
XACML Policy Integration Algorithms

by Pietro Mazzoleni, Bruno Crispo, Swaminathan Sivasubramanian, Elisa Bertino
ACM Trans Inf Syst Secur (2008)

Abstract

XACML is the OASIS standard language specifically aimed at the specification of authorization policies. While XACML fits well with the security requirements of a single enterprise (even if large and composed by multiple departments), it does not address the requirements of virtual enterprises in which several autonomous subjects collaborate by sharing their resources to provide better services to customers. In this article we highlight such limitation, and we propose an XACML extension, the policy integration algorithms, to address them. In the article we also present the implementation of a system that makes use of the policy integration algorithms to securely replicate information in a P2P-like environment. In our solution, the data replication process considers the policies specified by both the owners of the data shared and the peers sharing data storage.

XACML Policy Integration Algorithms
PIETRO MAZZOLENI
CS Department, University of Milan
BRUNO CRISPO
Vrije Universiteit, Amsterdam and University of Trento
SWAMINATHAN SIVASUBRAMANIAN
Vrije Universiteit, Amsterdam
ELISA BERTINO
Cerias and CS Department, Purdue University
XACML is the OASIS standard language specifically aimed at the specification of authorization policies. While XACML fits well with the security requirements of a single enterprise (even if large and composed of multiple departments), it does not address the requirements of virtual enterprises in which several autonomous subjects collaborate by sharing their resources to provide better services to customers. In this paper we highlight such limitations and we propose an XACML extension, the policy integration algorithms, to address them. In the paper we also present the implementation of a system which makes use of the policy integration algorithms to securely replicate information in a P2P-like environment. In our solution, the data replication process considers the policies specified by both the owners of the data shared and the peers sharing data storage.
Categories and Subject Descriptors: D.4.6 [Security and Protection]: Authorization
Additional Key Words and Phrases: XACML, Security policies integration, Distributed Systems, Web Services, Content Distributed Networks, SOA
1. INTRODUCTION
XACML (eXtensible Access Control Markup Language) [OASIS 2005] is the standard language developed by OASIS for expressing access control (AC) policies [OASIS 2005]. The language proposes an approach to manage AC constraints in large enterprise systems, which often have many policy elements and Points of Enforcement (PoE). The goal of XACML is to provide a common language through which an enterprise can manage all the elements of its security policies for all the components of its information systems. This is because there is an increasing pressure to demonstrate the adoption of "Best Practices" in the protection of information [HIPAA 1996; EU 1995], but today it is virtually impossible to independently manage the configuration of each PoE and to have a complete view of the safeguards in effect throughout the enterprise [OASIS 2005; Anderson 2005a].

In this direction, XACML does not only provide a formalism to specify authorization policies, but it also comprises information useful to take authorization decisions as well as approaches to integrate constraints specified by multiple subjects. In this context, XACML defines some policy combination algorithms, through which a PoE can combine authorization decisions of policies specified by multiple administration entities. An example of a policy combination algorithm is "Deny Override", according to which a set of policies denies a request if at least one of the composing policies denies it.
ACM Journal Name, Vol. V, No. N, Month 20YY, Pages 1{0??.
XACML is a very rich and flexible language; users and security administrators can directly represent, using XACML, a large variety of AC policies. However, XACML has not been built to manage security for systems in which enterprises are dynamically built through the collaboration of multiple independent subjects sharing their resources to provide better services to customers. With the growing popularity of the "service virtualization" business model [HP 2005; IBM 2004; Kusnetzky and Olofson 2004], computation and business processes are no longer constrained within a single administrative domain but distributed across service providers belonging to multiple enterprises. Furthermore, the owner of the data can be different from the parties providing the physical resources (e.g., memory, computing power, and network bandwidth) needed to run them.

In such scenarios, it is reasonable for all entities to independently specify fine-grained authorization constraints to protect their resources. Under these conditions, it is however unclear which entity should be entitled to choose the XACML policy combination algorithm to be used for integrating the policies specified by the various parties. In fact, XACML always assumes the existence of an "enterprise administrator" which can solve conflicts (of policies specified by different entities of the same company) by specifying the proper policy integration algorithm.
To understand the motivation of our research, consider as an example a collaborative Content Distribution Network (CDN) built using a P2P technology and in which subjects can replicate their data in storage made available by third-party resource providers. Examples of real-world systems adopting this model are Lockss [Baker et al. 2005; Lockss] and LionShare [Lionshare; Morr 2004a]. In such systems, both the owner of the data and the owner of the storage can specify their AC policies in XACML. The former can place constraints on where its data can be placed and who can read it, while the latter can place constraints on who can upload and download information from the storage. In this scenario, to take the authorization decision upon a request for accessing some data, both the policy of the Data Owner (DO) and the policy of the Resource Owner (RO) hosting the data need to be combined. However, it is not clear how those XACML policies should be integrated and who, between DO and RO, is entitled to take such a decision. In fact, if DO and RO are autonomous entities, RO might evaluate a request without considering the policies of the DO (with the risk of giving access to requests not authorized by the DO). On the other hand, DO needs to authorize access to its data independently from the RO hosting it.
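To make the point concrete, here is an added example (not code from the paper): a small Python model of two XACML combining algorithms, applied to the DO/RO scenario just described. The policies, attribute names and request values are constructed, and Indeterminate results are left out.

```python
from typing import Callable, Dict, List

PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"
Request = Dict[str, str]
Policy = Callable[[Request], str]


def deny_overrides(policies: List[Policy], req: Request) -> str:
    """XACML deny-overrides: a single Deny wins; Indeterminate is omitted."""
    decisions = [p(req) for p in policies]
    if DENY in decisions:
        return DENY
    return PERMIT if PERMIT in decisions else NA


def permit_overrides(policies: List[Policy], req: Request) -> str:
    """XACML permit-overrides: a single Permit wins; Indeterminate is omitted."""
    decisions = [p(req) for p in policies]
    if PERMIT in decisions:
        return PERMIT
    return DENY if DENY in decisions else NA


# Constructed DO policy: only subjects in the "partner" group may access the
# replicated report; any other subject is explicitly denied.
def data_owner_policy(req: Request) -> str:
    if req["resource"] != "report.pdf":
        return NA
    return PERMIT if req["group"] == "partner" else DENY


# Constructed RO policy: any authenticated subject may download from its storage.
def resource_owner_policy(req: Request) -> str:
    if req["action"] != "download":
        return NA
    return PERMIT if req["authenticated"] == "true" else DENY


def evaluate(algorithm: Callable, req: Request) -> str:
    """Combine both owners' policies with the algorithm the RO's PoE selected."""
    return algorithm([data_owner_policy, resource_owner_policy], req)


# Constructed requests: a guest outside the partner group, and a partner.
GUEST_DOWNLOAD = {"subject": "guest", "group": "none", "authenticated": "true",
                  "resource": "report.pdf", "action": "download"}
PARTNER_DOWNLOAD = dict(GUEST_DOWNLOAD, subject="alice", group="partner")

if __name__ == "__main__":
    for name, alg in (("deny-overrides", deny_overrides),
                      ("permit-overrides", permit_overrides)):
        print(name, evaluate(alg, GUEST_DOWNLOAD), evaluate(alg, PARTNER_DOWNLOAD))
```

With the same two policies, whichever algorithm the RO's enforcement point selects decides whether the guest's download, which the DO denies, is granted.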
Despite some previous works that have applied XACML to distributed environments [Anderson 2004; Lorch et al. 2003; W3C 2003], in this paper we demonstrate that XACML policy combination algorithms are not enough to integrate policies specified by autonomous parties.

In addition, we relax the XACML assumption that all PoEs of an organization are willing and available to enforce any policy (or combination of policies) set by a third party. Again, while such an assumption is reasonable in the case of a single company, this is not the case in scenarios in which PoEs are administered by autonomous parties. For instance, in the CDN scenario just introduced, a RO might not be willing to evaluate policies for each and every DO storing some data in its