16th Annual Computer Security Applications Conference
December 11-15, 2000
New Orleans, Louisiana

A Policy-Based Access Control Mechanism for Corporate Web

Victoria Ungureanu, Farokh Vesuna & Naftaly H. Minsky
Rutgers University

Current Web technologies use access control lists (ACLs) for enforcing regulations and practices governing businesses today. Having the policy hard-coded into ACLs causes management and security problems which have prevented so far Intranets to achieve their full potential. This paper is about a concrete design of a mechanism that supports policies for regulating access to information via corporate Intranet. This mechanism makes a strict separation between the formal statement of a policy, and its enforcement, the latter being carried out by generic policy engines. The proposed mechanism is easy to deploy, requiring no modifications of current web servers. We provide some preliminary performance results that show that the mechanism is quite affordable, even in its present, experimental stage.

Read Paper Read Paper (in PDF)