There are two further design issues: 1) the types of access control policies supported by CRAAC, and 2) the access mode that is used to retrieve a policy from its store.
CRAAC recognises three types of access control policies: UA, PA, and resources’ OLoA policies. The UA and PA policies store user-role and role-permission mappings, respectively. These are the fundamental functions of the basic RBAC model. A UA policy is relatively small compared with a PA policy, and it could be stored in a relational database table for efficient retrieval. A PA policy needs to be expressed in a standard access control policy language, due to its relatively big size. In this research, XACML 2.0 [77] is used to express this policy type. However, the architecture is flexible in order to allow any other policy language to be used. CRAAC expresses the UA policy in a 3-tuple format: <Subject, RLoA, Role>, or in an n-tuple format: <Subject, LoA_1, ..., LoA_n, Role>, where n is the number of contextual attributes recognised by the system. The use of the 3-tuple or n-tuple policy format depends on the CRAAC configuration (i.e. mode of working). For example, the 3-tuple expression is used in the RLoA-only mode, whereas the n-tuple is used in the AttributeLoA-only mode.
2 See Subsection 6.5.3 for more detail
3 See Subsection 7.5.2 for more detail
4
CHAPTER 5. CRAAC DESIGN PRELIMINARIES 92
The resources’ OLoA policy specifies the minimum LoA requirement upon which a resource object can be released. This policy is stored in an XML file and is maintained independently from the other two policies. Figure 5.1 depicts a snippet of the resources’ OLoA policy for a “Printer” object. The figure shows the XML file divided into two main elements: OLoA and Individual-OLoA-Set. The OLoA element contains the OLoA specification that the printer requires to be released, regardless of the type, number, or representation of the contextual attributes used. For example, for a subject to cancel the current printing task, the subject has to satisfy a LoA requirement of at least 0.48. In other words, a subject has to satisfy this constraint (i.e. RLoA ≥ 0.48) to gain access to the Printer no matter what contextual attributes the subject has subscribed to. This element (i.e. OLoA) is used in both RLoA-only and Combined modes.
<ResourceObjects>
  <Resource ID="CRAAC:10" Name="Printer">
    <OLoA>
      <LoA-Entry Context-Attribute="NONE" Permission="SwitchOn"><Value>0.04</Value></LoA-Entry>
      <LoA-Entry Context-Attribute="NONE" Permission="SwitchOff"><Value>0.04</Value></LoA-Entry>
      <LoA-Entry Context-Attribute="NONE" Permission="print"><Value>0.70</Value></LoA-Entry>
      <LoA-Entry Context-Attribute="NONE" Permission="CancelCurrentTask"><Value>0.48</Value></LoA-Entry>
    </OLoA>
    <Individual-OLoA-Set>
      <LoA-Entry Context-Attribute="CS" Permission="SwitchOn"><Value>0.02</Value></LoA-Entry>
      <LoA-Entry Context-Attribute="AH" Permission="SwitchOn"><Value>0.03</Value></LoA-Entry>
      <LoA-Entry Context-Attribute="ALoc" Permission="SwitchOn"><Value>0.01</Value></LoA-Entry>
      <LoA-Entry Context-Attribute="eToken" Permission="SwitchOn"><Value>0.03</Value></LoA-Entry>
      <LoA-Entry Context-Attribute="eToken" Permission="SwitchOff"><Value>0.03</Value></LoA-Entry>
      <LoA-Entry Context-Attribute="CS" Permission="SwitchOff"><Value>0.01</Value></LoA-Entry>
      <LoA-Entry Context-Attribute="CS" Permission="FaxIt"><Value>0.24</Value></LoA-Entry>
      <LoA-Entry Context-Attribute="AH" Permission="FaxIt"><Value>0.20</Value></LoA-Entry>
      <LoA-Entry Context-Attribute="eToken" Permission="FaxIt"><Value>0.40</Value></LoA-Entry>
      <LoA-Entry Context-Attribute="CS" Permission="CancelCurrentTask"><Value>0.24</Value></LoA-Entry>
      <LoA-Entry Context-Attribute="AH" Permission="CancelCurrentTask"><Value>0.40</Value></LoA-Entry>
      <LoA-Entry Context-Attribute="eToken" Permission="CancelCurrentTask"><Value>0.50</Value></LoA-Entry>
    </Individual-OLoA-Set>
  </Resource>
</ResourceObjects>
Figure 5.1: Snippet of the Resources’ OLoA Policy
On the other hand, the Individual-OLoA-Set element expresses the Printer’s OLoA requirements in terms of the individual contextual attribute LoA values. This element of the policy is context-aware, since it needs to know the type and the number of the contextual attributes used. This element supports the use of both AttributeLoA-only and Combined modes, since, for example, the AttributeLoA-only mode utilises individual contextual attributes’ LoA values to govern access control decision-making. Table 5.1 summarises which mode of working uses what type of access control policy.
Table 5.1: CRAAC Modes Vs Policy Files Usage

| Mode | UA | PA | Resources’ OLoA: OLoA Element | Resources’ OLoA: Individual-OLoA-Set |
|---|---|---|---|---|
| RLoA-only Mode | ✓ | ✓ | ✓ | ✗ |
| AttributeLoA-only Mode | ✓ | ✓ | ✗ | ✓ |
| Combined Mode | ✓ | ✓ | ✓ | ✓ |
| Basic-RBAC Mode | ✓ | ✓ | ✗ | ✗ |
Two policy retrieval modes are recognised by CRAAC: pull and push modes [78]. In the pull mode, an access control policy is retrieved from the corresponding store on demand. In other words, on receiving an access request, CRAAC opens the corresponding access control policy file, parses it, and verifies the request against the policy rules. In the push mode, on the other hand, the access control policy is pushed into the system before any access request is received. In other words, in this access mode, CRAAC is pre-loaded with the policies when it is initialised. The use of both modes in CRAAC and their implications for CRAAC performance will be reported in Chapters 6 and 7.
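The following sketch is an added example, not code from CRAAC: it parses a policy in the Figure 5.1 layout and applies the LoA check each mode uses according to Table 5.1, once with a pre-loaded (push) policy and once parsing per request (pull). The function names, the deny-on-missing-entry behaviour, and the rule that every attribute listed for a permission must meet its minimum are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a subset of the Figure 5.1 entries for the Printer.
POLICY_XML = """<ResourceObjects><Resource ID="CRAAC:10" Name="Printer">
<OLoA>
 <LoA-Entry Context-Attribute="NONE" Permission="print"><Value>0.70</Value></LoA-Entry>
 <LoA-Entry Context-Attribute="NONE" Permission="CancelCurrentTask"><Value>0.48</Value></LoA-Entry>
</OLoA>
<Individual-OLoA-Set>
 <LoA-Entry Context-Attribute="CS" Permission="CancelCurrentTask"><Value>0.24</Value></LoA-Entry>
 <LoA-Entry Context-Attribute="AH" Permission="CancelCurrentTask"><Value>0.40</Value></LoA-Entry>
 <LoA-Entry Context-Attribute="eToken" Permission="CancelCurrentTask"><Value>0.50</Value></LoA-Entry>
</Individual-OLoA-Set>
</Resource></ResourceObjects>"""

# Policy elements each mode consults, per Table 5.1: (OLoA, Individual-OLoA-Set)
MODE_USES = {"RLoA-only": (True, False), "AttributeLoA-only": (False, True),
             "Combined": (True, True), "Basic-RBAC": (False, False)}

def load_policy(xml_text):
    """Return {resource: {"OLoA": {perm: min}, "Individual": {perm: {attr: min}}}}."""
    policy = {}
    for res in ET.fromstring(xml_text).iter("Resource"):
        entry = policy.setdefault(res.get("Name"), {"OLoA": {}, "Individual": {}})
        for e in res.findall("OLoA/LoA-Entry"):
            entry["OLoA"][e.get("Permission")] = float(e.findtext("Value"))
        for e in res.findall("Individual-OLoA-Set/LoA-Entry"):
            attrs = entry["Individual"].setdefault(e.get("Permission"), {})
            attrs[e.get("Context-Attribute")] = float(e.findtext("Value"))
    return policy

def check_loa(policy, mode, resource, permission, rloa=0.0, attr_loas=None):
    """LoA part of the decision only; UA/PA (RBAC) checks are out of scope."""
    use_oloa, use_individual = MODE_USES[mode]
    res = policy.get(resource, {"OLoA": {}, "Individual": {}})
    if use_oloa:
        need = res["OLoA"].get(permission)
        if need is None or rloa < need:          # assumed: missing entry denies
            return False
    if use_individual:
        need = res["Individual"].get(permission)
        # assumed: missing entry denies; every listed attribute must meet its minimum
        if not need or any((attr_loas or {}).get(a, 0.0) < v for a, v in need.items()):
            return False
    return True

PUSHED = load_policy(POLICY_XML)        # push mode: parsed once at initialisation

def pull_check(*args, **kwargs):        # pull mode: parse the policy on every request
    return check_loa(load_policy(POLICY_XML), *args, **kwargs)
```

In push mode a policy edit is not seen until the policy is loaded again, whereas pull mode pays the parsing cost on every request.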