Title :
Obligation policies: an enforcement platform
Author :
Gama, Pedro ; Ferreira, Paulo
Author_Institution :
Distributed Syst. Group, INESC-ID/IST, Lisboa, Portugal
Abstract :
The use of policy-based mechanisms significantly reduces the complexity associated with application development and operation. In particular, history-based policies allow the system to base application access decisions on the evaluation of other actions executed in the past. Obligation-based policies enhance this concept with the possibility of enforcing that certain actions will be executed in the future. This is a necessary evolution because some semantics are either easier to express as obligations or cannot be specified using traditional authorization mechanisms. Currently, the absence of enforcement mechanisms for obligation-based policies imposes the implementation of ad-hoc functional constraints. This increases development time and introduces security vulnerabilities into the policy engine. We present a policy platform called Heimdall, which supports the definition and enforcement of obligation-based policies. A prototype implementation is described, together with an evaluation which denotes encouraging results.
Keywords :
authorisation; Heimdall; ad hoc functional constraint; application development; authorization mechanism; enforcement platform; history-based policies; obligation policies; security vulnerabilities; Authorization; Conferences; Control systems; Engines; Prototypes; Quality of service; Security;
Conference_Title :
Policies for Distributed Systems and Networks, 2005. Sixth IEEE International Workshop on
Print_ISBN :
0-7695-2265-3
DOI :
10.1109/POLICY.2005.18