SecPAL is a declarative, logic-based, security policy language that has been developed to support the complex access control requirements of large scale distributed computing environments.
Common access control requirements
Here is a partial-list of some of the challenges that SecPAL addresses:
- How does an organization establish a fine-grained trust relationship with another organization across organizational boundaries?
- How does a user delegate a subset of a user’s rights (constrained delegation) to another user residing either in the same organization or in a different organization?
- How can access control policy be authored and reviewed in a manner that is human readable - allowing auditors and non-technical people to understand such policies?
- How does an organization support compliance regulations requiring that a system be able to demonstrate exactly why it was that a user was granted access to a resource?
- How can policies be authored, composed and evaluated in a manner that is efficient, deterministic and tractable?
Architecture
The SecPAL Research homepage includes links to the following papers which describe the architecture of SecPAL at varying levels of abstraction.
- SecPAL Formal Model ("Design and Semantics of a Decentralized Authorization Language") – Formal description of the abstract types, language semantics and evaluation rules that support deterministic evaluation in efficient time.
- SecPAL Schema Specification – Specification describing a practical XML based implementation of the formal model targeted at supporting access control requirements of distributed applications
- .NET Research Implementation of SecPAL – C# implementation, C# samples for common authz patterns, and comprehensive developer documentation and a getting started tutorial
Additional research
- IEEE Grid 2007 - Fine Grained Access Control Using SecPAL
- SecPAL for Privacy
References
- "SecPAL - Microsoft Research". research.microsoft.com. Archived from the original on 28 April 2016. Retrieved 12 January 2022.
- "Microsoft Building Security Language for Grids". 13 September 2006.
- "Microsoft Invites Collaboration with Grid Computing Research". 30 April 2007.
- "Access Control in Grid Computing Environments". 7 May 2007.
- "Microsoft – Cloud, Computers, Apps & Gaming". Archived from the original on 2009-11-06.
- Marty Humphrey; et al. (2007). "Fine-grained access control for GridFTP using SecPAL" (Conference paper). 2007 8th IEEE/ACM International Conference on Grid Computing. International Workshop on Grid Computing: IEEE Xplore. pp. 217–225. doi:10.1109/GRID.2007.4354136. ISBN 978-1-4244-1559-5. S2CID 14763595.
- M.Y. Becker; et al. (2010). "A Practical Generic Privacy Language". In S. Jha; A. Mathuria (eds.). Information Systems Security. ICISS 2010. Lecture Notes in Computer Science. Lecture Notes in Computer Science. Vol. 6503. Berlin; Heidelberg: Springer. pp. 125–139. doi:10.1007/978-3-642-17714-9_10. ISBN 978-3-642-17714-9. S2CID 17197217.
- Mo Becker; Alexander Malkis; Laurent Bussard (April 2010). "S4P: A Generic Language for Specifying Privacy Preferences and Policies". Microsoft. Retrieved 14 February 2023.
Microsoft Research (MSR) | |||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Main projects |
| ||||||||||||||
MSR Labs applied research |
| ||||||||||||||
Category |