Title :
A language driven approach to multi-system access control
Author :
Davy, Steven ; Barron, Jonathan ; Lei Shi ; Butler, B. ; Jennings, Brendan ; Griffin, K. ; Collins, Ken
Author_Institution :
Telecommun. Software & Syst. Group, Waterford Inst. of Technol., Waterford, Ireland
Abstract :
Resource access control policies for an organization are often derived from best practice standards or from high level business policies. To ensure that access control is enforced effectively, these business policies need to be translated into deployable system configurations or lower level policies for multiple diverse systems. These target policy representations require experts to coordinate and collaborate so that business policies are fully supported. It is difficult and cumbersome to effectively ensure that all access control policies are enforced with the desired effect and in a consistent way, particularly given that there may be many people editing policies and that business policies can change over time. We present a language driven approach that abstracts access control policies into a clear and structured set of rules defined using terms familiar to a non-systems expert, which may then be realized into multiple levels of abstraction. Our proof of concept system uses Language-Driven Development (LDD) techniques to transform high level business policies into device specific policies that can be enforced by multiple access control system types. Our scenario examines the application of access control to instant messaging communications and network server access, two systems with different access control configuration languages.
Keywords :
authorisation; electronic messaging; LDD techniques; access control configuration languages; access control policies; business policies; device specific policies; instant messaging communications; language driven approach; language-driven development; multiple access control system; multisystem access control; network server access; target policy representations; Abstracts; Access control; Knowledge based systems; Ontologies; Organizations
Conference_Title :
Integrated Network Management (IM 2013), 2013 IFIP/IEEE International Symposium on
Conference_Location :
Ghent
Print_ISBN :
978-1-4673-5229-1