DocumentCode
48262
Title
Automated testing of eXtensible Access Control Markup Language-based access control systems
Author
Bertolino, Antonia ; Daoudagh, Said ; Lonetti, Francesca ; Marchetti, Eda ; Schilders, Louis
Author_Institution
Istituto di Scienza e Tecnologie dell'Informazione 'A. Faedo', CNR via G. Moruzzi 1, 56124 Pisa, Italy
Volume
7
Issue
4
fYear
2013
fDate
Aug-13
Firstpage
203
Lastpage
212
Abstract
The trustworthiness of sensitive data needs to be guaranteed and testing is a common activity among privacy protection solutions, even if quite expensive. Accesses to data and resources are ruled by the policy decision point (PDP), which relies on the eXtensible Access Control Markup Language (XACML) standard language for specifying access rights. In this study, the authors propose a testing strategy for automatically deriving test requests from a XACML policy and describe their pilot experience in test automation using this strategy. Considering a real two-level PDP implemented for health data security, the authors compare the effectiveness of the test plan automatically derived with the one derived by a standard manual testing process.
fLanguage
English
Journal_Title
Software, IET
Publisher
iet
ISSN
1751-8806
Type
jour
DOI
10.1049/iet-sen.2012.0101
Filename
6562943