07/06/2006: "XACML to VDM API"

Sometime ago we decided amongst our group within NCL (and within the scope of the GOLD project) to do something about the potential inconsistencies that would most certainly rise by allowing all participants of a VO to submit their own access control policies to protect their resources. One can imagine the problems that could arise by having a distributed authorisation policy based on the number of participants within a VO. We therefore built a service which is capable of parsing XACML RBAC policies and translating those to VDM. The resulting document is a VDM formal model which can be validated against such logical inconsinstencies.

The API parses any given number of XACML policies and produces a single VDM document representing the combined set of policies and policy rules as extracted from the XACML files. It is wrapped as a policy verification service that can used for verifying policies prior to placing them in the database. Furthermore, it can be used to verify access control policies against entire workflow descriptions. A BPEL description for example of a workflow would certainly contain information about resource access by some user or role as part of a particular task. Our service enables automatic notification of inconsistencies between policies in domains where processing as well as control of processes is distributed. Using our service runtime problems of workflows could potentially be avoided.

A collague has taken the lead in submitting our experiences in this years FAST conference