|
|
软件学报 2009
Attribute-Based Access Control Policies Composition Algebra
|
Abstract:
The composition of access control policies is the key to determine access control policies for distributed aggregated resource. To regulate policy composition and guarantee its correctness, an algebraic model called APoCA (attribute-based access control policy composition algebra) is proposed for composing access control policy. In APoCA, an authorization relation between entities is described at the attribute level. APoCA fertilizes the existing formal frameworks by taking into account the computation of attribute values. Several examples are given to demonstrate the expressiveness of ApoCA. ApoCA can be used for more complex applications. In addition, access control policies of aggregated resources can be formulated as expressions of the algebra. Several algebraic properties of policy expressions are discussed. It shows that the algebraic properties of policy expressions can be used to verify whether policy composition results meet the protection needs of each party. Furthermore, a translator is devised to convert the policy expressions into logic programs, which provides the basis for the evaluation and application of access control policies for aggregated resources.
