Research On Checking And Digesting Policy Conflicts Under Multi-Policy Environments

Access control technology protects the security of application system by developing a control strategy. Its main purpose is to protect system resources from unauthorized user access, or unauthorized access by legitimate users. However, a number of access control policies may cause different authorization result because they are made for different reasons. These inconsistencies will lead to policy conflicts. If there is a policy conflicts in the system, it will lead to a policy failure. When there are a large number of policy conflicts, much system resources would be expended and even a system crash would happen.Policy conflict has been deeply studied at home and abroad. Most of these studies utilize policy description language to descript the access control policy and resolves issues such as conflict detection and resolution by logistic reasoning. However, these studies always focus on the policy conflict in a single access control model. Sometimes, the policy requirement is more complex and a variety of policies in different access control models are needed. a Policy Conflict Detection and Resolution model under the multi-policy Environments is carefully discussed in this paper. The main propose of the model is to solve the policy conflict detection and resolution problem while the system is controlled by multi-strategy under different access control model. The conflict detection problem is translated to the common connected nodes problem in directed graph model by establishing a subject domain directed graph model and an object domain directed graph model. Then a novel policy conflict resolution method is mentioned, which is the combination of the digestion policies. As a kind of policy conflict, inconsistency conflicts may arise when security policies and availability policies co-exist in a system. An approach for the resolution of inconsistency conflicts based on the priority of policy is proposed. By using this approach, inconsistency conflict could be resolved efficiently and effectively when the number of policies is not very large.Finally the prototype Module of this research which is one part of the tag library supporting multi-policies was completed.