SecPAL

Here is a partial-list of some of the challenges that SecPAL addresses:

• How does an organization establish a fine-grained trust relationship with another organization across organizational boundaries?
• How does a user delegate a subset of a user’s rights (constrained delegation) to another user residing either in the same organization or in a different organization?
• How can access control policy be authored and reviewed in a manner that is human readable - allowing auditors and non-technical people to understand such policies?
• How does an organization support compliance regulations requiring that a system be able to demonstrate exactly why it was that a user was granted access to a resource?
• How can policies be authored, composed and evaluated in a manner that is efficient, deterministic and tractable?

The SecPAL Research homepage includes links to the following papers which describe the architecture of SecPAL at varying levels of abstraction.

• SecPAL Formal Model ("Design and Semantics of a Decentralized Authorization Language") – Formal description of the abstract types, language semantics and evaluation rules that support deterministic evaluation in efficient time.
• SecPAL Schema Specification – Specification describing a practical XML based implementation of the formal model targeted at supporting access control requirements of distributed applications
• .NET Research Implementation of SecPAL – C# implementation, C# samples for common authz patterns, and comprehensive developer documentation and a getting started tutorial

• IEEE Grid 2007 - Fine Grained Access Control Using SecPAL - http://www.cs.virginia.edu/~humphrey/papers/GridFTP_SecPAL_2007.pdf
• SecPAL for Privacy - https://www.sec.in.tum.de/~malkis/BeckerMalkisBussard-APracticalGenericPrivacyLanguage.pdf, https://www.sec.in.tum.de/~malkis/BeckerMalkisBussard-S4P-AGenericLanguageForSpecifyingPrivacyPreferencesAndPolicies.pdf