Policy Management Using Access Control Spaces
by Trent Jaeger, Xiaolan Zhang, Antony Edwards
in SACMAT 2002 and ACM TISSEC 2003

Summary
=======

Access control models have two major goals: (1) authorize permissions (i.e., rights of subjects to act on objects) and (2) ensure the safety of the system (i.e., no permission allows the security goals to be compromised). Specifying policies is difficult. Constraints are often used as the mechanism to ensure safety, and they are often expressed in predicate logic. The authors reason that predicate logic is hard for administrators to work with (after all, most are not CS researchers). Constraints are also not fail-safe: what happens when some are missing? There is also a trade-off in policy complexity between fine- and coarse-grained authorizations. The former often leads to many rules, while the latter leads to many conflicts (e.g., between the broad authorizations and the constraints).

An Access Control Space is the set of all possible permissions for a given subject. These permissions fall into three broad subspaces: Specified, Prohibited, and Unknown. Specified permissions are those inferred directly from the set of permissions in the policy. Permissions that would violate a constraint are Prohibited. Permissions that are neither Specified nor Prohibited are Unknown.

The authors introduce two further subspaces, Obligated and Permissible. The Obligated subspace is like the Prohibited subspace in that it is defined through constraints, but these are for permissions that a subject MUST have. From what we came up with during the seminar, the Permissible subspace consists of those permissions that an administrator would consider okay when presented with them; these permissions may not actually be implemented in the policy (and some Specified permissions in the policy may not be in the administrator's Permissible set).
The aim of the paper is to use Access Control Spaces to (1) find missing constraints using the Unknown subspace, and (2) balance the number of rules against the number of conflicts so as to simplify the policy. Note that if there is no Unknown space, the policy is completely specified, but reaching that point often takes a lot of rules and constraints (not all rules/constraints cover the same amount of the Access Control Space).

They propose that conflicts can be broken down into broad types and handled differently for each type. For example, doctors are allowed to view data of their patients, but not of the administration. What about non-patients? That is Unknown here. But we could allow doctors access anyway and raise a flag so the hospital can audit the access.

They also suggest a metric that can be used to estimate the complexity of a policy. Let s = #specifications (all rules, roles, permissions, constraints, etc.) and c = average % Unknown space over all subjects. Then might s/c be the number of specifications required to completely eliminate the Unknown space? This requires that all specifications (especially the last few added) address the same amount of the space as the others, which seems very unlikely in general. However, if we have two policies with the same average Unknown space (c), it seems reasonable that the simpler policy will have fewer specifications (s).

In general, we agreed that Access Control Spaces would be useful for finding missing constraints. However, we were more skeptical about how much they ease the process of making policies simpler. First, how will conflict handlers get mapped into a real system? Yes, they are generic and easy to reason about in the authors' tool, but this relationship will probably be more complicated in the actual mechanisms mediating accesses.
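To make the subspaces, the conflict types and the s/c heuristic concrete, here is a small executable model of an Access Control Space. It is an added illustration written for these notes, not code from the paper or from the authors' tool; the hospital subjects, objects, authorization rules and constraints are constructed for the example (they echo the doctor/patient case above, but the specific rules, and the choice of "allow and audit" as the handler for Unknown accesses, are assumptions).

```python
from itertools import product

# A permission is a (subject, operation, object) triple.
SUBJECTS = ("doctor", "admin")
OPERATIONS = ("read", "write")
OBJECTS = ("patient_record", "nonpatient_record", "admin_record")

# Constructed object attributes that the constraints refer to.
OWNER = {"patient_record": "clinical",
         "nonpatient_record": "clinical",
         "admin_record": "administration"}
ASSIGNED_PATIENTS = {"doctor": {"patient_record"}}

# Authorizations written "with broad strokes" (constructed): the doctor is
# granted a read on admin_record, which collides with a constraint below.
AUTHORIZATIONS = {
    ("doctor", "read", "patient_record"),
    ("doctor", "write", "patient_record"),
    ("doctor", "read", "admin_record"),   # too broad: conflicts with a constraint
    ("admin", "read", "admin_record"),
    ("admin", "write", "admin_record"),
}

# Prohibition constraints: predicates over permissions that must never hold.
def no_doctor_on_administration(p):
    subject, _op, obj = p
    return subject == "doctor" and OWNER[obj] == "administration"

def no_admin_on_clinical(p):
    subject, _op, obj = p
    return subject == "admin" and OWNER[obj] == "clinical"

PROHIBITIONS = [no_doctor_on_administration, no_admin_on_clinical]

# Obligation constraints: permissions a subject MUST hold.
def doctor_reads_assigned_patients(p):
    subject, op, obj = p
    return subject == "doctor" and op == "read" and obj in ASSIGNED_PATIENTS.get(subject, ())

OBLIGATIONS = [doctor_reads_assigned_patients]


def full_space(subject):
    """Every permission the subject could possibly hold: operation x object."""
    return {(subject, op, obj) for op, obj in product(OPERATIONS, OBJECTS)}

def specified(subject, authorizations=AUTHORIZATIONS):
    """Specified subspace: permissions granted directly by the policy."""
    return {p for p in authorizations if p[0] == subject}

def prohibited(subject, constraints=PROHIBITIONS):
    """Prohibited subspace: permissions that would violate some constraint."""
    return {p for p in full_space(subject) if any(c(p) for c in constraints)}

def obligated(subject, obligations=OBLIGATIONS):
    """Obligated subspace: permissions the subject is required to hold."""
    return {p for p in full_space(subject) if any(c(p) for c in obligations)}

def unknown(subject, authorizations=AUTHORIZATIONS, constraints=PROHIBITIONS):
    """Unknown subspace: neither specified nor prohibited; where constraints may be missing."""
    return full_space(subject) - specified(subject, authorizations) - prohibited(subject, constraints)

def conflicts(subject, authorizations=AUTHORIZATIONS, constraints=PROHIBITIONS,
              obligations=OBLIGATIONS):
    """Two conflict types that a policy tool would report and handle separately:
    granted-but-prohibited (authorization vs. constraint) and obligated-but-missing."""
    spec = specified(subject, authorizations)
    return {"granted_but_prohibited": spec & prohibited(subject, constraints),
            "obligated_but_missing": obligated(subject, obligations) - spec}

def decide(permission, authorizations=AUTHORIZATIONS, constraints=PROHIBITIONS):
    """Handler for one access request. Prohibited wins over Specified; an Unknown
    access is allowed but flagged for audit (the handler choice is an assumption)."""
    subject = permission[0]
    if permission in prohibited(subject, constraints):
        return "deny"
    if permission in specified(subject, authorizations):
        return "allow"
    return "allow+audit"

def unknown_fraction(subject, authorizations=AUTHORIZATIONS, constraints=PROHIBITIONS):
    """Share of the subject's space that is still Unknown (the per-subject c)."""
    return len(unknown(subject, authorizations, constraints)) / len(full_space(subject))

def complexity_estimate(authorizations=AUTHORIZATIONS, constraints=PROHIBITIONS,
                        obligations=OBLIGATIONS, subjects=SUBJECTS):
    """The s/c heuristic: s = number of specifications, c = average Unknown
    fraction over subjects. Returns (s, c, s/c); s/c is None when c == 0."""
    s = len(authorizations) + len(constraints) + len(obligations)
    c = sum(unknown_fraction(x, authorizations, constraints) for x in subjects) / len(subjects)
    return s, c, (None if c == 0 else s / c)


if __name__ == "__main__":
    for subj in SUBJECTS:
        print(subj, "unknown:", sorted(unknown(subj)))
        print(subj, "conflicts:", conflicts(subj))
    print("doctor reads non-patient record:", decide(("doctor", "read", "nonpatient_record")))
    print("s, c, s/c =", complexity_estimate())
```

With these constructed rules the doctor's space has six permissions: two Specified on patient_record, two Prohibited on admin_record, and the two non-patient permissions left Unknown, which is exactly the gap the Unknown subspace is meant to surface; the broad read on admin_record shows up as a granted-but-prohibited conflict. The admin has no Unknown space, so c averages to 1/6 and the heuristic reports s/c = 48 for 8 specifications, which illustrates the summary's point that s/c only means anything if each further specification covered as much of the space as the existing ones.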
They suggest making policies with broad strokes for the authorizations and constraints, then iterating: removing conflicts and shrinking the Unknown space appropriately. There is no evidence that this will lead to simpler policies. Maybe a relatively complicated policy could be made first that has the correct set of authorizations and constraints. From there the admin could experiment with "simpler" policies, trying to get the easier ones to match subspaces with the correct one. Or maybe it is not even that beneficial to make a working policy simpler: newcomers to the policy can experiment with it using the tool, and thus become more familiar with it through practice.

Votes
=====

16 Accept
6 Weak Accept
1 Weak Reject
0 Reject