Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Standards-Based Approach for Supporting Dynamic Access Policies for a Federated Digital Library K. Bhoopalam, K. Maly, F. McCown, R. Mukkamala, M. Zubair.

Published byHoward Merritt Modified over 8 years ago

Similar presentations

Presentation on theme: "A Standards-Based Approach for Supporting Dynamic Access Policies for a Federated Digital Library K. Bhoopalam, K. Maly, F. McCown, R. Mukkamala, M. Zubair."— Presentation transcript:

1 A Standards-Based Approach for Supporting Dynamic Access Policies for a Federated Digital Library K. Bhoopalam, K. Maly, F. McCown, R. Mukkamala, M. Zubair Old Dominion University Norfolk, VA United States of America

2 ICADL 2005Bangkok, Thailand2 Contents Motivation Proposed Access Enforcement Framework Implementation Formal Specification Discussion Conclusion and Future Work

3 ICADL 2005Bangkok, Thailand3 Motivation One of the primary obstacles that keep data providers in Government from joining the federation is the lack of an infrastructure to support content-based access policies. A data provider is more willing to share its metadata with a service provider if it can provide content-based access control, in addition to the traditional access control. The lack of a framework for handling content- based access permissions and provisional actions for digital libraries.

4 ICADL 2005Bangkok, Thailand4 Proposed Access Enforcement Framework User Agent [Browser] 2 3 4 11 12 115 14 1310 7 5 Provisional Action Fulfiller (Pre-Query) Provisional Action Fulfiller (Post-Query) 6 Content-Based Query Builder 8 9 Log File and (or) Mail Server Database User Interface Filter Access Requestor POLICY ENFORCEMENT POINT Resource and Access Policy Directory Policy Engine (XACML PDP) Access Decision Handler FlexibleModularStandards-Based

5 ICADL 2005Bangkok, Thailand5 Proposed Access Enforcement Framework [Text explanation of the figure] (1)The access requestor receives the user’s request via the gateway in any (or among a set of) domain dependent formats. (2) Upon receiving the request, the access requestor fetches the policies required for access evaluation and the necessary information required for request construction from the resource and access policy directory. (3) Then, the access requestor submits the relevant policies and the requests to the PDP. (4)The PDP evaluates the requests against the policies, and provides responses to the access decision handler. (5-13) The access decision handler constructs an access token to store the compendium of the access decisions and invokes the pre-query provisional action fulfiller, the query builder, and the post query provisional action fulfiller to implement content independent provisional actions, fetch content from the digital library and implement content based provisional actions. (14, 15) Finally the access decision handler passes the fetched content and the access token to a user interface filter that renders the content based on the access decisions in the access token (14,15).

6 ICADL 2005Bangkok, Thailand6 Proposed Access Enforcement Framework User Agent [Browser] 2 3 4 11 12 115 14 1310 7 5 Provisional Action Fulfiller (Pre-Query) Provisional Action Fulfiller (Post-Query) 6 Content-Based Query Builder 8 9 Log File and (or) Mail Server Database User Interface Filter Access Requestor POLICY ENFORCEMENT POINT Resource and Access Policy Directory Policy Engine (XACML PDP) Access Decision Handler Modules related to provisional actions are bypassed, if they are not included in the access decision of the Policy Engine

7 ICADL 2005Bangkok, Thailand7 Proposed Access Enforcement Framework User Agent [Browser] 2 3 4 11 12 115 14 1310 7 5 Provisional Action Fulfiller (Pre-Query) Provisional Action Fulfiller (Post-Query) 6 Content-Based Query Builder 8 9 Log File and (or) Mail Server File System User Interface Filter Access Requestor POLICY ENFORCEMENT POINT Resource and Access Policy Directory Policy Engine (ACPL PDP, etc) Access Decision Handler 1.If the data storage format changes, the changes in the system are localized. 2.If a change is made in the policy language, the impact is localized.

8 ICADL 2005Bangkok, Thailand8 Implementation Content Restrictions in XACML using Obligations …. <AttributeAssignment AttributeId="description" DataType="http://www.w3.org/2001/XMLSchema#string"> nuclear:anthrax SELECT FROM WHERE (description NOT LIKE (%nuclear%) OR description NOT LIKE (%anthrax%)) Do not retrieve records that contain “nuclear” or “anthrax” in the description field.

9 ICADL 2005Bangkok, Thailand9 Implementation Content-Based Pre-Query Provisional actions in XACML …. CURRENT_TIMESTAMP <AttributeAssignment AttributeId="subject" DataType="http://www.w3.org/2001/XMLSchema#string"> role:identity Audit (or Log) the time of request, the role and identity of the entity requesting digital library information prior to fetching records from the database.

10 ICADL 2005Bangkok, Thailand10 Implementation Content-Based Post-Query Provisional actions in XACML …. <AttributeAssignment AttributeId="content_description" DataType="http://www.w3.org/2001/XMLSchema#string"> particle physics <AttributeAssignment AttributeId="emailto" DataType="http://www.w3.org/2001/XMLSchema#string"> dlib-admin@cs.odu.edu <AttributeAssignment AttributeId="static body" DataType="http://www.w3.org/2001/XMLSchema#string"> Accessing flagged records. If the description of a record fetched from the database contains “particle physics” in the description column, send an email to dlib-admin@cs.odu.edu with the message body containing the text “Accessing flagged records”dlib-admin@cs.odu.edu

11 ICADL 2005Bangkok, Thailand11 Implementation Policy Editor Label Based Access permissions Content based access permissions on label fields

