A Policy Validation Framework for Enterprise Authorization Specification

Ramaswamy Chandramouli
National Institute of Standards & Technology
USA

Validating an enterprise authorization specification (the document that carries the access control requirements for the various enterprise IT resources) for conformance to enterprise policies requires an out-of-band framework in many situations, since the enforcing access control mechanism does not provide this feature. In this paper we describe one such framework. The framework uses XML to encode the enterprise authorization specification and XML Schema to specify the underlying access control model. The policy requirements are encoded in a constraint specification language called Schematron. The XML Schema of the RBAC model is then augmented with these constraint specifications using an annotation feature that is provided as part of the XML Schema language specification. The conformance of the XML-encoded enterprise authorization specification to the structure of the RBAC model (specified through XML Schema) as well as to the policy requirements (specified through constraints in Schematron) is verified through a Schematron Validator tool. The scope for extending the framework to augment the capabilities of the enforcing access control mechanism to enforce dynamic constraints is also discussed.

Keywords: Role-based Access Control Model, XML Schema, Policy Constraints
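As an added illustration of the three pieces the abstract names (not an artefact from the paper), the following sketch gives an XML Schema for a minimal RBAC model whose xs:appinfo annotation carries a Schematron pattern encoding a static separation-of-duty policy and a referential-integrity check, followed by a constructed authorization instance that is structurally valid yet fails the policy constraint. The element and attribute names, the role names and the ISO Schematron namespace are assumptions of this example, not the paper's.

```xml
<!-- Constructed example, not the paper's own artefacts. Part 1: XML Schema for
     a minimal RBAC model; its xs:appinfo annotation carries a Schematron
     pattern that encodes two policy constraints. -->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:sch="http://purl.oclc.org/dsdl/schematron">
  <xs:annotation><xs:appinfo>
    <sch:pattern id="policy">
      <!-- Static separation of duty: nobody holds purchaser AND approver. -->
      <sch:rule context="user">
        <sch:assert test="not(role[@ref='purchaser'] and role[@ref='approver'])">
          user <sch:value-of select="@id"/>: purchaser and approver conflict</sch:assert>
      </sch:rule>
      <!-- Referential integrity: each role a user holds must be declared. -->
      <sch:rule context="user/role">
        <sch:assert test="@ref = /authorization/roles/role/@name">
          undeclared role <sch:value-of select="@ref"/></sch:assert>
      </sch:rule>
    </sch:pattern>
  </xs:appinfo></xs:annotation>
  <xs:element name="authorization">
    <xs:complexType><xs:sequence>
      <xs:element name="roles"><xs:complexType><xs:sequence>
        <xs:element name="role" maxOccurs="unbounded">
          <xs:complexType><xs:attribute name="name" type="xs:NCName" use="required"/></xs:complexType>
        </xs:element>
      </xs:sequence></xs:complexType></xs:element>
      <xs:element name="users"><xs:complexType><xs:sequence>
        <xs:element name="user" maxOccurs="unbounded"><xs:complexType>
          <xs:sequence>
            <xs:element name="role" maxOccurs="unbounded">
              <xs:complexType><xs:attribute name="ref" type="xs:NCName" use="required"/></xs:complexType>
            </xs:element>
          </xs:sequence>
          <xs:attribute name="id" type="xs:ID" use="required"/>
        </xs:complexType></xs:element>
      </xs:sequence></xs:complexType></xs:element>
    </xs:sequence></xs:complexType>
  </xs:element>
</xs:schema>

<!-- Part 2 (a separate file): an enterprise authorization instance. It is
     structurally valid against the schema above, yet a Schematron validator
     reports the separation-of-duty assert for user "alice". -->
<authorization>
  <roles><role name="purchaser"/><role name="approver"/><role name="auditor"/></roles>
  <users>
    <user id="alice"><role ref="purchaser"/><role ref="approver"/></user>
    <user id="bob"><role ref="auditor"/></user>
  </users>
</authorization>
```

A validator that understands the embedded annotation (or the Schematron pattern extracted from it) flags only the policy violation; plain XML Schema validation alone would accept the instance, which is the gap the framework closes.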
