Refactoring access control policies for performance improvement

Donia El Kateb, Tejeddine Mouelhi, Yves Le Traon, Jeehyun Hwang, Tao Xie

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

In order to facilitate managing authorization, access control architectures are designed to separate the business logic from an access control policy. To determine whether a user can access which resources, a request is formulated from a component, called a Policy Enforcement Point (PEP) located in application code. Given a request, a Policy Decision Point (PDP) evaluates the request against an access control policy and returns its access decision (i.e., permit or deny) to the PEP. With the growth of sensitive information for protection in an application, an access control policy consists of a larger number of rules, which often cause a performance bottleneck. To address this issue, we propose to refactor access control policies for performance improvement by splitting a policy (handled by a single PDP) into its corresponding multiple policies with a smaller number of rules (handled by multiple PDPs). We define seven attribute-set-based splitting criteria to facilitate splitting a policy. We have conducted an evaluation on three subjects of reallife Java systems, each of which interacts with access control policies. Our evaluation results show that (1) our approach preserves the initial architectural model in terms of interaction between the business logic and its corresponding rules in a policy, and (2) our approach enables to substantially reduce request evaluation time for most splitting criteria.

Original languageEnglish (US)
Title of host publicationICPE'12 - Proceedings of the 3rd Joint WOSP/SIPEW International Conference on Performance Engineering
Pages323-334
Number of pages12
DOIs
StatePublished - 2012
Externally publishedYes
Event3rd Joint WOSP/SIPEW International Conference on Performance Engineering, ICPE'12 - Boston, MA, United States
Duration: Apr 22 2012Apr 25 2012

Publication series

NameICPE'12 - Proceedings of the 3rd Joint WOSP/SIPEW International Conference on Performance Engineering

Other

Other3rd Joint WOSP/SIPEW International Conference on Performance Engineering, ICPE'12
Country/TerritoryUnited States
CityBoston, MA
Period4/22/124/25/12

Keywords

  • Access control
  • EXtensible access control markup language
  • Performance
  • Policy decision point
  • Policy enforcement point
  • Refactoring

ASJC Scopus subject areas

  • Software

Fingerprint

Dive into the research topics of 'Refactoring access control policies for performance improvement'. Together they form a unique fingerprint.

Cite this