Publication
SAC 2016
Conference paper
Detecting indirect conflicts between access control policies
Abstract
Access control policies permit, prohibit or oblige subjects to perform actions on resources. In systems where multiple policies are described, conflicts among such policies can arise. Two policies are in conflict when the fulfillment of one policy violates the other and vice-versa. On the one hand, direct conflicts are detected by observing the overlap of policy elements (i.e., subjects, actions and objects). On the other hand, indirect conflicts can only be detected when implicit relationships between subjects, objects and actions of two policies are analyzed. This paper presents several relationships that can be used between the elements of the policies together with their propagation rules and conflict detection rules. The propagation rules propagate policies applied to an organization, entity or object to other organizations, entities or objects related to it. The conflict rules are used to check for conflicts between pairs of policies by taking into account the relationships between the elements of the policies.
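The distinction between direct and indirect conflicts can be sketched in code. The following is an added illustration, not code or rules from the paper. The containment hierarchies, the modality pairs treated as contradictory, the use of exact equality for "overlap", and all names are assumptions, and action relationships are left out.

```python
from itertools import combinations
from typing import NamedTuple

class Policy(NamedTuple):
    modality: str  # "permit", "prohibit" or "oblige"
    subject: str
    action: str
    obj: str

# Constructed relationships (assumed): child -> the element it belongs to.
SUBJECT_PARENT = {"alice": "engineering", "engineering": "acme"}
OBJECT_PARENT = {"build-server": "datacenter"}
# Assumed contradictory modality pairs.
OPPOSED = ({"permit", "prohibit"}, {"oblige", "prohibit"})

def related(root, parent_of):
    """root plus every element that reaches root through parent_of."""
    found, grew = {root}, True
    while grew:
        new = {c for c, p in parent_of.items() if p in found} - found
        grew = bool(new)
        found |= new
    return found

def propagate(p):
    """Propagation rule: apply p to everything related to its subject/object."""
    return {Policy(p.modality, s, p.action, o)
            for s in related(p.subject, SUBJECT_PARENT)
            for o in related(p.obj, OBJECT_PARENT)}

def contradicts(a, b):
    """Conflict rule: identical subject, action, object; opposed modalities."""
    return a[1:] == b[1:] and {a.modality, b.modality} in OPPOSED

def find_conflicts(policies):
    """Return (i, j, kind) per conflicting pair, kind 'direct' or 'indirect'."""
    out = []
    for (i, a), (j, b) in combinations(enumerate(policies), 2):
        if contradicts(a, b):
            out.append((i, j, "direct"))
        elif any(contradicts(x, y) for x in propagate(a) for y in propagate(b)):
            out.append((i, j, "indirect"))
    return out

POLICIES = [  # constructed sample policies
    Policy("prohibit", "acme", "login", "datacenter"),
    Policy("permit", "alice", "login", "build-server"),
    Policy("prohibit", "alice", "login", "build-server"),
    Policy("permit", "bob", "login", "build-server"),
]
```

Policies 0 and 1 share no element, so an overlap check alone misses them; the conflict appears only after the organization-level prohibition is propagated down to `alice` and `build-server`.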