12 ICADL 2005Bangkok, Thailand12 Formal Specification Content based access control (credentials, labels1, privilege, +) ^ Σ(credentials, label2,restriction-phrase, -) A user with attributes ‘credentials’ is granted the privilege (currently a read permission) on the labels1 of those digital objects which do not have the phrases specified as ‘restriction-phase’ in label2. The ‘Σ’ indicates that content-restrictions can be specified on different labels of a digital object. Content based provisional actions (credentials, labels1, privilege, [+ or -]) ^ Σ(credentials, label2, restriction-phrase, pa) A user with attributes ‘credentials’ is granted or denied the privilege (currently a read permission) on the labels1 of digital objects, and if the digital objects contain the phrases specified in ‘restriction-phase’ for label2, the provisional actions ‘pa’ must be implemented. The ‘Σ’ indicates that content-restrictions can be specified on different labels of a digital object.

13 ICADL 2005Bangkok, Thailand13 Discussion Number of interactions between policy enforcer and policy decision point –End users can have different sets of permissions on the resources provided by different contributors; hence, multiple requests are required to compose the compendium of access privileges. –If the number of resources provided by a contributor is O(K), the number of requests, evaluations and responses that are required to construct a compendium of the end-users access privilege on resources of one contributor is O(K). –The number of requests would be larger if there were more than one permissible action on the resource. This would have introduced another multiplicative factor in the number of requests (and hence evaluations). –that this constraint of XACML would induce substantial delays in high- transaction digital libraries.

14 ICADL 2005Bangkok, Thailand14 Discussion Changing formats –It is necessary for the policy enforcer to translate user assertions available as HTTP request parameters into XACML context requests. –To compose each XACML request, the policy enforcer embeds the user credentials and a resource identifier, which is mutable, within the immutable constructs required for an XACML request context. –The composition of XACML requests and subsequent processing of XACML responses is a computational overhead.

15 ICADL 2005Bangkok, Thailand15 Conclusion and Future Work Conclusion –Designed a framework that provides a sophisticated access paradigm to distributed user groups for distributed digital libraries. –Used declarative languages such as XACML allows for changes in access policies to be effective immediately –Minimizes the cost of changing enforcement code at the resource. –Enforcement actions that need to be written into the source code of the resource are restricted to two places: the presentation layer and the query construction modules Future Work –Investigate the possibility of incorporating the role-based access control on hierarchical roles and subjects using declarative languages like XACML. –Investigate the usage of a canonical set of subject attributes in government and commercial organizations to broaden the usage of our work.

Download ppt "A Standards-Based Approach for Supporting Dynamic Access Policies for a Federated Digital Library K. Bhoopalam, K. Maly, F. McCown, R. Mukkamala, M. Zubair."

Similar presentations

AAA Architecture Use of a AAA Server Application Specification to Support Generic AAA Applications Across a Mesh of Interconnected AAA Servers With Policy.

AAA Architecture Use of a AAA Server Application Specification to Support Generic AAA Applications Across a Mesh of Interconnected AAA Servers With Policy.
0 McLean, VA August 8, 2006 SOA, Semantics and Security.

0 McLean, VA August 8, 2006 SOA, Semantics and Security.
LEAD Portal: a TeraGrid Gateway and Application Service Architecture Marcus Christie and Suresh Marru Indiana University LEAD Project (http://lead.ou.edu)

LEAD Portal: a TeraGrid Gateway and Application Service Architecture Marcus Christie and Suresh Marru Indiana University LEAD Project (
© 2006 Open Grid Forum OGF19 Federated Identity Rule-based data management Wed 11:00 AM Mountain Laurel Thurs 11:00 AM Bellflower.

© 2006 Open Grid Forum OGF19 Federated Identity Rule-based data management Wed 11:00 AM Mountain Laurel Thurs 11:00 AM Bellflower.
Chapter 10: Designing Databases

Chapter 10: Designing Databases
June 22-23, 2005 Technology Infusion Team Committee1 High Performance Parallel Lucene search (for an OAI federation) K. Maly, and M. Zubair Department.

June 22-23, 2005 Technology Infusion Team Committee1 High Performance Parallel Lucene search (for an OAI federation) K. Maly, and M. Zubair Department.
Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.

Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.

XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.
The EC PERMIS Project David Chadwick

The EC PERMIS Project David Chadwick
Architecture & Data Management of XML-Based Digital Video Library System Jacky C.K. Ma Michael R. Lyu.

Architecture & Data Management of XML-Based Digital Video Library System Jacky C.K. Ma Michael R. Lyu.
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
Chapter 9 Database Design

Chapter 9 Database Design
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
Databases & Data Warehouses Chapter 3 Database Processing.

Databases & Data Warehouses Chapter 3 Database Processing.
Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.

Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.
XACML 2.0 in the Enterprise: Use- Cases and Deployment Challenges Prateek Mishra, Frank Villavicencio, Rich Levinson Oracle Identity Management Group 02/07/2006.

XACML 2.0 in the Enterprise: Use- Cases and Deployment Challenges Prateek Mishra, Frank Villavicencio, Rich Levinson Oracle Identity Management Group 02/07/2006.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
● Problem statement ● Proposed solution ● Proposed product ● Product Features ● Web Service ● Delegation ● Revocation ● Report Generation ● XACML 3.0.

● Problem statement ● Proposed solution ● Proposed product ● Product Features ● Web Service ● Delegation ● Revocation ● Report Generation ● XACML 3.0.
Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz

Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz

Similar presentations

Ads by Google