Offline expansion of XACML policies based on P3P metadata

Abstract

In the last few years XML-based access control languages like XACML have been increasingly used for specifying complex policies regulating access to network resources. Today, growing interest in semantic-Web style metadata for describing resources and users is stimulating research on how to express access control policies based on advanced descriptions rather than on single attributes. In this paper, we discuss how standard XACML policies can handle ontology-based resource and subject descriptions based on the standard P3P base data schema. We show that XACML conditions can be transparently expanded according to ontology-based models representing semantics. Our expansion technique greatly reduces the need for online reasoning and decreases the system administrator's effort for producing consistent rules when users' descriptions comprise multiple credentials with redundant attributes. © Springer-Verlag Berlin Heidelberg 2005.