Managing access control policies using access control spaces
Abstract
We present the concept of an access control space and investigate how it may be useful in managing access control policies. An access control space represents the permission assignment state of a subject. We identify subspaces that have meaningful semantics. For example, the set permissions explicitly assigned to a subject defines its specified subspace, and constraints define the prohibited subspace. In analyzing these subspaces, we identify two problems: (1) often a significant portion of the access control space has unknown assignment semantics, meaning that it is not defined whether an assignment in this space should be permitted or not, and (2) often high-level assignments and constraints that are easily understood result in conflicts where permissions are both specified and prohibited. To solve these problems, we have developed a tool, called Gokyo, that enables definition and analysis of access control spaces. Gokyo computes the unknown subspace to show system administrators the ambiguous region and enable them to reduce it. Gokyo identifies conflicting subspaces and enables system administrators to handle subspaces as exceptions, if desired. We demonstrate the utility of Gokyo by analyzing a web server policy example.