Jump to content

SecPAL

From Wikipedia, the free encyclopedia

SecPAL is a declarative, logic-based, security policy language that has been developed to support the complex access control requirements of large scale distributed computing environments.[1][2][3][4]

Common access control requirements

[edit]

Here is a partial-list of some of the challenges that SecPAL addresses:

  • How does an organization establish a fine-grained trust relationship with another organization across organizational boundaries?
  • How does a user delegate a subset of a user’s rights (constrained delegation) to another user residing either in the same organization or in a different organization?
  • How can access control policy be authored and reviewed in a manner that is human readable - allowing auditors and non-technical people to understand such policies?
  • How does an organization support compliance regulations requiring that a system be able to demonstrate exactly why it was that a user was granted access to a resource?
  • How can policies be authored, composed and evaluated in a manner that is efficient, deterministic and tractable?

Architecture

[edit]

The SecPAL Research homepage includes links to the following papers which describe the architecture of SecPAL at varying levels of abstraction.[5]

  • SecPAL Formal Model ("Design and Semantics of a Decentralized Authorization Language") – Formal description of the abstract types, language semantics and evaluation rules that support deterministic evaluation in efficient time.
  • SecPAL Schema Specification – Specification describing a practical XML based implementation of the formal model targeted at supporting access control requirements of distributed applications
  • .NET Research Implementation of SecPAL – C# implementation, C# samples for common authz patterns, and comprehensive developer documentation and a getting started tutorial

Additional research

[edit]
  • IEEE Grid 2007 - Fine Grained Access Control Using SecPAL[6]
  • SecPAL for Privacy[7][8]

References

[edit]
  1. ^ "SecPAL - Microsoft Research". research.microsoft.com. Archived from the original on 28 April 2016. Retrieved 12 January 2022.
  2. ^ "Microsoft Building Security Language for Grids". 13 September 2006.
  3. ^ "Microsoft Invites Collaboration with Grid Computing Research". 30 April 2007.
  4. ^ "Access Control in Grid Computing Environments". 7 May 2007.
  5. ^ "Microsoft – Cloud, Computers, Apps & Gaming". Archived from the original on 2009-11-06.
  6. ^ Marty Humphrey; et al. (2007). "Fine-grained access control for GridFTP using SecPAL" (Conference paper). 2007 8th IEEE/ACM International Conference on Grid Computing. International Workshop on Grid Computing: IEEE Xplore. pp. 217–225. doi:10.1109/GRID.2007.4354136. ISBN 978-1-4244-1559-5. S2CID 14763595.
  7. ^ M.Y. Becker; et al. (2010). "A Practical Generic Privacy Language". In S. Jha; A. Mathuria (eds.). Information Systems Security. ICISS 2010. Lecture Notes in Computer Science. Lecture Notes in Computer Science. Vol. 6503. Berlin; Heidelberg: Springer. pp. 125–139. doi:10.1007/978-3-642-17714-9_10. ISBN 978-3-642-17714-9. S2CID 17197217.
  8. ^ Mo Becker; Alexander Malkis; Laurent Bussard (April 2010). "S4P: A Generic Language for Specifying Privacy Preferences and Policies". Microsoft. Retrieved 14 February 2023.