Rules markup for automatic deployment of information security policies

Abstract

Information security policies define directive principles for information security management. These policies must be implemented in access control models. Role-Based Access Control (RBAC) is a paradigm, with which security policies can be developed from the perspectives of executive officers. Because "role" is tile core part of organizational dynamics, RBAC can provide a vision of adaptive information security management. In organizations, rights are assigned to proper roles and users (employees) are assigned responsibilities of certain roles. With the RBAC model, the function of information and network security can be managed in a flexible way, and better meet tile needs of doing business. XML (eXtensible Markup Language) offers a standard mean for information exchange, and must also be applicable to the exchange of definitions and contents of ACl for distributed applications. In this paper, we propose a classification of rules, which are the base of setting information policies. We also provide two sets of languages in XML: AML (Authorization Markup Language) to formulate these rules, and AUCL (AUthorization Code Language) to express access control information.