A Comparative Study of Specification Models for Autonomic Access Control of Digital Rights
K. Bhoopalam, K. Maly, R. Mukkamala, M. Zubair (Old Dominion University)
D. Kaminsky (IBM, Research Triangle Park)
D. Agrawal (IBM, T. J. Watson)
Nov 2005, DRMTICS2005, Sydney, Australia

Contents
Motivation
Background
Autonomic Cycle for Protection of Access Rights
Application Domain (digital library)
Access Management Architecture
Comparison of XACML and CIM
–Information Model
–Computational Model
–Linkage Model
Conclusion
Motivation
Policy-based models ease the management of access rights for digital information.
Many policy specifications exist (XrML, ODRL) and many more are emerging (XACML, CIM-based ACPL, etc.).
A categorical or structured analysis of emerging specifications is necessary to choose the appropriate specification.
Background: CIM and XACML
The XACML specification uses XML schemas for access-control policies, requests, and decisions.
The CIM Policy Model uses the Meta-Object Facility and the Unified Modeling Language.
–CIM-derived ACPL is used for the comparison.
The XACML and CIM models provide a generic vocabulary to address DRM issues, such as
–user privacy
–fair use
–fee and non-fee based access
Background: Comparison Axes
Information model: how the abstract data model is specified as syntactical elements in the language.
–Provides insight into how it supports various access rights requirements for self-protection.
Computational model: the computational complexity of evaluating an access request against an access policy to guarantee an access decision.
–Provides insight into the kinds of rules for which these models provide low-latency access evaluation.
Linkage model: how these specifications interact with the environment, namely the restrictions they place on the input (access request) and the output (access decision).
–Provides insight into the adaptability of these languages and models to various application domains.
Autonomic Cycle for Protection of Access Rights
Monitor:
1. Receive user attributes
2. Fetch all resource names
3. Compose requests from user attributes and resource names
Analyze:
1. Receive request contexts
2. Evaluate the decision based on the knowledge base
Plan:
1. Receive access decisions
2. Perform provisional actions
3. Sequence the execution of access decisions
Execute:
1. Prepare the user interface or response
2. Serve the response to the user
Knowledge base: Policy
Application Domain (Federated Digital Library)
1. User requests a resource protected by Shibboleth
2. Target and the user's home organization authenticate each other, and the home organization provides user attributes
3. End user gains access to the resource based on the access control specifications provided in the policy (XACML/ACPL)
a. Contributor registers with the Federated Digital Library
b. Contributor manages access policies for user access to its documents
c. Contributor provides the policy in XACML/ACPL-compliant format to the Policy Decision Point
[Architecture figure labels: Contributors (xArchive, CERN, APS); Aggregator; Shibboleth Target; Federated DL & Harvester; Policy Enforcement Point; PDP; Policy Editor; Registration; Shibboleth Origins (CMU, ODU, TWRC; admin classifies users into groups); End-Users / Subscribers (ODU users, CMU users, TWRC users)]
Comparison of XACML and CIM (Information Model)
[Example XACML request figure; visible labels: faculty, odu, author, description, references, Read]
XACML
1. Uses vocabulary from the access control domain
2. Multiple requests are required to gather the compendium of access privileges (one for each resource)
3. The number of requests required increases with the number of operations (read, distribute, etc.) that can be performed
Comparison of XACML and CIM (Information Model)
[Example ACPL rule figure; visible labels: faculty, odu, read]
ACPL
1. Does not use vocabulary from the access control domain, as it is a more generic rule language
2. A single request is sufficient irrespective of the number of resources
3. The number of requests required does not change even if the number of permitted operations increases
Comparison of XACML and CIM (Computational Model)
Boolean expressions in XACML
–Simple Boolean expression in CNF or DNF
–Unconditional Boolean expression
The most commonly used condition is isolated and optimized.
Comparison of XACML and CIM (Computational Model)
Boolean expressions in ACPL
–Unconditional Boolean expression
Does not have optimization for any specific kind of Boolean expression.
Comparison of XACML and CIM (Computational Model)
Conflict resolution in XACML
Conflict resolution is more catered towards access rights and uses vocabulary from access control.
Comparison of XACML and CIM (Computational Model)
Conflict resolution in ACPL
Conflict resolution is accomplished using a simple prioritization.
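As an added example (not code from the paper or from either specification), the following Python resolves one constructed rule set under three real XACML combining algorithms (deny-overrides, permit-overrides, first-applicable, in simplified form) and under the plain priority order the slides attribute to ACPL; the rule set, attribute names and priorities are assumptions.

```python
# Added example, not from the paper or either specification: one constructed rule set
# resolved under three real XACML combining algorithms (simplified) and under a
# plain priority order of the kind the slide attributes to ACPL.
from dataclasses import dataclass

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass
class Rule:
    effect: str      # PERMIT or DENY
    target: object   # callable: request dict -> bool
    priority: int    # used only by the ACPL-style resolver

def applicable(rules, req):
    """Rules whose target matches the request, kept in policy order."""
    return [r for r in rules if r.target(req)]

# XACML-style: Permit/Deny conflicts are settled by the policy's combining algorithm.
def deny_overrides(rules, req):
    effects = {r.effect for r in applicable(rules, req)}
    return DENY if DENY in effects else PERMIT if PERMIT in effects else NOT_APPLICABLE

def permit_overrides(rules, req):
    effects = {r.effect for r in applicable(rules, req)}
    return PERMIT if PERMIT in effects else DENY if DENY in effects else NOT_APPLICABLE

def first_applicable(rules, req):
    matched = applicable(rules, req)
    return matched[0].effect if matched else NOT_APPLICABLE

# ACPL-style: no access-control vocabulary, the highest-priority matching rule wins.
def by_priority(rules, req):
    matched = applicable(rules, req)
    return max(matched, key=lambda r: r.priority).effect if matched else NOT_APPLICABLE

# Constructed policy for the digital-library setting; attribute names are made up.
RULES = [
    Rule(PERMIT, lambda q: q["role"] == "faculty" and q["action"] == "read", 1),
    Rule(DENY,   lambda q: q["org"] != "odu", 5),
    Rule(PERMIT, lambda q: q["role"] == "author", 10),
]

def evaluate_all(req):
    """Decision for one request under each resolver, to show where they diverge."""
    return {"deny-overrides": deny_overrides(RULES, req),
            "permit-overrides": permit_overrides(RULES, req),
            "first-applicable": first_applicable(RULES, req),
            "acpl-priority": by_priority(RULES, req)}
```

A faculty member from outside odu reading a document matches both a Permit and a Deny rule, so the four resolvers split two ways on the same request.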
Comparison of XACML and CIM (Linkage Model)
XACML, in addition to specifying syntax for policies, also specifies syntax for decision requests and decision responses.
–The monitoring phase composes XACML-compliant requests from user attributes that arrive as HTTP request parameters and delivers them to the analysis phase for evaluation.
–The PDP at the analysis phase provides the planning phase with XACML-compliant responses, which need interpretation.
–The existence of a standard, however, fosters interoperability.
The CIM model does not prescribe a format for requests and responses.
–The absence of a specification for input formats, and the provision for multiple input formats by the CIM implementation, eased the task of request and response processing.
–However, in general, the lack of a standard may hinder interoperability.
Conclusion
XACML
–Plus
Capability to represent provisional actions
XML schema ensures interoperability
Lower-latency access evaluation (optimized Boolean evaluation)
Allows specification of resources as XPath artifacts
–Minus
Lack of access to resource hierarchies and delegation
CIM
–Plus
Ability to represent complex actions
Fewer policies need to be managed
Efficient mechanism when simple conditions need to be evaluated to obtain permissions on multiple resources
–Minus
Lack of a standards-based XML schema
Lack of access to resource hierarchies and delegation