关键词: 可扩展的访问控制标记语言（XACML）, 策略管理, 策略冲突, 冲突检测, 冲突消解

Abstract: XACML (extensible access control markup language) based access control technique is more and more widely used in cloud computing services. Some security problems caused by improper XACML policies, such as policy conflict and policy redundancy, are emerging. Few studies are carried out on policy conflict resolving. The existing methods can only solve conflicting rules one by one, which is not suitable for large scale cloud computing environments. To address this problem, this paper enhances the old methods of conflict detection, and presents a novel method to resolve multiple conflicts once for all. This method maps the access control rules into N-dimension space that each dimension represents an attribute, unifies the comprehensive definition of attribute conditions into several types of primitive attribute sets, and detects conflicts and redundancies by calculating the intersections of simple sets. In the policy conflict resolving algorithm, a directed acyclic graph (DAG) is used to present all conflicts, and the topology order is calculated as the priority of conflicting rules. The rules after conflict resolving are constructed according to the order of priority, to complete the one-time resolution of a large number of conflicts. Finally, the experimental results demonstrate that the algorithm is correct, feasible and efficient.

Key words: extensible access control markup language (XACML), policy management, policy conflict, conflict detection, conflict resolving