Over the last years, organizations have been using an increasingly large number of applications. The applications used by organizations span from general applications which o er customer relationship management, sales and payroll support to industry-speci c applications such as computer-aided design applications. Moreover, applications are becoming more complex and organizations are preparing their systems to serve both internal as well as external users. This has an impact on both scale and diversity of the user base. These trends pose challenges, not in the least for application security.

One of the techniques to enforce application security is access control. Access control regulates actions performed on objects by subjects (e.g. users). Access control is usually considered in three parts: authentication identi es a subject, authorization determines whether the subject is entitled to perform a certain action and audit aims at the monitoring of the performed actions.

One of the challenges of access control is manageability. Manageability of access control includes user management and management of policies. How policies are implemented is largely determined by the underlying access control model and can span from simple access control matrices to lists of complex rules.

The growing complexity and scale mentioned earlier are making manageability of access control increasingly challenging. For example, economic analysis of role-based access control { which is used extensively in practice [ 1 ] { suggests that role engineering and the mapping of permissions and users to roles remain the most signi cant adoption expenses for organizations [ 1 ]. Moreover, the number of applications used by organizations is continuously expanding. This makes it di cult to consistently specify an organization-wide security policy, as this security policy is left scattered amongst application-speci c access control policies. Such an organization-wide policy speci es the organization's requirements with regard to access control on a high level. It may be implicitly or explicitly de ned. The separated management of policies for each of the applications may lead to inconsistencies with regard to the organization-wide policy, as the high-level rules need to be translated manually to the policy of each of the applications.

In the context of this PhD project, we want to improve the manageability of access control with regard to policies and entitlements of users. To address this challenge, we propose re ning organization-wide policies to application-speci c policies. These organization-wide policies are explicitly speci ed, and can apply to several applications. This paper describes both challenges as well as objectives which will help to achieve the goal of the PhD project.

The paper is organized as follows: First, we discuss the state-of-the-art and state-of-practice in Section 2. Next, Section 3 identi es the challenges. In Section 4, we describe the objectives of this PhD project. Section 5 discusses the approach to achieve these objectives. In Section 6, we conclude the paper.

Access control restricts the actions of subjects on objects by means of rules. Separating these rules from the application into policies can increase manageability.

This extracts the access control logic from the application logic. Ideally, the entire access control mechanism, except for the actual enforcement point, is separated from the application [ 2 ]. This o ers several bene ts. First, it enables application developers to focus on business logic. Second, it enables security administrators to specify access control mechanisms tailored to their needs. Third, it facilitates fully centralized management of all policies of an organization.

Besides decoupling the rules from the application they protect, manageability is also largely in uenced by the access control model employed by the application. Over the last decades, several access control models have been proposed [ 2 ]. Examples include Mandatory Access Control (MAC), Discretionary Access Control (DAC) and Role-Based Access Control (RBAC). All of these models approach the manageability problem of security policies in a di erent manner. For example, Role-Based Access Control [ 3 ] (RBAC) provides scalable manageability by means of roles. A role serves as an indirection between subjects on the one hand, and permissions on the other. RBAC also o ers support for hierarchies of roles and separation of duty concepts.

RBAC has been widely adopted for access control management [ 1 ]. However, the de nition of RBAC policies can also introduce a few problems. These include a lack of expressiveness, which results in role explosion [ 4 ]. Role explosion is the rapid growth of roles related to distinct properties which are combined to obtain disjunct sets of permissions. For example, an organization which regulates access based on seniority and department would quickly experience these e ects. As a result, there have been initiatives to increase management of the speci ed roles (amongst others [ 5 ]). Also, several attempts have been made to reduce problems related to expressiveness by means of RBAC extensions [ 6, 7 ].

Attribute-Based Access Control [ 4 ] (ABAC) generalizes these extensions. ABAC is an access control mechanism in which attributes, related to subjects, objects, actions and environment are used to limit access. These attributes can be seen as (key, value) pairs that can be assigned to the entities by administrators or be derived from external sources. Using attributes, ABAC can increase expressiveness by de ning access control policies, which prevents role explosion [ 4 ]. 3

An organization-wide policy speci es the organization's requirements with regard to access control on a high level. It is present either explicitly (serving as a guideline for application policy speci cation) or implicitly (re ected only by the application policies) in the organization. As the number of applications used by an organization grows, it becomes increasingly complex to manage the organization-wide security policy, as it is left scattered amongst applicationspeci c access control policies. This makes it harder to consistently manage organization-wide policies. For example, consistently de ning an organizationwide policy that requires interim personnel to be employed for at least a month in order to be able to modify anything in any application becomes more di cult as the number of applications increases. Also, special access control concepts such as separation of duty over several applications can become more di cult to specify consistently when the number of applications grows.

As discussed previously, ABAC can enable organizations to de ne more expressive policies. As a result, ABAC can reduce role explosion [ 4 ], which can be a strain on access control manageability. However, it may also reduce manageability [ 8 ]. The administrative simplicity with respect to RBAC is quickly lost when policies involve more attributes. It also becomes more di cult to inspect the permissions of a certain subject [ 9 ].

Hence, there is a need for high-level abstractions over the attribute-based policies, o ering better manageability over the security policy. These high-level abstractions should support the de nition of a policy that spans over several applications, such as restricting access of interim employees during the rst month. This involves the separation of the policy from the application that enforces it. 4

In order to tackle the challenges described above, we propose two objectives: exploring management possibilities through the de nition and re nement of organization-wide policies and the mapping of these policies to applications.

We intend to approach the objectives by rst performing case studies on (a) a document processing platform and (b) an automated work ow platform. The analysis of the security model of both case studies provides a useful insight into the complexity of the application-speci c policies that we intend to abstract to. We will leverage on this analysis to specify a generic solution which supports abstraction over all applications.

Our goals will be validated by the speci cation of organization-wide policies which are re ned to application-speci c policies. Next, we will perform a thorough evaluation on the result. A rst evaluation will measure the e ort that is needed in order to reuse the organization-wide security policy for di erent applications. This explores how much additional con guration is necessary in order to support similar applications. Secondly, the evaluation will determine how e ectively it increases manageability with regard to re nement. More speci cally, we will evaluate how e ectively our solution supports translation of a organizationwide security policy into application-speci c policies. For example, we evaluate how organization-wide policies such as the example in Figure 1 can be de ned, and how much application-speci c con guration (such as setting up the mapping to the security model) this requires. As such, we can compare the administrative overhead induced by application-speci c policy de nition with the e ort of organization-wide security policy speci cation. This also enables us to analyse to which extent the technique supports consistent management of security policies.

As a rst step in this PhD, we have looked at how XACML policies can be re ned to RBAC. Next, we will look at a generic way for representing the security model of an application with regard to access control. We then investigate how organization-wide policies can be structured to support improved management.

In this paper, we motivated the requirement for an increased manageability of access control. We introduced a series of challenges to manageability in access control and discussed the objectives to this PhD project that will address them. By achieving the provided objectives, we hope to improve the current state-ofthe-art in manageability techniques. This will reduce the costs related to the manageability of both security policy as well as user management. Acknowledgements This research is partially funded by the Research Fund KU Leuven, and by the EU FP7 project NESSoS. With the nancial support from the Prevention of and Fight against Crime Programme of the European Union (B-CCENTRE).