category then
                        CurrentValue=value(attribute category)
                        combinedRules[]= rule i
                        For j=i+1 to rulesnumber do
                            parse Target of rule j
                            If value(attribute category)= CurrentValue then
                                combinedRules[]= rule j
                        If length(combinedRules) ≥ 2 then
                            If length(combinedRules) = rulesnumber then
                                alter Target of current Policy element
                                alter combinedRules Targets
                            Else
                                create sibling policy with Target designating CurrentValue for attr category
                                alter combinedRules Targets
                                move combinedRules to the new sibling policy

Algorithm 4: Optimizing policies.
If a resulting document contains a large number of Policy elements, this algorithm can be extended to combine Policy elements into PolicySet elements with the same instructions.

Other constraints can be added to the algorithm depending on the profile specifications (e.g., the Target of a PolicySet representing a role in the RBAC profile designates only Subject attributes).

Special Case. Similarly to Algorithm 2, if an AnyOf element contains more than one AllOf element, the algorithm compares the AnyOf element as a whole rather than comparing only the Match element.

As for obligations and advice, if all Rules within a Policy element have the same ObligationExpression or the same AdviceExpression element, then this expression is moved to the parent Policy.
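An added Python sketch of Algorithm 4 and the obligation hoisting on a simplified in-memory model (not the authors' code; the dictionary layout, function names and constructed sample policy are assumptions, and Targets are conjunctions only). One choice goes beyond the pseudocode: a sibling Policy copies the Target and obligations of the Policy it is split from, so a constraint hoisted in an earlier pass is not lost. The check compares the set of applicable Rules per request, which fixes the decision under any order-independent combining algorithm.

```python
import copy
from itertools import product


def optimize(policies, categories=("resource", "action", "environment")):
    policies = copy.deepcopy(policies)  # leave the input untouched
    for cat in categories:
        result = []
        for pol in policies:
            result.append(pol)
            total = len(pol["rules"])
            if total < 2:  # a policy with one rule needs no optimization
                continue
            groups = {}
            for r in pol["rules"]:
                if cat in r["target"]:
                    groups.setdefault(r["target"][cat], []).append(r)
            for value, grp in groups.items():
                if len(grp) < 2:
                    continue
                for r in grp:  # alter combinedRules Targets
                    del r["target"][cat]
                if len(grp) == total:
                    # Every rule shares the value: hoist it to the Policy Target.
                    pol["target"][cat] = value
                else:
                    # Move the group to a sibling that inherits the parent Target.
                    ids = {r["id"] for r in grp}
                    pol["rules"] = [r for r in pol["rules"] if r["id"] not in ids]
                    result.append({"target": {**pol["target"], cat: value},
                                   "obligations": pol["obligations"],
                                   "rules": grp})
        policies = [p for p in result if p["rules"]]  # drop emptied policies
    for pol in policies:
        shared = {r["obligations"] for r in pol["rules"]}
        if len(shared) == 1:
            # Identical on every rule (possibly empty): move to the parent Policy.
            pol["obligations"] = pol["obligations"] + shared.pop()
            for r in pol["rules"]:
                r["obligations"] = ()
    return policies


def applies(target, request):
    return all(request.get(cat) == val for cat, val in target.items())


def applicable_rules(policies, request):
    return sorted(r["id"] for p in policies if applies(p["target"], request)
                  for r in p["rules"] if applies(r["target"], request))


def equivalent(before, after, domain):
    """True if both policy lists select the same rules for every request."""
    cats = list(domain)
    for values in product(*(domain[c] for c in cats)):
        request = dict(zip(cats, values))
        if applicable_rules(before, request) != applicable_rules(after, request):
            return False
    return True


# Constructed sample (not from the paper): one Policy with three Rules.
SAMPLE = [{"target": {}, "obligations": (), "rules": [
    {"id": "r1", "target": {"resource": "record", "action": "read"},
     "obligations": ("notify",)},
    {"id": "r2", "target": {"resource": "record", "action": "read",
                            "environment": "office"},
     "obligations": ("notify",)},
    {"id": "r3", "target": {"resource": "record", "action": "write"},
     "obligations": ()},
]}]
DOMAIN = {"resource": ["record", "report"], "action": ["read", "write"],
          "environment": ["office", "home"]}
```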
6. Conclusion and Future Research

In this paper, we propose Access Control in Cross-Organizational coLLABoration (ACCOLLAB), which tackles the problem of heterogeneity of access control models across organizations while respecting the internal access control model of each organization involved in a collaboration.

This solution is based on a mechanism for automatically mapping between policies in different models. We considered the previously proposed ontology-based semantic mapping process to deal with semantic correspondences and focused on syntactic transformations of the heterogeneous policies to propose a complete solution.

This automatic mapping is based on XACML profiles and the generic language Generic-XACML we have defined. Thus, we have given a logic proof for all of the mapping steps.

Thus, our generic access control model ACCOLLAB solves the heterogeneity problem, ensures interoperability across organizations, and maintains the privacy of each collaborating organization.

We are working to implement our mapping algorithms using the XACML implementation Balana; then we are going to complete the implementation of the policy mapping architecture based on WSO2 servers.

Besides that, we intend to extend XACML in order to find equivalences between combining algorithms, so that our proposed mechanism covers heterogeneous combining algorithms.
Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.
Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.
References
[1] R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman, "Role-based access control models," The Computer Journal, vol. 29, no. 2, pp. 38–47, 1996.
[2] R. K. Thomas and R. S. Sandhu, "Task-based authorization controls (TBAC): a family of models for active and enterprise-oriented authorization management," in Database Security XI, IFIP Advances in Information and Communication Technology, pp. 166–181, Springer US, Boston, MA, 1998.
[3] E. Yuan and J. Tong, "Attributed based access control (ABAC) for web services," in Proceedings of the IEEE International Conference on Web Services (ICWS'05), pp. 561–569, IEEE, July 2005.
[4] A. A. E. Kalam, R. E. Baida, P. Balbiani et al., "Organization based access control," in Proceedings of the 4th IEEE International Workshop on Policies for Distributed Systems and Networks, pp. 120–131, 2003.
[5] A. Kalam and Y. El, "Multi-OrBAC: a New Access Control Model for Distributed, Heterogeneous and Collaborative Systems," in Proceedings of the 8th IEEE International Symposium on Systems and Information Security, p. 1, 2006.
[6] A. Kamoun and S. Tazi, "A semantic role-based access control for intra and inter-organization collaboration," in Proceedings of the 23rd IEEE International WETICE Conference, WETICE 2014, pp. 86–91, Italy, June 2014.
[7] W. Zhou and C. Meinel, "Team and task based RBAC access control model," in Proceedings of the 2007 Latin American Network Operations and Management Symposium - LANOMS 2007, pp. 84–94, Brazil, September 2007.
[8] J. Li, J. Zic, N. Oakes, D. Liu, and C. Wang, "Design and evaluation of an integrated collaboration platform for secure information sharing," in Cooperative Design, Visualization, and Engineering, vol. 9929 of Lecture Notes in Computer Science, pp. 185–193, Springer International Publishing, Cham, 2016.
[9] F. Liang, H. Guo, S. Yi, and S. Ma, "A multiple-policy supported attribute-based access control architecture within large-scale device collaboration systems," Journal of Networks, vol. 7, no. 3, pp. 524–531, 2012.
[10] S. Sicari, A. Rizzardi, D. Miorandi, and A. Coen-Porisini, "Dynamic policies in internet of things: enforcement and synchronization," IEEE Internet of Things Journal, vol. 4, no. 6, pp. 2228–2238, 2017.
[11] A. Almutairi, M. Sarfraz, S. Basalamah, W. Aref, and A. Ghafoor, "A distributed access control architecture for cloud computing," IEEE Software, vol. 29, no. 2, pp. 36–44, 2012.
[12] H. Xiang, X. Xia, H. Hu, J. Sang, and C. Ye, "Approaches to access control policy comparison and the inter-domain role mapping problem," Information Technology and Control, vol. 45, no. 3, pp. 278–288, 2016.
[13] Z. Wu and L. Wang, "An innovative simulation environment for cross-domain policy enforcement," Simulation Modelling Practice and Theory, vol. 19, no. 7, pp. 1558–1583, 2011.
[14] Z.-W. Wang, "A generic access control model based on ontology," in Proceedings of the 2010 IEEE International Conference on Wireless Communications, Networking and Information Security, WCNIS 2010, pp. 335–339, China, June 2010.
[15] S. Haguouche and Z. Jarir, "Managing heterogeneous access control models cross-organization," in Proceedings of the International Conference on Risks and Security of Internet and Systems, pp. 222–229, 2015.
[16] S. Haguouche and Z. Jarir, "Generic access control model and semantic mapping between heterogeneous policies," International Journal of Technology Diffusion (IJTD), vol. 9, no. 4, pp. 52–65, 2018.
[17] S. Haguouche and Z. Jarir, "Toward a generic access control model," in Proceedings of the 3rd IEEE World Conference on Complex Systems, WCCS 2015, pp. 1–6, IEEE, Morocco, November 2015.
[18] R. Xu, Y. Chen, E. Blasch, and G. Chen, "A federated capability-based access control mechanism for Internet of Things (IoTs)," in Proceedings of the Sensors and Systems for Space Applications XI, International Society for Optics and Photonics, 2018.
[19] L. Duan, Y. Zhang, S. Chen et al., "Automated policy combination for secure data sharing in cross-organizational collaborations," IEEE Access, vol. 4, pp. 3454–3468, 2016.
[20] G. Geethakumari, A. Negi, and V. N. Sastry, "A cross-domain role mapping and authorization framework for RBAC in grid systems," International Journal of Computer Science and Application, vol. 6, no. 1, pp. 1–12, 2009.
[21] D. Preuveneers, W. Joosen, and E. Ilie-Zudor, "Policy reconciliation for access control in dynamic cross-enterprise collaborations," Enterprise Information Systems, vol. 12, no. 3, pp. 279–299, 2018.
[22] C. Esposito, "Interoperable, dynamic and privacy-preserving access control for cloud data storage when integrating heterogeneous organizations," Journal of Network and Computer Applications, vol. 108, pp. 124–136, 2018.
[23] OASIS XACML Technical Committee, "eXtensible Access Control Markup Language (XACML) Version 3.0," http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html, accessed July 2018.
[24] OASIS XACML Technical Committee, "XACML v3.0 core and hierarchical Role Based Access Control (RBAC) profile version 1.0 (committee specification 02)," http://docs.oasis-open.org/xacml/3.0/rbac/v1.0/xacml-3.0-rbac-v1.0.html, accessed July 2018.
[25] Y. Ghazi, R. Masood, M. A. Shibli, and S. Khurshid, "Usage-based access control for cloud applications," in Innovative Solutions for Access Control Management, pp. 197–223, 2016.
[26] G. Karjoth, A. Schade, and E. Van Herreweghen, "Implementing ACL-based policies in XACML," in Proceedings of the 24th Annual Computer Security Applications Conference, ACSAC 2008, pp. 183–192, USA, December 2008.
[27] M. Xu, D. Wijesekera, and X. Zhang, "Towards session-aware RBAC administration and enforcement with XACML," in Proceedings of the 2009 IEEE International Symposium on Policies for Distributed Systems and Networks, 2009.
[28] X. Jin, R. Krishnan, and R. Sandhu, "A unified attribute-based access control model covering DAC, MAC and RBAC," Lecture Notes in Computer Science, vol. 7371, pp. 41–55, 2012.
[29] C. D. P. K. Ramli, H. R. Nielson, and F. Nielson, "The logic of XACML," Science of Computer Programming, vol. 83, pp. 80–105, 2014.
[30] J. Park and R. Sandhu, "The UCONABC usage control model," ACM Transactions on Information and System Security, vol. 7, no. 1, pp. 128–174, 2004.
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
Security and Communication Networks 11
Input Generic-XACML documentOutput XACML- UCON documentcreate a root PolicySet in XACML-UCON documentfor i=1 to rulesnumber doparse Target of rule i in Generic-XACML document
if exist any element designating Environment attribute thenif exist obligation specifying the request interval for ongoing control thenonCRules[]=rule i
elsepreCRules[]=rule i
else if exist condition element in rule i thenif exist obligation specifying the request interval for ongoing control thenonBRules[]=rule i
elsepreBRules[]=rule i
elseif exist obligation specifying the request interval for ongoing control thenonARules[]=rule i
elsepreARules[]=rule i
if preARules is not empty theninsert preAPolicyinsert preARules into preAPolicy
if onARules is not empty theninsert onAPolicyinsert onARules into onAPolicy
if preBRules is not empty theninsert preBPolicyinsert preBRules into preBPolicy
if onBRules is not empty theninsert onBPolicyinsert onBRules into onBPolicy
if preCRules is not empty theninsert preCPolicyinsert preCRules into preCPolicy
if onCRules is not empty theninsert onCPolicyinsert onCRules into onCPolicy
return XACML-UCON document
Algorithm 3 Mapping from Generic-XACML to XACML-UCON profile
divided into two subcategories pre- (evaluated only once)and ongoing (Continuous re-evaluation) So the resultingdocument will contain eventually six types of Policy preApreB preC onA onB and onC
The Algorithm 3 shows how to execute the mappingfrom Generic-XACML to XACML-UCON profile Rules ofthe original document are parsed So if a Rule containsat least one element that designates or selects an XACMLEnvironment attribute it will be considered as a ConditionC If it contains an XACML Condition element it will beconsidered as an oBligation B Otherwise it will be consideredas anAuthorizationAOn the other hand if the Rule containsan XACMLObligation element with an AttributeAssignmentelement which specifies the time interval between continuouspolicy re-evaluations theRule is inserted in the resulting doc-ument inside an ongoing Policy onA onB or onC Otherwiseit is inserted inside a pre Policy preA preB or preC
52 Optimizing Policies When mapping from Generic-XACML to any XACML profile the resulting policy couldhave redundancies in Target Advice or Obligation elementsor a large number of Rules in one Policy element whichmakes it costly for the Policy Decision Point in term of timeexecution In this subsection we propose an algorithm tooptimize the resulting policies
This algorithm (Algorithm 4) consists of regroupingRules into policies based on common values of attributesin the Target element Therefore the algorithm iterates overattribute categories The attribute categories and their orderare selected based on the model (eg we follow the orderResource Action then Environment for RBAC model) Sofor each attribute category and for each Policy elementRules are parsed Then if the Rule Target designates currentattribute category its value is compared with attribute cate-gory value of other Rules Thus Rules with equal attribute
12 Security and Communication Networks
Input XACML documentForall attribute categories do
Forall Policy elements doevaluate rulesnumber of current policyIf rulesnumber ge 2 then policy with one rule does not need optimizationFor i=1 to rulesnumber do
parse Target of rule iIf Target designates current attribute category then
CurrentValue=value(attribute category)combinedRules[]= rule iFor j=i+1 to rulesnumber do
parse Target of rule jIf value(attribute category)= CurrentValue thencombinedRules[]= rule j
If length(combinedRules) ge 2 thenIf length(combinedRules) = rulesnumber thenalter Target of current Policy elementalter combinedRules Targets
Elsecreate sibling policy with Target designating CurrentValue for attr categoryalter combinedRules Targetsmove combinedRules to the new sibling policy
Algorithm 4 Optimizing policies
category values are combined into a sibling Policy (newPolicyhaving the same parent as the current Policy) Its Target willcontain an imbrication of an AnyOf an AllOf and a MatchelementThe latter designates the current value of the currentcategory of attribute
If a resulting document contains a large number of Policyelements this algorithm can be extended to combine Policyelements into PolicySet elements with the same instructions
Other constraints can be added to the algorithm depend-ing on the profile specifications (eg Target of PolicySetrepresenting a role in RBAC profile designates only Subjectattributes)
Special Case Similarly to Algorithm 2 if an AnyOf elementcontains more than one AllOf element the algorithm willcompare the AnyOf element as a whole rather than compar-ing only the Match element
As for obligations and advices if all Rules within a Policyelement have the same ObligationExpression or the sameAdviceExpression element then this expression is moved tothe parent Policy
6 Conclusion and Future Research
In this paper we propose Access Control in Cross-Or-ganizational coLLABoration (ACCOLLAB) that tackles theproblem of heterogeneity of access control models cross-organizations while respecting the internal access controlmodel of each involved organization in a collaboration
This solution is based on a mechanism for automaticallymapping between policies in different modelsWe consideredthe previously proposed ontology-based semantic mappingprocess to deal with semantic correspondences and focus on
syntactic transformations of the heterogeneous policies topropose a complete solution
This automatic mapping is based on XACML profiles andthe generic languageGeneric-XACMLwehave definedThuswe have given a logic proof for all of the mapping steps
Thus our generic access control model ACCOLLABsolves the heterogeneity problem ensures the interoperabilitycross-organizations andmaintains the privacy of each collab-orating organization
We are working to implement our mapping algorithmsusing the XACML implementation Balana then we aregoing to complete the implementation of the policy mappingarchitecture based on WSO2 servers
Besides that we intend to extend XACML in order tofind equivalence between combining algorithms to makeour proposedmechanism covering heterogeneous combiningalgorithms
Data Availability
The data used to support the findings of this study areavailable from the corresponding author upon request
Conflicts of Interest
The authors declare that there are no conflicts of interestregarding the publication of this paper
References
[1] R S Sandhu E J Coyne H L Feinstein and C E YoumanldquoRole-based access control modelsrdquoThe Computer Journal vol29 no 2 pp 38ndash47 1996
Security and Communication Networks 13
[2] R K Thomas and R S Sandhu ldquoTask-based authorizationcontrols (TBAC) a family of models for active and enterprise-oriented authorization managementrdquo in Database Security XIIFIP Advances in Information and Communication Technol-ogy pp 166ndash181 Springer US Boston MA 1998
[3] E Yuan and J Tong ldquoAttributed based access control (ABAC)for web servicesrdquo in Proceedings of the IEEE InternationalConference on Web Services (ICWSrsquo05) pp 561ndash569 IEEE July2005
[4] A A E Kalam R E Baida P Balbiani et al ldquoOrganizationbased access controlrdquo in Proceedings of the 4th IEEE Inter-national Workshop on Policies for Distributed Systems andNetworks pp 120ndash131 2003
[5] A Kalam and Y El ldquoMulti-OrBAC a New Access ControlModel for Distributed Heterogeneous and Collaborative Sys-temsrdquo in Proceedings of the 8th IEEE International Symposiumon Systems and Information Security p 1 2006
[6] A Kamoun and S Tazi ldquoA semantic role-based access controlfor intra and inter-organization collaborationrdquo in Proceedingsof the 23rd IEEE International WETICE Conference WETICE2014 pp 86ndash91 Italy June 2014
[7] W Zhou and C Meinel ldquoTeam and task based RBAC accesscontrol modelrdquo in Proceedings of the 2007 Latin AmericanNetwork Operations and Management Symposium - LANOMS2007 pp 84ndash94 Brazil September 2007
[8] J Li J Zic N Oakes D Liu and C Wang ldquoDesign andevaluation of an integrated collaboration platform for secureinformation sharingrdquo in Cooperative Design Visualization andEngineering vol 9929 of Lecture Notes in Computer Science pp185ndash193 Springer International Publishing Cham 2016
[9] F Liang H Guo S Yi and S Ma ldquoAmultiple-policy supportedattribute-based access control architecture within large-scaledevice collaboration systemsrdquo Journal of Networks vol 7 no 3pp 524ndash531 2012
[10] S Sicari A Rizzardi D Miorandi and A Coen-PorisinildquoDynamic policies in internet of things enforcement andsynchronizationrdquo IEEE Internet of Things Journal vol 4 no 6pp 2228ndash2238 2017
[11] AAlmutairiM Sarfraz S BasalamahWAref andAGhafoorldquoA distributed access control architecture for cloud computingrdquoIEEE Software vol 29 no 2 pp 36ndash44 2012
[12] H Xiang X Xia H Hu J Sang and C Ye ldquoApproaches toaccess control policy comparison and the inter-domain rolemapping problemrdquo Information Technology and Control vol 45no 3 pp 278ndash288 2016
[13] Z Wu and L Wang ldquoAn innovative simulation environmentfor cross-domain policy enforcementrdquo Simulation ModellingPractice andTheory vol 19 no 7 pp 1558ndash1583 2011
[14] Z-W Wang ldquoA generic access control model based on ontol-ogyrdquo inProceedings of the 2010 IEEE International Conference onWireless Communications Networking and Information SecurityWCNIS 2010 pp 335ndash339 China June 2010
[15] S Haguouche and Z Jarir ldquoManaging heterogeneous accesscontrol models cross-organizationrdquo in Proceedings of the Inter-national Conference on Risks and Security of Internet andSystems pp 222ndash229 2015
[16] S Haguouche and Z Jarir ldquoGeneric access control model andsemantic mapping between heterogeneous policiesrdquo Interna-tional Journal of Technology Diffusion (IJTD) vol 9 no 4 pp52ndash65 2018
[17] S Haguouche and Z Jarir ldquoToward a generic access controlmodelrdquo in Proceedings of the 3rd IEEE World Conference
on Complex Systems WCCS 2015 pp 1ndash6 IEEE MoroccoNovember 2015
[18] R Xu Y Chen E Blasch and G Chen ldquoA federated capability-based access control mechanism for Internet of Things (IoTs)rdquoin Proceedings of the Sensors and Systems for Space ApplicationsXI International Society for Optics and Photonics 2018
[19] L Duan Y Zhang S Chen et al ldquoAutomated policy combina-tion for secure data sharing in cross-organizational collabora-tionsrdquo IEEE Access vol 4 pp 3454ndash3468 2016
[20] G Geethakumari A Negi and V N Sastry ldquoA cross - Domainrole mapping and authorization framework for RBAC in gridsystemsrdquo International Journal of Computer Science and Appli-cation vol 6 no 1 pp 1ndash12 2009
[21] D Preuveneers W Joosen and E Ilie-Zudor ldquoPolicy reconcil-iation for access control in dynamic cross-enterprise collabo-rationsrdquo Enterprise Information Systems vol 12 no 3 pp 279ndash299 2018
[22] C Esposito ldquoInteroperable dynamic and privacy-preservingaccess control for cloud data storage when integrating het-erogeneous organizationsrdquo Journal of Network and ComputerApplications vol 108 pp 124ndash136 2018
[23] OASIS XACMLTechnical Committee ldquoeXtensible Access Con-trol Markup Language (XACML) Version 30rdquo httpdocsoasis-openorgxacml30xacml-30-core-spec-os-enhtml ac-cessed July 2018
[24] OASIS XACMLTechnical Committee ldquoXACML v3 0 core andhierarchical Role Based Access Control (RBAC) profile version10 (committe specification 02)rdquo httpdocsoasis-openorgxacml30rbacv10xacml-30-rbac-v10html accessed July2018
[25] Y Ghazi R Masood M A Shibli and S Khurshid ldquoUsage-based access control for cloud applicationsrdquo in InnovativeSolutions for Access Control Management pp 197ndash223 2016
[26] G Karjoth A Schade and E Van Herreweghen ldquoImplement-ing ACL-based policies in XACMLrdquo in Proceedings of the 24thAnnual Computer Security Applications Conference ACSAC2008 pp 183ndash192 USA December 2008
[27] M Xu D Wijesekera and X Zhang ldquoTowards session-awareRBAC administration and enforcement with XACMLrdquo in Pro-ceedings of the 2009 IEEE International Symposium on Policiesfor Distributed Systems and Networks 2009
[28] X Jin R Krishnan and R Sandhu ldquoA unified attribute-basedaccess control model covering DAC MAC and RBACrdquo LectureNotes in Computer Science vol 7371 pp 41ndash55 2012
[29] C D P K Ramli H R Nielson and F Nielson ldquoThe logic ofXACMLrdquo Science of Computer Programming vol 83 pp 80ndash105 2014
[30] J Park and R Sandhu ldquoThe UCONABC usage control modelrdquoACM Transactions on Information and System Security vol 7no 1 pp 128ndash174 2004
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
12 Security and Communication Networks
Input: XACML document
Forall attribute categories do
    Forall Policy elements do
        evaluate rulesnumber of current policy
        If rulesnumber ≥ 2 then    // policy with one rule does not need optimization
            For i=1 to rulesnumber do
                parse Target of rule i
                If Target designates current attribute category then
                    CurrentValue = value(attribute category)
                    combinedRules[] = rule i
                    For j=i+1 to rulesnumber do
                        parse Target of rule j
                        If value(attribute category) = CurrentValue then
                            combinedRules[] = rule j
                    If length(combinedRules) ≥ 2 then
                        If length(combinedRules) = rulesnumber then
                            alter Target of current Policy element
                            alter combinedRules Targets
                        Else
                            create sibling policy with Target designating CurrentValue for attr category
                            alter combinedRules Targets
                            move combinedRules to the new sibling policy

Algorithm 4: Optimizing policies.
category values are combined into a sibling Policy (a new Policy having the same parent as the current Policy). Its Target will contain a nesting of an AnyOf, an AllOf, and a Match element. The latter designates the current value of the current category of attribute.
If a resulting document contains a large number of Policy elements, this algorithm can be extended to combine Policy elements into PolicySet elements with the same instructions.
Other constraints can be added to the algorithm depending on the profile specifications (e.g., the Target of a PolicySet representing a role in the RBAC profile designates only Subject attributes).
Special Case. Similarly to Algorithm 2, if an AnyOf element contains more than one AllOf element, the algorithm will compare the AnyOf element as a whole rather than comparing only the Match element.
As for obligations and advices, if all Rules within a Policy element have the same ObligationExpression or the same AdviceExpression element, then this expression is moved to the parent Policy.
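The regrouping step of Algorithm 4, together with a decision-equivalence check, as an added Python sketch (not the authors' implementation, which the paper plans on Balana). Assumptions made here: Policy elements sit directly under one PolicySet and carry a Target, matches are string-equal, the sibling Policy inherits the original Policy's Target, the "-split" PolicyId suffix is invented, and the small evaluator uses deny-overrides.

```python
import copy
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}"   # Clark-notation prefix
ANYOF_PATH = f"{NS}Target/{NS}AnyOf"
STR_EQ = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
SAMPLE_ROWS = [("r1", "doctor", "read"), ("r2", "doctor", "write"), ("r3", "nurse", "read")]

def build_policy_set(rows=SAMPLE_ROWS):
    """Constructed input: one Policy of Permit rules, one per (RuleId, role, action) row."""
    policy_set = ET.Element(NS + "PolicySet")
    policy = ET.SubElement(policy_set, NS + "Policy", PolicyId="P1")
    ET.SubElement(policy, NS + "Target")
    for rule_id, role, action in rows:
        rule = ET.SubElement(policy, NS + "Rule", RuleId=rule_id, Effect="Permit")
        target = ET.SubElement(rule, NS + "Target")
        for category, attr_id, value in ((SUBJECT, ROLE, role), (ACTION, ACTION_ID, action)):
            all_of = ET.SubElement(ET.SubElement(target, NS + "AnyOf"), NS + "AllOf")
            match = ET.SubElement(all_of, NS + "Match", MatchId=STR_EQ)
            ET.SubElement(match, NS + "AttributeValue").text = value
            ET.SubElement(match, NS + "AttributeDesignator", Category=category, AttributeId=attr_id)
    return policy_set

def anyof_key(any_of, category):
    """Hashable form of a whole AnyOf, or None if it tests anything outside `category`."""
    all_ofs = []
    for all_of in any_of.findall(NS + "AllOf"):
        matches = []
        for match in all_of.findall(NS + "Match"):
            des = match.find(NS + "AttributeDesignator")
            if des is None or des.get("Category") != category:
                return None
            value = match.findtext(NS + "AttributeValue", "").strip()
            matches.append((match.get("MatchId"), des.get("AttributeId"), value))
        all_ofs.append(tuple(sorted(matches)))
    return tuple(sorted(all_ofs)) or None

def optimize(policy_set, categories):
    """Regroup rules whose Targets share an AnyOf for a category (hoist, or split to a sibling)."""
    for category in categories:
        for policy in policy_set.findall(NS + "Policy"):
            rules = policy.findall(NS + "Rule")
            if len(rules) < 2:                 # a one-rule policy needs no optimization
                continue
            groups = {}                        # AnyOf key -> [(rule, AnyOf element), ...]
            for rule in rules:
                for any_of in rule.findall(ANYOF_PATH):
                    key = anyof_key(any_of, category)
                    if key:
                        groups.setdefault(key, []).append((rule, any_of))
                        break
            for members in [m for m in groups.values() if len(m) >= 2]:
                dest = policy                  # all rules share the value: hoist into this Policy
                if len(members) < len(rules):  # only some do: move them to a new sibling Policy
                    dest = ET.Element(NS + "Policy", dict(policy.attrib))
                    dest.set("PolicyId", f"{policy.get('PolicyId')}-split{len(policy_set)}")
                    dest.append(copy.deepcopy(policy.find(NS + "Target")))
                    policy_set.insert(list(policy_set).index(policy) + 1, dest)
                dest.find(NS + "Target").append(copy.deepcopy(members[0][1]))
                for rule, any_of in members:
                    rule.find(NS + "Target").remove(any_of)
                    if dest is not policy:
                        policy.remove(rule)
                        dest.append(rule)
    return policy_set

def target_ok(elem, request):
    """True when every AnyOf of elem's Target has an AllOf whose Matches all equal the request."""
    def holds(match):
        des = match.find(NS + "AttributeDesignator")
        key = (des.get("Category"), des.get("AttributeId"))
        return request.get(key) == match.findtext(NS + "AttributeValue")
    return all(any(all(holds(m) for m in ao.findall(NS + "Match")) for ao in a.findall(NS + "AllOf"))
               for a in elem.findall(ANYOF_PATH))

def decide(policy_set, request):
    """Deny-overrides across all applicable rules (the combining algorithm assumed for this check)."""
    effects = {r.get("Effect") for p in policy_set.findall(NS + "Policy") if target_ok(p, request)
               for r in p.findall(NS + "Rule") if target_ok(r, request)}
    return next((e for e in ("Deny", "Permit") if e in effects), "NotApplicable")
```

Comparing `decide` on the original and the optimized PolicySet over a set of requests is the regression check to run before deploying a regrouped policy. Moving rules into a sibling Policy changes evaluation order, so policies that use an order-dependent combining algorithm such as first-applicable need that check against their real evaluator.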
6. Conclusion and Future Research
In this paper, we propose Access Control in Cross-Organizational coLLABoration (ACCOLLAB), which tackles the problem of heterogeneity of access control models across organizations while respecting the internal access control model of each organization involved in a collaboration.
This solution is based on a mechanism for automatically mapping between policies in different models. We considered the previously proposed ontology-based semantic mapping process to deal with semantic correspondences and focus on syntactic transformations of the heterogeneous policies to propose a complete solution.
This automatic mapping is based on XACML profiles and the generic language Generic-XACML we have defined. Thus, we have given a logic proof for all of the mapping steps.
Thus, our generic access control model ACCOLLAB solves the heterogeneity problem, ensures cross-organization interoperability, and maintains the privacy of each collaborating organization.
We are working to implement our mapping algorithms using the XACML implementation Balana; then we are going to complete the implementation of the policy mapping architecture based on WSO2 servers.
Besides that, we intend to extend XACML in order to find equivalence between combining algorithms, so that our proposed mechanism covers heterogeneous combining algorithms.
Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.
Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.
References
[1] R S Sandhu E J Coyne H L Feinstein and C E YoumanldquoRole-based access control modelsrdquoThe Computer Journal vol29 no 2 pp 38ndash47 1996
Security and Communication Networks 13
[2] R K Thomas and R S Sandhu ldquoTask-based authorizationcontrols (TBAC) a family of models for active and enterprise-oriented authorization managementrdquo in Database Security XIIFIP Advances in Information and Communication Technol-ogy pp 166ndash181 Springer US Boston MA 1998
[3] E Yuan and J Tong ldquoAttributed based access control (ABAC)for web servicesrdquo in Proceedings of the IEEE InternationalConference on Web Services (ICWSrsquo05) pp 561ndash569 IEEE July2005
[4] A A E Kalam R E Baida P Balbiani et al ldquoOrganizationbased access controlrdquo in Proceedings of the 4th IEEE Inter-national Workshop on Policies for Distributed Systems andNetworks pp 120ndash131 2003
[5] A Kalam and Y El ldquoMulti-OrBAC a New Access ControlModel for Distributed Heterogeneous and Collaborative Sys-temsrdquo in Proceedings of the 8th IEEE International Symposiumon Systems and Information Security p 1 2006
[6] A Kamoun and S Tazi ldquoA semantic role-based access controlfor intra and inter-organization collaborationrdquo in Proceedingsof the 23rd IEEE International WETICE Conference WETICE2014 pp 86ndash91 Italy June 2014
[7] W Zhou and C Meinel ldquoTeam and task based RBAC accesscontrol modelrdquo in Proceedings of the 2007 Latin AmericanNetwork Operations and Management Symposium - LANOMS2007 pp 84ndash94 Brazil September 2007
[8] J Li J Zic N Oakes D Liu and C Wang ldquoDesign andevaluation of an integrated collaboration platform for secureinformation sharingrdquo in Cooperative Design Visualization andEngineering vol 9929 of Lecture Notes in Computer Science pp185ndash193 Springer International Publishing Cham 2016
[9] F Liang H Guo S Yi and S Ma ldquoAmultiple-policy supportedattribute-based access control architecture within large-scaledevice collaboration systemsrdquo Journal of Networks vol 7 no 3pp 524ndash531 2012
[10] S Sicari A Rizzardi D Miorandi and A Coen-PorisinildquoDynamic policies in internet of things enforcement andsynchronizationrdquo IEEE Internet of Things Journal vol 4 no 6pp 2228ndash2238 2017
[11] AAlmutairiM Sarfraz S BasalamahWAref andAGhafoorldquoA distributed access control architecture for cloud computingrdquoIEEE Software vol 29 no 2 pp 36ndash44 2012
[12] H Xiang X Xia H Hu J Sang and C Ye ldquoApproaches toaccess control policy comparison and the inter-domain rolemapping problemrdquo Information Technology and Control vol 45no 3 pp 278ndash288 2016
[13] Z Wu and L Wang ldquoAn innovative simulation environmentfor cross-domain policy enforcementrdquo Simulation ModellingPractice andTheory vol 19 no 7 pp 1558ndash1583 2011
[14] Z-W Wang ldquoA generic access control model based on ontol-ogyrdquo inProceedings of the 2010 IEEE International Conference onWireless Communications Networking and Information SecurityWCNIS 2010 pp 335ndash339 China June 2010
[15] S Haguouche and Z Jarir ldquoManaging heterogeneous accesscontrol models cross-organizationrdquo in Proceedings of the Inter-national Conference on Risks and Security of Internet andSystems pp 222ndash229 2015
[16] S Haguouche and Z Jarir ldquoGeneric access control model andsemantic mapping between heterogeneous policiesrdquo Interna-tional Journal of Technology Diffusion (IJTD) vol 9 no 4 pp52ndash65 2018
[17] S Haguouche and Z Jarir ldquoToward a generic access controlmodelrdquo in Proceedings of the 3rd IEEE World Conference
on Complex Systems WCCS 2015 pp 1ndash6 IEEE MoroccoNovember 2015
[18] R Xu Y Chen E Blasch and G Chen ldquoA federated capability-based access control mechanism for Internet of Things (IoTs)rdquoin Proceedings of the Sensors and Systems for Space ApplicationsXI International Society for Optics and Photonics 2018
[19] L Duan Y Zhang S Chen et al ldquoAutomated policy combina-tion for secure data sharing in cross-organizational collabora-tionsrdquo IEEE Access vol 4 pp 3454ndash3468 2016
[20] G Geethakumari A Negi and V N Sastry ldquoA cross - Domainrole mapping and authorization framework for RBAC in gridsystemsrdquo International Journal of Computer Science and Appli-cation vol 6 no 1 pp 1ndash12 2009
[21] D Preuveneers W Joosen and E Ilie-Zudor ldquoPolicy reconcil-iation for access control in dynamic cross-enterprise collabo-rationsrdquo Enterprise Information Systems vol 12 no 3 pp 279ndash299 2018
[22] C Esposito ldquoInteroperable dynamic and privacy-preservingaccess control for cloud data storage when integrating het-erogeneous organizationsrdquo Journal of Network and ComputerApplications vol 108 pp 124ndash136 2018
[23] OASIS XACMLTechnical Committee ldquoeXtensible Access Con-trol Markup Language (XACML) Version 30rdquo httpdocsoasis-openorgxacml30xacml-30-core-spec-os-enhtml ac-cessed July 2018
[24] OASIS XACMLTechnical Committee ldquoXACML v3 0 core andhierarchical Role Based Access Control (RBAC) profile version10 (committe specification 02)rdquo httpdocsoasis-openorgxacml30rbacv10xacml-30-rbac-v10html accessed July2018
[25] Y Ghazi R Masood M A Shibli and S Khurshid ldquoUsage-based access control for cloud applicationsrdquo in InnovativeSolutions for Access Control Management pp 197ndash223 2016
[26] G Karjoth A Schade and E Van Herreweghen ldquoImplement-ing ACL-based policies in XACMLrdquo in Proceedings of the 24thAnnual Computer Security Applications Conference ACSAC2008 pp 183ndash192 USA December 2008
[27] M Xu D Wijesekera and X Zhang ldquoTowards session-awareRBAC administration and enforcement with XACMLrdquo in Pro-ceedings of the 2009 IEEE International Symposium on Policiesfor Distributed Systems and Networks 2009
[28] X Jin R Krishnan and R Sandhu ldquoA unified attribute-basedaccess control model covering DAC MAC and RBACrdquo LectureNotes in Computer Science vol 7371 pp 41ndash55 2012
[29] C D P K Ramli H R Nielson and F Nielson ldquoThe logic ofXACMLrdquo Science of Computer Programming vol 83 pp 80ndash105 2014
[30] J Park and R Sandhu ldquoThe UCONABC usage control modelrdquoACM Transactions on Information and System Security vol 7no 1 pp 128ndash174 2004
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
Security and Communication Networks 13
[2] R K Thomas and R S Sandhu ldquoTask-based authorizationcontrols (TBAC) a family of models for active and enterprise-oriented authorization managementrdquo in Database Security XIIFIP Advances in Information and Communication Technol-ogy pp 166ndash181 Springer US Boston MA 1998
[3] E Yuan and J Tong ldquoAttributed based access control (ABAC)for web servicesrdquo in Proceedings of the IEEE InternationalConference on Web Services (ICWSrsquo05) pp 561ndash569 IEEE July2005
[4] A A E Kalam R E Baida P Balbiani et al ldquoOrganizationbased access controlrdquo in Proceedings of the 4th IEEE Inter-national Workshop on Policies for Distributed Systems andNetworks pp 120ndash131 2003
[5] A Kalam and Y El ldquoMulti-OrBAC a New Access ControlModel for Distributed Heterogeneous and Collaborative Sys-temsrdquo in Proceedings of the 8th IEEE International Symposiumon Systems and Information Security p 1 2006
[6] A Kamoun and S Tazi ldquoA semantic role-based access controlfor intra and inter-organization collaborationrdquo in Proceedingsof the 23rd IEEE International WETICE Conference WETICE2014 pp 86ndash91 Italy June 2014
[7] W Zhou and C Meinel ldquoTeam and task based RBAC accesscontrol modelrdquo in Proceedings of the 2007 Latin AmericanNetwork Operations and Management Symposium - LANOMS2007 pp 84ndash94 Brazil September 2007
[8] J Li J Zic N Oakes D Liu and C Wang ldquoDesign andevaluation of an integrated collaboration platform for secureinformation sharingrdquo in Cooperative Design Visualization andEngineering vol 9929 of Lecture Notes in Computer Science pp185ndash193 Springer International Publishing Cham 2016
[9] F Liang H Guo S Yi and S Ma ldquoAmultiple-policy supportedattribute-based access control architecture within large-scaledevice collaboration systemsrdquo Journal of Networks vol 7 no 3pp 524ndash531 2012
[10] S Sicari A Rizzardi D Miorandi and A Coen-PorisinildquoDynamic policies in internet of things enforcement andsynchronizationrdquo IEEE Internet of Things Journal vol 4 no 6pp 2228ndash2238 2017
[11] AAlmutairiM Sarfraz S BasalamahWAref andAGhafoorldquoA distributed access control architecture for cloud computingrdquoIEEE Software vol 29 no 2 pp 36ndash44 2012
[12] H Xiang X Xia H Hu J Sang and C Ye ldquoApproaches toaccess control policy comparison and the inter-domain rolemapping problemrdquo Information Technology and Control vol 45no 3 pp 278ndash288 2016
[13] Z Wu and L Wang ldquoAn innovative simulation environmentfor cross-domain policy enforcementrdquo Simulation ModellingPractice andTheory vol 19 no 7 pp 1558ndash1583 2011
[14] Z-W Wang ldquoA generic access control model based on ontol-ogyrdquo inProceedings of the 2010 IEEE International Conference onWireless Communications Networking and Information SecurityWCNIS 2010 pp 335ndash339 China June 2010
[15] S Haguouche and Z Jarir ldquoManaging heterogeneous accesscontrol models cross-organizationrdquo in Proceedings of the Inter-national Conference on Risks and Security of Internet andSystems pp 222ndash229 2015
[16] S Haguouche and Z Jarir ldquoGeneric access control model andsemantic mapping between heterogeneous policiesrdquo Interna-tional Journal of Technology Diffusion (IJTD) vol 9 no 4 pp52ndash65 2018
[17] S Haguouche and Z Jarir ldquoToward a generic access controlmodelrdquo in Proceedings of the 3rd IEEE World Conference
on Complex Systems WCCS 2015 pp 1ndash6 IEEE MoroccoNovember 2015
[18] R Xu Y Chen E Blasch and G Chen ldquoA federated capability-based access control mechanism for Internet of Things (IoTs)rdquoin Proceedings of the Sensors and Systems for Space ApplicationsXI International Society for Optics and Photonics 2018
[19] L Duan Y Zhang S Chen et al ldquoAutomated policy combina-tion for secure data sharing in cross-organizational collabora-tionsrdquo IEEE Access vol 4 pp 3454ndash3468 2016
[20] G Geethakumari A Negi and V N Sastry ldquoA cross - Domainrole mapping and authorization framework for RBAC in gridsystemsrdquo International Journal of Computer Science and Appli-cation vol 6 no 1 pp 1ndash12 2009
[21] D Preuveneers W Joosen and E Ilie-Zudor ldquoPolicy reconcil-iation for access control in dynamic cross-enterprise collabo-rationsrdquo Enterprise Information Systems vol 12 no 3 pp 279ndash299 2018
[22] C Esposito ldquoInteroperable dynamic and privacy-preservingaccess control for cloud data storage when integrating het-erogeneous organizationsrdquo Journal of Network and ComputerApplications vol 108 pp 124ndash136 2018
[23] OASIS XACMLTechnical Committee ldquoeXtensible Access Con-trol Markup Language (XACML) Version 30rdquo httpdocsoasis-openorgxacml30xacml-30-core-spec-os-enhtml ac-cessed July 2018
[24] OASIS XACMLTechnical Committee ldquoXACML v3 0 core andhierarchical Role Based Access Control (RBAC) profile version10 (committe specification 02)rdquo httpdocsoasis-openorgxacml30rbacv10xacml-30-rbac-v10html accessed July2018
[25] Y Ghazi R Masood M A Shibli and S Khurshid ldquoUsage-based access control for cloud applicationsrdquo in InnovativeSolutions for Access Control Management pp 197ndash223 2016
[26] G Karjoth A Schade and E Van Herreweghen ldquoImplement-ing ACL-based policies in XACMLrdquo in Proceedings of the 24thAnnual Computer Security Applications Conference ACSAC2008 pp 183ndash192 USA December 2008
[27] M Xu D Wijesekera and X Zhang ldquoTowards session-awareRBAC administration and enforcement with XACMLrdquo in Pro-ceedings of the 2009 IEEE International Symposium on Policiesfor Distributed Systems and Networks 2009
[28] X Jin R Krishnan and R Sandhu ldquoA unified attribute-basedaccess control model covering DAC MAC and RBACrdquo LectureNotes in Computer Science vol 7371 pp 41ndash55 2012
[29] C D P K Ramli H R Nielson and F Nielson ldquoThe logic ofXACMLrdquo Science of Computer Programming vol 83 pp 80ndash105 2014
[30] J Park and R Sandhu ldquoThe UCONABC usage control modelrdquoACM Transactions on Information and System Security vol 7no 1 pp 128ndash174 2004
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom