Title :
A Policy Language for Abstraction and Automation in Application-Oriented Access Controls: The Functionality-Based Application Confinement Policy Language
Author :
Schreuders, Z. Cliffe ; Payne, Christian ; McGill, Tanya
Author_Institution :
Sch. of IT, Murdoch Univ., Murdoch, WA, Australia
Abstract :
This paper presents a new policy language, known as functionality-based application confinement policy language (FBAC-PL). FBAC-PL takes a unique approach to expressing application-oriented access control policies. Policies for restricting applications are defined in terms of the features applications provide, by means of parameterised and hierarchical policy abstractions known as functionalities. Policies also include metadata for management and the automation of policy specification. The result is a novel scheme for application confinement policy that reuses, encapsulates and abstracts policy details, and facilitates a priori policy specification: that is, without having to rely solely on learning modes for creating policies to restrict applications. This paper presents the policy language, and illustrates its use with examples. A Linux-based implementation, which uses FBAC-PL, has demonstrated that this approach can overcome policy complexity and usability issues of previous schemes.
Keywords :
authorisation; programming languages; application-oriented access control; functionality-based application confinement policy language; meta data; policy specification; Access control; Automation; Linux; USA Councils; Usability; White spaces; a priori policy specification; application-oriented access control; functionality-based application confinement; policy abstraction; policy usability;
Conference_Titel :
Policies for Distributed Systems and Networks (POLICY), 2011 IEEE International Symposium on
Conference_Location :
Pisa
Print_ISBN :
978-1-4244-9879-6
Electronic_ISBN :
978-0-7695-4330-7
DOI :
10.1109/POLICY.2011.11