
Research On The Transformation From RBAC-Featured Data Stored In Database To XACML Policy

Posted on: 2008-06-08
Degree: Master
Type: Thesis
Country: China
Candidate: Y Li
Full Text: PDF
GTID: 2178360215990904
Subject: Computer software and theory

Abstract/Summary:
OASIS (Organization for the Advancement of Structured Information Standards) established the XACML (eXtensible Access Control Markup Language) specification, which is designed specifically to express authorization policies and offers extensibility, reusability, distributed management and strong expressive power. The original purpose of XACML was to remove the disparity and arbitrariness in how authorization policies are expressed and to build a general, highly expressive access control language. Old-style Role-Based Access Control (RBAC) systems, whose policy data is usually held in database tables, are still widespread. Expressing policy data as database tables has many shortcomings, however: weak expressive power, poor interaction with other systems, and highly centralized policy management, all of which XACML overcomes easily. As new-style RBAC systems whose policy data is described in XACML become more popular, old-style systems will need to migrate to new-style ones quickly and seamlessly. This requirement inevitably raises a first problem: how to transform RBAC policy data from its database-table form into its XACML form.

To address this problem, this thesis systematically studies the RBAC model, the XACML specification, the RBAC profile of XACML and XSLT/XPath transformation technology, and then proposes the design and implementation of the transformation from the database-table form of RBAC policy data to its XACML form. In addition, with distributed management and fast querying of XACML policies in mind, the thesis studies the design and implementation of an XACML policy storage solution through in-depth research on the LDAP protocol and DSML. Since both the database-table form and the XACML form of the policy data are structured data that can easily be expressed in XML, the thesis mainly uses XSLT/XPath to carry out the transformation between the two forms on the basis of the RBAC model.

For the storage of XACML policies, the thesis proposes two solutions for distributing XACML policy data on an LDAP server. The first is based on the RBAC profile of XACML: for the four types of policy defined in the profile, four corresponding branches are created in the LDAP directory information tree, each branch storing one type of policy, and the whole content of a policy is stored as the value of an attribute of a single entry. The second is based on the XACML policy model: an element of an XACML policy corresponds to an entry in the directory information tree and an attribute corresponds to an attribute value in the directory information tree, so an XACML policy is stored as many entries on the LDAP server, structured as a tree. The thesis also studies the design of an XACML access control system based on the XACML data-flow diagram; the system's policy storage uses the second solution.
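The table-to-policy transformation described above, as an added example that is not the thesis's own code (the thesis uses XSLT/XPath; this is plain Python on the standard library): it builds the Permission PolicySet and Role PolicySet of the XACML 2.0 RBAC profile from constructed rows of a role-permission table and a role-hierarchy table, expressing role inheritance as a PolicySetIdReference from the senior role's PPS to the junior role's PPS. The table layouts and the "PPS:"/"RPS:" identifier scheme are assumptions.

```python
import xml.etree.ElementTree as ET
NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
XS = "http://www.w3.org/2001/XMLSchema#string"
ROLE_ATTR = "urn:oasis:names:tc:xacml:2.0:subject:role"  # role attribute defined by the RBAC profile
MATCH = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
POLICY_ALG = "urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides"
RULE_ALG = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
T = "{%s}" % NS  # Clark-notation prefix for XACML element names
ET.register_namespace("", NS)  # serialize with XACML as the default namespace
# Constructed sample rows standing in for two assumed RBAC tables: role_permission(role, resource, action) and role_hierarchy(senior, junior)
ROLE_PERMS = [("employee", "/reports", "read"), ("manager", "/reports", "write"), ("manager", "/salaries", "read")]
ROLE_HIERARCHY = [("manager", "employee")]
def _match(target, kind, attr_id, value):
    """Append <{kind}s><{kind}><{kind}Match> comparing attribute attr_id with value (kind is Subject, Resource or Action)."""
    m = ET.SubElement(ET.SubElement(ET.SubElement(target, T + kind + "s"), T + kind), T + kind + "Match", MatchId=MATCH)
    ET.SubElement(m, T + "AttributeValue", DataType=XS).text = value
    ET.SubElement(m, T + kind + "AttributeDesignator", AttributeId=attr_id, DataType=XS)

def permission_policyset(role, rows, juniors):
    """Permission <PolicySet> (PPS): one Permit rule per table row; junior roles' PPS are referenced so the senior role inherits them."""
    pps = ET.Element(T + "PolicySet", PolicySetId=f"PPS:{role}", PolicyCombiningAlgId=POLICY_ALG)
    ET.SubElement(pps, T + "Target")  # empty target: a PPS is only reached through the role's RPS
    pol = ET.SubElement(pps, T + "Policy", PolicyId=f"Permissions:{role}", RuleCombiningAlgId=RULE_ALG)
    ET.SubElement(pol, T + "Target")
    for i, (resource, action) in enumerate(rows):
        rule = ET.SubElement(pol, T + "Rule", RuleId=f"{role}:{i}", Effect="Permit")
        target = ET.SubElement(rule, T + "Target")
        _match(target, "Resource", "urn:oasis:names:tc:xacml:1.0:resource:resource-id", resource)
        _match(target, "Action", "urn:oasis:names:tc:xacml:1.0:action:action-id", action)
    for junior in juniors:
        ET.SubElement(pps, T + "PolicySetIdReference").text = f"PPS:{junior}"
    return pps

def role_policyset(role):
    """Role <PolicySet> (RPS): Target matches the subject's role attribute; the body only references the PPS."""
    rps = ET.Element(T + "PolicySet", PolicySetId=f"RPS:{role}", PolicyCombiningAlgId=POLICY_ALG)
    _match(ET.SubElement(rps, T + "Target"), "Subject", ROLE_ATTR, role)
    ET.SubElement(rps, T + "PolicySetIdReference").text = f"PPS:{role}"
    return rps

def transform(role_perms, hierarchy):
    """Group the flat rows by role and return {PolicySetId: serialized XACML policy set}."""
    perms = {}
    for role, resource, action in role_perms:
        perms.setdefault(role, []).append((resource, action))
    out = {}
    for role, rows in perms.items():
        juniors = [junior for senior, junior in hierarchy if senior == role]
        for ps in (permission_policyset(role, rows, juniors), role_policyset(role)):
            out[ps.get("PolicySetId")] = ET.tostring(ps, encoding="unicode")
    return out
```

Each returned document is one XACML policy set, which is the unit the first LDAP storage solution above keeps as a single attribute value; the second solution would instead map every element of these trees to its own entry.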
Keywords/Search Tags: RBAC, XACML, XSLT/XPATH, XACML Policy Transformation, XACML Access Control System