Dynamic obligation specification and negotiation

OASIS XACML has become a recognized standard for the specification of access control policies, and has specified a generic framework for access control. While the XACML policy language is very flexible for access privileges, there is currently no method to specify the obligations send from a policy decision point (PDP) to a policy enforcement point (PEP) in a generic way. Potential conflicts between obligations are not even considered in the language specification, thus no generic detection of these conflicts is possible. But this becomes an important aspect in a distributed environment like SaaS, in which the policies and their enforcement are not coordinated by a single entity. In this paper we will present a dynamic obligation specification language which covers the following aspects. First, it allows us to define the actual obligation and its parameters including the relationship, especially conflicts among them. Second, the negotiation of the supported obligation between distributed PDP and PEP is introduced. Third, potential conflicts are detected and partially solved at runtime based on the definition of the obligations. We show how the introduced extensible obligation markup language (XOML) could be integrated into the XACML standard.