Usable authorization policy languages and tools
Moritz Becker, Microsoft Research
Date and time: Thursday 6th December 2007 at 16:00
Location: UG40, School of Computer Science
Host: Mark Ryan
Managing the access control and authorization policy in a distributed, decentralized setting is a challenging task: each collaborating domain sets its own individual policy; these policies may be updated frequently and involve federated delegation, separation of duty and other complex constraints. Many existing authorization mechanisms lack expressiveness, are not formally specified and are hard to use. This talk will give an overview of our work on authorization policy at Microsoft Research Cambridge. I will discuss the design and implementation of SecPAL, a high-level language for specifying and enforcing decentralized authorization policies that strikes a careful balance between syntactic and semantic simplicity, policy expressiveness, and execution efficiency. I will also describe how SecPAL and similar languages can be extended to express policies that depend on and update the state, and algorithms for computing effective permissions and for explaining access denials.