International Journal of Computer Science & Information Technology (IJCSIT) Vol.2, No.5, October 2010
DOI: 10.5121/ijcsit.2010.2505

Kamalbir Singh and Sarbjeet Singh
Computer Science and Engineering, Panjab University, Chandigarh, India
kamalbirsingh@hotmail.com, sarbjeet@pu.ac.in

ABSTRACT

The evolution of distributed computing technologies such as grid computing, peer-to-peer computing, pervasive computing, ubiquitous computing, autonomic computing and cloud computing has led to the development of complex virtual systems. These systems enable sharing of resources and services distributed over geographically dispersed, heterogeneous, autonomous administrative domains, and allow one to efficiently perform a compute- or storage-intensive task by harnessing the features available over other domains. The resources and services provided by service providers are generally protected by complex access control policies. These access control policies are expressed using policy specification languages. One popular, exhaustive and feature-rich access control policy specification language is XACML, which is also an OASIS standard. XACML policies are specified either manually or using automated XACML policy specification tools. Among the major problems that policy administrators face is the problem of conflict policies. Conflict policies can have serious consequences and may lead to unauthorized access. This paper presents the design, implementation and evaluation of a conflict policy detection mechanism that policy administrators can use to proactively detect conflict XACML policies present in a policy database. This saves administrators and job initiators from unnecessary problems arising from the presence of conflicts. The mechanism presented is simple, scalable and efficient, and can be used to detect policies conflicting with respect to subject, resource and action attributes.

The mechanism has been evaluated by simulating a distributed policy-based authorization and XACML access control system. A number of conflict policies of different natures were injected into the policy database, and the conflicts were identified by the proposed XACML conflict policy detection algorithm. The implementation results show that the mechanism efficiently detects conflict policies having conflicts with respect to subject, resource and action attributes. This demonstrates that the approach is workable and can be used to detect conflict policies among a set of XACML policies.

KEYWORDS

XACML, Access Control Policies, Conflict Policies, Policy-based Authorization Framework

1. INTRODUCTION

A large-scale distributed system is an interconnected set of heterogeneous autonomous systems that cooperatively solve a large problem. The problem is generally divided into a number of independent tasks that are executed in parallel or distributed over different nodes of the system for individual processing. The heterogeneous autonomous administrative domains that make up the distributed system use and provide resources that can be shared among different members of the distributed system, based on their authorization status and their conformance to established policies.

Distributed systems can be categorized as Distributed Computing Systems and Distributed Information Systems [1]. A Distributed Computing System is used for high-performance computing. Here the emphasis is on integrating and exploiting the compute power of the different machines available over the system. A Distributed Information System is used to manage huge volumes of information and large databases, with an emphasis on interoperability. This class has its applicability