A Conflict Detection Approach for XACML Policies on Hierarchical Resources

Organizational collaborations consider specifying the access control policies of the resources in collaborations by XACML(eXtensible Access Control Markup Language). This gives rise to two problems, one is that the XACML policies used in collaborations will possibly have conflicts with the original policies of the organization, the other problem is that many organizations have a large number of resources, while these resources are organized into hierarchical structure. These two problems make it a challenge to detect the conflicts on a large number of resources. In this paper we will present an assumed pattern of organizational collaboration on which our conflict detection approach is based. We will propose a model checking based approach to detect the conflicts between original XACML policies of an organization and target XACML policies of an organizational collaboration. We handle two sorts of conflicts in XACML policies, i.e. authorization conflict of roles and conditional conflicts on resources. Our detection approach and the performance test results will be presented in this paper.