Access Domain-Based Approach for Anomaly Detection and Resolution in XACML Policies

摘要

Access control protects systems' resources against unauthorized access via a set of policy rules. In distributed environments, access control policies might be aggregated from multiple tenants and could be managed by more than one administrator. Therefore, errors in the rules definitions may compromise the system security by leading to unauthorized access or denying authorized access. This may result into anomalies, i.e. conflicting rules and redundant rules. In this paper, we propose an approach to detect and resolve anomalies in XACML (eXtensible Access Control Markup Language) policies. We introduce the concept of a rule access domain, which is used to accurately identify and resolve policy anomalies.