Resolving XACML Rule Conflicts using Artificial Intelligence.

The XACML access control policy specification language provides a simple rule/policy combining algorithm that is invoked when a request is evaluated against a particular policy set, and the results of the policy decision point (PDP) include solutions with both "permit" and "deny" effects. In short, the combining algorithm allows the policy writer to specify which effect should prevail in case of such conflicts. This feature has long been considered as misleading, and a wide variety of research has been done in an attempt to extend it using supplementary language features or algorithms based on priority definitions. We propose a new algorithm that, instead of absolute priorities expressed as numbers, is based on relative priorities that do not use numerical scales. Two kinds of annotations need to be added to policies, one that says if the value of an attribute is sensitive and another that provides information that can be used to determine which attribute is most important in the case when several sensitive values are encountered during the processing of attribute values in a request. This information serves as input to our decision making mechanism, designed to respect the user-specified priorities as best as possible.