XACML Policy Profile for Multidomain Network Resource Provisioning and Supporting Authorisation Infrastructure

Policy definition is an important component of the consistent authorisation service infrastructure that could be effectively integrated with the general resource provisioning workflow and network control and management plane. The paper describes the proposed XACML-NRP policy and attributes profile for network resource provisioning. In addition to specifying a set of subject, resource, action attributes that are required for consistent XACML policy definition, the proposed profile allows also handling network path information what is especially important for QoS enforcement. To overcome stateless character of XACML policies, the proposed authorisation infrastructure provides a number of security mechanisms to support such important for NRP functionality as authorisation session and interdomain security context management, simple delegation, conditional authorisation decisions, and policy obligations handling.