Industrial Partners Program (IPP) Seminar


"Scalable, General Purpose Access Control Policy"

Seth Proctor, Sun Microsystems

Thursday, May 8, 2003 at 4:00 P.M.

Lubrano Conference Room

In order to provide good security, one of the issues you must address is authorization. Authorization is, basically, determining whether a given action is allowed. In most systems, these decisions are made using some kind of policy that defines the conditions under which an action is authorized. UNIX file permissions, POSIX ACLS, web server htaccess files, and Java Policy are all examples of policy formats that most of us use (knowingly or otherwise) on a daily basis. When every application and environment has its own policy format, however, people and programs need to understand each of these formats, or need to have tools to manage each kind of policy. Worse still, top-level policies like general corporate or campus regulations can't be managed in one place since different languages and storage locations are often required. This leads to an unmanageable system that can't scale and therefore prevents the effective use of flexible policies. In an attempt to provide a scalable policy solution, this talk will introduce XACML, a general purpose access control policy language that is a new open standard. The language's features, some of which are unique and quite powerful, will be discussed. An open source implementation released by Sun Microsystems Laboratories will also be described. Finally, future directions for both the standard and the implementation will be presented.

Host: Michael Black