Easy Expression of Authorisation Policies

Lead Research Organisation: University College London
Department Name: Computer Science

Abstract

The primary purpose of this 20-month project is to allow Grid managers to specify the authorisation policy for access to their Grid computing resources through the use of controlled natural language. The policy tool will parse the policy, interpret it, and store it in its own internal representation, using a model and ontology developed at the start of the research. The policy tool will prompt the manager to clarify any unclear terms (e.g. what is Fred? Is it a filename or a username?), resolve any ambiguities, and once this has been done will print the policy out in similar natural language, using wording as near to the original input language as possible. This will allow the manager to see if the computer has fully understood his policy, but if not, the manager will need to edit his policy and resubmit it, until the computer's version is identical in meaning to his own. Finally, the tool will compile the policy into two existing XML authorization policy languages (XACML and PERMIS) so that the policy can be automatically fed into existing Grid authorization engines (policy decision points). In this way, we can be assured that the policy that is implemented is the one that the manager intended it to be.

Publications

Description: The UCL contribution to the project was to evaluate the authoring tools developed by the project partners at UKC, identify why untrained users struggle with the authoring tool, and identify a route to more accessible access control. We found that natural language support leads to a limited improvement in authoring of correct policies, but takes a significant amount of time. We also found that the root of the problem is that untrained users have difficulty abstracting from specific cases to classes of roles and resources.

Exploitation Route: Access control was traditionally carried out by people with a significant amount of technical expertise: system administrators. Since system administrators are an expensive resource, and the number of resources which need access control protection has been increasing rapidly, access control is now typically handled by people with little or no technical expertise or training. This also applies to consumers, for instance when setting privacy policies on social networking sites. We have built on the findings from this project to study access control problems in a major Critical National Infrastructures company, as part of a TSB-funded project, Trust Economics (2008-2011), and identified ways of providing more flexible access control.

Sectors: Digital/Communication/Information Technologies (including Software)

URL: http://hornbeam.cs.ucl.ac.uk/hcs/projects/eeap.html