Overriding of Access Control in XACML

Alqatawna, Ja´far and Rissanen, Erik and Sadighi, Babak (2007) Overriding of Access Control in XACML. In: Proceedings of the Eighth IEEE International Workshop on Policies for Distributed Systems and Networks, 13-15 June 2007, Bologna, Italy.

Full text not available from this repository.


Most access control mechanisms focus on how to define the rights of users in a precise way to prevent any violation of the access control policy of an organization. However, in many cases it is hard to predefine all access needs, or even to express them in machine readable form. One example of such a situation is an emergency case which may not be predictable and would be hard to express as a machine readable condition. Discretionary overriding of access control is one way for handling such hard to define and unanticipated situations where availability is critical. The override mechanism gives the subject of the access control policy the possibility to override a denied decision, and if the subject should confirm the override, the access will be logged for special auditing. XACML, the eXtensible Access Control Markup Language, provides a standardized access control policy language for expressing access control policies. This paper introduces a discretionary overriding mechanism in XACML. We do so by means of XACML obligations and also define a general obligation combining mechanism.

Item Type:Conference or Workshop Item (Paper)
Additional Information:DOI 10.1109/POLICY.2007.31
ID Code:2778
Deposited By:Vicki Carleson
Deposited On:18 Mar 2008
Last Modified:18 Nov 2009 16:14

Repository Staff Only: item control page