Specification and Enforcement of Activity Dependency Policies using XACML
Tanjila Mawla, Maanak Gupta, Ravi Sandhu
TL;DR
The paper tackles the challenge of enforcing continuous, dependency-aware access control for long-running device activities in interconnected systems by extending XACML to support activity-dependent policies ($\mathrm{XACML_{AD}}$). It introduces new policy constructs, notably ProvisionalActions, to specify necessary state updates of dependent activities and integrates these into a complete policy enforcement architecture (PAP, PRP, PDP, PEP, CH, PIP, Obligation Service). Through a prototype implementation in Python with a JSON-based XACML profile, the authors demonstrate end-to-end policy evaluation, including ongoing dependency checks and provisional updates, and report millisecond-scale performance improvements suitable for real-time operation. The contributions provide a formalized, scalable approach to continuous policy evaluation across activity life cycles, with practical relevance to smart farming, manufacturing, and other IoT domains, while outlining avenues for extending the depth of dependency chains and recursive updates in future work.
Abstract
Evolving smart and interconnected systems are designed to operate with minimal human intervention. Devices within these smart systems often engage in prolonged operations based on sensor data and contextual factors. Recently, an Activity-Centric Access Control (ACAC) model has been introduced to regulate these prolonged operations, referred to as activities, which undergo state changes over an extended duration of time. Dependencies among different activities can influence and restrict the execution of one another, necessitating active and real-time monitoring of the dependencies between activities to prevent security violations. In the ACAC model, the activity dependencies, denoted as "D", are considered as a decision parameter for controlling a requested activity. These dependencies must be evaluated throughout all phases of an activity's life cycle. To ensure the consistency of access control rules across diverse domains and applications, a standard policy language is essential. We propose a policy framework adapting the widely used eXtensible Access Control Markup Language (XACML), referred to as $\mathrm{XACML_{AD}}$, to specify the activity dependency policies. This work involves extending the syntax and semantics of XACML by introducing new elements to check dependent activities' states and handle state updates on dependent activities. In addition to the language extension, we present the enforcement architecture and data flow model for evaluating policies for activity dependencies. The integration of the proposed $\mathrm{XACML_{AD}}$ policy framework and the enforcement of the policies supports dependency evaluation, necessary updates, and continuous enforcement of policies to control an activity throughout its life cycle. We implement the enforcement architecture exploiting the $\mathrm{XACML_{AD}}$ policy framework and discuss the performance evaluation results.
