Abstract

In the authorization access control model, policies loaded on the Policy Decision Point (PDP) may conflict with one another. Such conflicts can lead the PDP to make an inappropriate authorization decision or degrade the operating efficiency of the network and information system, and they reduce the PDP's performance when it evaluates access requests. To detect and eliminate conflicts in a policy so that the PDP can evaluate access requests efficiently, a form conflict detecting and eliminating engine is presented. The engine not only detects and eliminates form conflicts in a policy but also evaluates access requests. It constructs a Resource Index Tree, converting the rules of a policy defined in XACML into node information in the tree. Form conflicts are then detected and eliminated on the basis of the dependency relationships among resources, the overlap among conditions, and effect information. Experiments compare the evaluation performance of the engine with that of the Sun PDP, XEngine, and SBA-XACML. The results show that eliminating form conflicts in policies can greatly improve the PDP's evaluation performance.
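
The detection step described above, as an added Python example that is not the paper's engine or code. It assumes a conflict is two rules with different effects and overlapping conditions, where one rule's resource equals or is an ancestor of the other's; the `Rule`, `Node`, `build_tree` and `find_conflicts` names, the numeric-interval condition model and the sample policy are all hypothetical, and elimination is not covered.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    rule_id: str
    resource: str  # hierarchical resource path, e.g. "/records/lab"
    lo: int        # condition modelled as lo <= attribute <= hi (assumption)
    hi: int
    effect: str    # "Permit" or "Deny"

@dataclass
class Node:
    rules: list = field(default_factory=list)
    children: dict = field(default_factory=dict)

def build_tree(rules):
    """Index rules by resource: each path segment is one tree level."""
    root = Node()
    for r in rules:
        node = root
        for part in filter(None, r.resource.split("/")):
            node = node.children.setdefault(part, Node())
        node.rules.append(r)
    return root

def overlaps(a, b):
    """True when the two condition intervals share at least one value."""
    return a.lo <= b.hi and b.lo <= a.hi

def find_conflicts(node, inherited=()):
    """Return (earlier_id, later_id) pairs of rules on the same or an ancestor
    resource whose conditions overlap and whose effects differ."""
    conflicts, seen = [], list(inherited)
    for r in node.rules:
        for other in seen:
            if other.effect != r.effect and overlaps(other, r):
                conflicts.append((other.rule_id, r.rule_id))
        seen.append(r)
    for child in node.children.values():
        conflicts += find_conflicts(child, tuple(seen))  # siblings stay isolated
    return conflicts

# Constructed sample policy (not taken from the paper).
SAMPLE = [
    Rule("R1", "/records", 0, 100, "Permit"),
    Rule("R2", "/records/lab", 50, 150, "Deny"),
    Rule("R3", "/records/lab", 0, 40, "Permit"),
    Rule("R4", "/billing", 0, 100, "Deny"),
    Rule("R5", "/records/lab/hiv", 120, 130, "Permit"),
]
if __name__ == "__main__":
    print(find_conflicts(build_tree(SAMPLE)))
```

Because only rules on the path from the root to a node are compared, rules on unrelated resources such as `/billing` and `/records` are never checked against each other.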
