A Non-Technical XACML Target Editor for Dynamic Access Control Systems

XACML is a powerful and flexible access control (AC) policy language. It is an OASIS standard that is now widely used in a variety of applications, particularly those that require interoperability between AC systems. The language definition includes a precise grammar, syntax, and semantics, and it is both expressive and verbose. This combination of expressive power and verbosity can lead to difficulty in understanding the language's syntax and semantics for both technical and nontechnical users alike. As a result, reducing the difficulty of editing XACML policies has become an intense area of research. In our own work in this area, we previously showed how to render complex XACML conditions using a non-technical display notation and showed that it is easy to use this notation with interactive plain text editors that do not require any technical coding. Although XACML conditions are expressive and flexible, XACML targets are actually the most commonly used XACML language construct. They have an additional level of complexity, especially in version 3.0, due to the fact that the form and kinds of XACML constructs allowed in targets is much more limited. This paper extends our previous work, showing how the same powerful and flexible interactive editing principles can be applied to targets in order to allow users to use natural logic rather than implementation logic. We extend these principles and fully integrate them into our editing tool, easyXACML. This tool is usable by users with no technical knowledge of XACML, thus making XACML totally transparent to the user, while still retaining all of its functionalities and semantics. Our tool thus allows users to focus on policy logic rather than on details of syntax. As a result, the risk of errors in policies is greatly reduced.