Abstract
Attribute-Based Access Control (ABAC) systems use machine-readable rules to make access control decisions. Rules are collected in documents, named policies or policy sets. These are expressed in a specific policy language, such as XACML, ALFA, or SAPL. Within systems implementing the ABAC reference architecture, policy documents are persisted in a Policy Retrieval Point (PRP). This paper addresses the problem of efficiently retrieving the policy documents applicable to a given authorization request (or subscription) from the PRP. Applicability is determined by a specific section of the document, commonly named the target expression. The target expression consists of matching conditions, more precisely Boolean expressions based on request (or subscription) data. This paper presents a novel in-memory data structure that is used to index policy documents. The index allows documents matching a given authorization request to be retrieved more efficiently from a large set of policies. The empirical evaluation demonstrates that the proposed algorithm can reduce policy retrieval time in PRPs by up to 98%, depending on the structure of the policies.
Cite
Heutelbeck, D., Baur, M. L., & Kluba, M. (2021). In-memory policy indexing for policy retrieval points in attribute-based access control. In Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT (pp. 59–70). Association for Computing Machinery. https://doi.org/10.1145/3450569.3463562