Figure 1. Authorization Architecture
XML Access Control aims at providing XML documents with a sophisticated access control model and access control specification language. With this access control technology, the access control policies control how an XML document appears. The policies also insure the document is securely updated as specified by the security programmer.
Suppose there is an online catalog document written in XML that lists available goods sold on the Internet. Consider an access control policy such that only premium members can view the special discount price information in the document. When a regular member views the catalog, any information provided for the premium members should be hidden. XML access control is capable of specifying such fine-grained access control policies for XML documents.
XML Access Control Language (XACL) is an access control policy specification language that is a primary component of XML Access Control technology. Similar to existing policy languages, XACL is a language oriented around triplets of object, subject, and action. The subject primitive allows user IDs, groups and/or role names. The granularity of object reference is as fine as a single element within an XML document. The action primitive consists of four kinds of actions: read, write, create, and delete. Moreover, XACL provides the notion of provisional actions that means provisions attached to the access decision. Suppose a log provisional action is specified in the access control rule of "Alice is allowed to read the salary field". This basically means, "Alice is allowed to read the salary field, provided the access is logged." The provisional authorization model provides more flexibility in specifying access control policies than is possible with traditional object-subject-action based semantics.
Figure 1 shows the architecture of the provisional authorization model. We have two main modules: an access evaluation module and a request execution module. Given an access request to execute an action for a target XML document, an associated policy is enforced as follows:
We describe several usage scenarios for XML access control.
Suppose there is a personnel information system built for the Intranet of a certain company. Each employee has an user account and belongs to one or more organizational groups defined by security administrators. Whenever emplyees make accesses, they are authenticated. The overall system architecture is described in Figure 2. The system is mainly used by the people in the personnel department to browse some private information such as salary information as well as employee names. These personnel data are represented in XML format as ex2_target.xml. Since the salary information is categorized as "private", accesses to those sensitive information must be prevented from unauthorized accesses. Since employee names are classified as a lower security category, they can be accessed from broader set of people. This access control policy is represented as ex2_policy.xml also in XML format.
In this example, each initiator gets different view according to the access control policies and group definitions. XML access control is used to determine whether or not the initiator is allowed to read as fine as a single element within the personnel XML document.
This application simulates a typical review process for academic papers. This example illustrates how the XML access control is applied to a kind of Internet workflow applications that needs information sharing and/or updating among multiple participants who play different roles. The review process can be described as follows:
We simplify the above process and produce a review summary document. The overall system architecture is described in Figure 3. The summary document stores data such as author information and evaluation results. The following summary document (review_target.xml) includes paper submissions from authors Xerces, Stackman, and Dreamer. Each submission consists of <paper_title>, <paper_number>, <author>, <review>, <result>, and <confirmation> fields. The <paper_title>, <paper_number>, and <author> fields stores submission information. The <review> section is used by reviewers. The <result> field is written by chairperson. The <confirmation> field is automatically filled with "checked" when the author first read the result of their submission. These set of policies are described in review_policy.xml.
This scenario is based on the future Web Services world on the Internet. The Web Services provided by the Web services provider are registered in the Broker's repository in XML format. Users can find desirable service descriptions by submitting "find_business" message to the Broker. Broker returns appropriate service descriptions to the requester. The overoall system architecture is described in Figure 4. When returning the service description, the Broker uses the XML access control to enforce the access control policy. In figure 3, the GoodAgency obtains the service description for premium members of the Broker that includes free-dial number (1-800-123-...)while the SosoAgency obtains the service description for normal members.
