An XML-Based Policy Model for Access Control in Web Applications

摘要

Organizational Information Systems (IS) collect, store, and manage personal and business data. Due to regulation laws and to protect the privacy of users, clients, and business partners, these data must be kept private. This paper proposes a model and a mechanism that allows defining access control policies based on the user profile, the time period, the mode and the location from where data can be accessed. The proposed policy model is simple enough to be used by a business manager, yet it has the flexibility to define complex restrictions. At runtime, a protection layer monitors data accesses and enforces existing policies. A prototype tool was implemented to run an experimental evaluation, which showed that the tool is able to enforce access control with minimal performance impact, while assuring scalability both in terms of the number of users and the number of policies.