A Description Logic-based Approach For Access Control Policy Conflict Detection

Posted on: 2011-04-09
Degree: Master
Type: Thesis
Country: China
Candidate: F Huang
Full Text: PDF
GTID: 2178330338476309
Subject: Computer application technology
Abstract/Summary:
As a passive control technique for data security, access control is an effective and well-developed method of protecting resources from unauthorized access by users and related operations. Access control and policy languages need to work in synergy to enable the development of security infrastructures with verifiable security properties for open and dynamic environments. However, policy languages always have limited capacity to support all the properties of an access control model. Furthermore, neither policy languages nor access control models provide any ability to analyze policies, and as applications become more and more sophisticated and intelligent, there may be redundancies and conflicts between policies. This dissertation studies policy representation, redundancy checking, and conflict detection.

Firstly, a method to extend the eXtensible Access Control Markup Language (XACML) using the Web Ontology Language (OWL) is proposed. XACML is regarded as a standard by academia and industry, but it has limited capacity to support the widely applicable role-based access control (RBAC) model, so OWL is introduced to express the role constraints of RBAC. A framework that integrates XACML and OWL is designed; such a framework essentially allows us to decouple the management of constraints from the specification and enforcement of actual XACML policies.

Secondly, a description logic (DL) based approach to policy analysis is proposed. Authorization propagation caused by role hierarchies and resource hierarchies is discussed, along with authorization propagation rules. Further, policy conflicts based on authorization propagation are described exhaustively. From the perspective of knowledge representation and reasoning, a method of describing policies using DL is given, and the design of an access control domain knowledge base is proposed, together with a method for constraint management and conflict detection based on consistency checking of the domain-specific ontology.

Finally, a running example is used to demonstrate the procedures of constraint management and conflict detection based on the DL approach, using the DL reasoning system Racer.
Keywords/Search Tags:access control, OWL, RBAC, Description Logic, XACML, conflict detection