Document Type: Original Research Paper


Department of Computer Science, Faculty of Computer Science and Information Technology


Policy evaluation is the process of determining whether a request submitted by a user satisfies the access control policies defined by an organization. Modality conflict (a permit policy and a deny policy both applying to the same request) is one of the main issues in policy evaluation. Existing modality conflict detection approaches do not consider complex condition attributes such as spatial and temporal constraints, and an effective authorization propagation rule is needed to detect the modality conflicts that occur among the applicable policies. This work proposes a modality conflict detection model that identifies the applicable policies during policy evaluation; it supports an authorization propagation rule that investigates the class-subclass relationships between the subject, resource, action, and location of a request and those of a policy. A comparison with previous work shows that considering the condition attributes (i.e. spatial and temporal constraints) affects the decision as to whether a policy is retrieved as applicable, which in turn affects the accuracy of the modality conflict detection process, since the applicable policies retrieved for a request determine which modality conflicts can be detected among them. In conclusion, our proposed solution is more effective than previous work in identifying the applicable policies and detecting modality conflicts.
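To make the abstract's idea concrete, here is an added Python sketch (illustrative code, not the paper's model or its evaluation engine) in which a policy propagates down class-subclass hierarchies of subject, resource, action and location, a temporal constraint is modelled as an hour-of-day window, and a modality conflict is reported when the applicable policies for a request carry both permit and deny. The hierarchies, policies and request values are constructed for the example.

```python
from dataclasses import dataclass

# Constructed class-subclass hierarchies (child -> parent) for each attribute.
HIERARCHY = {
    "subject": {"doctor": "staff", "nurse": "staff", "staff": "user"},
    "resource": {"lab_report": "medical_record", "medical_record": "document"},
    "action": {"read": "access", "write": "access"},
    "location": {"ward_3": "hospital", "icu": "hospital", "hospital": "campus"},
}

def is_subclass(kind, value, ancestor):
    """True if value equals ancestor or reaches it by walking up the hierarchy."""
    while value is not None:
        if value == ancestor:
            return True
        value = HIERARCHY[kind].get(value)
    return False

@dataclass
class Policy:
    pid: str
    effect: str             # "permit" or "deny": the policy's modality
    subject: str
    resource: str
    action: str
    location: str
    hours: tuple = (0, 24)  # temporal constraint: request hour in [start, end)

def applicable(policies, request):
    """Policies whose attributes propagate to the request and whose hours cover it."""
    return [p for p in policies
            if all(is_subclass(k, request[k], getattr(p, k))
                   for k in ("subject", "resource", "action", "location"))
            and p.hours[0] <= request["hour"] < p.hours[1]]

def modality_conflicts(policies, request):
    """IDs of applicable policies carrying both permit and deny; [] if no conflict."""
    app = applicable(policies, request)
    return [p.pid for p in app] if {p.effect for p in app} == {"permit", "deny"} else []

# Constructed policy set: P1 permits staff to access medical records in the
# hospital during working hours; P2 denies nurses writing lab reports anywhere.
POLICIES = [
    Policy("P1", "permit", "staff", "medical_record", "access", "hospital", (8, 18)),
    Policy("P2", "deny", "nurse", "lab_report", "write", "campus"),
]
REQUEST = {"subject": "nurse", "resource": "lab_report", "action": "write",
           "location": "ward_3", "hour": 10}
```

At 10:00 both policies reach the request through the hierarchies and a conflict is reported; the same request at 20:00 falls outside P1's temporal constraint, so only P2 is retrieved and no conflict exists, which is exactly why the condition attributes decide what the detector can see.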

