SecPAL

From HandWiki

SecPAL is a declarative, logic-based, security policy language that has been developed to support the complex access control requirements of large scale distributed computing environments.[1][2][3][4]

Common access control requirements

Here is a partial-list of some of the challenges that SecPAL addresses:

  • How does an organization establish a fine-grained trust relationship with another organization across organizational boundaries?
  • How does a user delegate a subset of a user’s rights (constrained delegation) to another user residing either in the same organization or in a different organization?
  • How can access control policy be authored and reviewed in a manner that is human readable - allowing auditors and non-technical people to understand such policies?
  • How does an organization support compliance regulations requiring that a system be able to demonstrate exactly why it was that a user was granted access to a resource?
  • How can policies be authored, composed and evaluated in a manner that is efficient, deterministic and tractable?

Architecture

The SecPAL Research homepage includes links to the following papers which describe the architecture of SecPAL at varying levels of abstraction.[5]

  • SecPAL Formal Model ("Design and Semantics of a Decentralized Authorization Language") – Formal description of the abstract types, language semantics and evaluation rules that support deterministic evaluation in efficient time.
  • SecPAL Schema Specification – Specification describing a practical XML based implementation of the formal model targeted at supporting access control requirements of distributed applications
  • .NET Research Implementation of SecPAL – C# implementation, C# samples for common authz patterns, and comprehensive developer documentation and a getting started tutorial

Additional research

  • IEEE Grid 2007 - Fine Grained Access Control Using SecPAL[6]
  • SecPAL for Privacy[7][8]

References

  1. "SecPAL - Microsoft Research". http://research.microsoft.com/en-us/projects/secpal/. 
  2. "Microsoft Building Security Language for Grids". 13 September 2006. https://www.eweek.com/security/microsoft-building-security-language-for-grids/. 
  3. "Microsoft Invites Collaboration with Grid Computing Research". 30 April 2007. https://linuxinsider.com/story/microsoft-invites-collaboration-with-grid-computing-research-57147.html. 
  4. "Access Control in Grid Computing Environments". 7 May 2007. https://www.hpcwire.com/2007/05/07/access_control_in_grid_computing_environments/. 
  5. "Microsoft – Cloud, Computers, Apps & Gaming". http://www.codeplex.com/secpal. 
  6. Marty Humphrey (2007). "Fine-grained access control for GridFTP using SecPAL". 2007 8th IEEE/ACM International Conference on Grid Computing. International Workshop on Grid Computing: IEEE Xplore. pp. 217–225. doi:10.1109/GRID.2007.4354136. ISBN 978-1-4244-1559-5. https://ieeexplore.ieee.org/document/4354136. 
  7. M.Y. Becker (2010). "A Practical Generic Privacy Language". Information Systems Security. ICISS 2010. Lecture Notes in Computer Science. Lecture Notes in Computer Science. 6503. Berlin; Heidelberg: Springer. pp. 125–139. doi:10.1007/978-3-642-17714-9_10. ISBN 978-3-642-17714-9. https://doi.org/10.1007/978-3-642-17714-9_10. 
  8. "S4P: A Generic Language for Specifying Privacy Preferences and Policies". Microsoft. April 2010. https://www.microsoft.com/en-us/research/publication/s4p-a-generic-language-for-specifying-privacy-preferences-and-policies/.