Attribute Expressions, Policy Tables and Attribute-Based Access Control

Jason Crampton, Conrad Williams

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Attribute-based access control (ABAC) has attracted considerable interest in recent years, prompting the development of the standardized XML-based language XACML. ABAC policies written in languages like XACML have a tree-like structure, where leaf nodes are associated with authorization decisions and non-leaf nodes are associated with decision-combining algorithms. However, it may be difficult in XACML to construct a given policy due to the tree-structured nature of XACML and the way in which combining algorithms are defined. Furthermore, there is limited control over how requests are evaluated with respect to targets.

In this paper, we introduce the notion of an attribute expression, which generalizes the notion of a target, and show how attribute expressions are used to specify policies in tabular form. We demonstrate why representing policies in this manner is convenient, intuitive and flexible for policy authors, and provide a method for automatically compiling policy tables into machine-enforceable policies. Thus, we bridge the gap between a policy representation that is convenient for end-users and a policy that can be enforced by a PDP. We then describe various methods to reduce the size of policy tables.

In addition, we compare our language with XACML, highlighting various shortcomings of XACML and demonstrating how to express XACML policies in a tabular form. We then show how policy tables can be used as leaf nodes in a tree-structured language, providing a modular method for constructing enterprise-wide policies. Finally, we show how attribute expressions and policy tables can be used to make role-based access control and access control lists "attribute-aware".
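The abstract describes policies written as tables whose rows are built from attribute expressions and then compiled into something a PDP can enforce. The following is an added illustration of that idea in Python; it is not the paper's construction and does not reproduce its definitions. The row structure (a map from attribute names to predicates plus a decision), first-applicable row ordering, a default decision of deny, and treating a missing attribute as "row does not apply" are all assumptions made for this example, and the policy table itself is constructed sample data.

```python
# Added example: a minimal tabular ABAC policy and its compilation into a
# decision function. Semantics (first-applicable, default deny, missing
# attribute => row does not apply) are assumptions for this illustration.
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Request = Dict[str, Any]
# An attribute expression is modelled here as a predicate over one attribute value.
AttrExpr = Callable[[Any], bool]


@dataclass(frozen=True)
class Row:
    conditions: Dict[str, AttrExpr]  # attribute name -> attribute expression
    decision: str                    # "permit" or "deny"


def row_matches(row: Row, request: Request) -> bool:
    """A row applies only if every attribute it names is present in the
    request and the corresponding attribute expression holds for its value."""
    for attr, expr in row.conditions.items():
        if attr not in request:      # absent attribute: the row cannot apply
            return False
        if not expr(request[attr]):
            return False
    return True


def evaluate(table: List[Row], request: Request, default: str = "deny") -> str:
    """First-applicable semantics: the first matching row decides; if no row
    matches, the default decision (deny) is returned."""
    for row in table:
        if row_matches(row, request):
            return row.decision
    return default


def compile_table(table: List[Row], default: str = "deny") -> Callable[[Request], str]:
    """Turn a policy table into a single enforceable decision function, so the
    PDP only needs to call one callable per request."""
    rows = list(table)  # snapshot so later edits to the table don't change behaviour
    return lambda request: evaluate(rows, request, default)


# Constructed sample policy table (not from the paper):
#   1. administrators may do anything
#   2. clinicians may access patient records on the ICU ward
#   3. anything else touching patient records is denied
#   (requests matching no row fall through to the default: deny)
TABLE: List[Row] = [
    Row({"role": lambda r: r == "admin"}, "permit"),
    Row({"role": lambda r: r == "clinician",
         "resource": lambda x: x == "record",
         "ward": lambda w: w == "ICU"}, "permit"),
    Row({"resource": lambda x: x == "record"}, "deny"),
]

decide = compile_table(TABLE)

if __name__ == "__main__":
    for req in ({"role": "admin"},
                {"role": "clinician", "resource": "record", "ward": "ICU"},
                {"role": "clinician", "resource": "record", "ward": "ER"},
                {"resource": "record"},
                {"action": "read"}):
        print(req, "->", decide(req))
```

Because every row must name the attributes it depends on, a request that omits an attribute can never be permitted by a row that relies on it; the only way to reach "permit" is to satisfy every expression in some row, which is the property a policy author usually wants from a table like this.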
Original language: English
Title of host publication: SACMAT'17: Proceedings of the 22nd ACM Symposium on Access Control Models and Technologies
Publisher: ACM Press
Pages: 79-90
Number of pages: 12
ISBN (Print): 978-1-4503-4702-0
DOIs
Publication status: Published - 7 Jun 2017