SecPAL - Access Control for Grid Computing Environments

It has probably been around 9 months since my last blog release where I described the release of our ASMX Service Factory. A lot has obviously happened since then - including the release of both WCF and the WCF Service Factory. So what have I been doing since that time?

Well, around 9 months ago I was offered the opportunity to work on a project called SecPAL (SecPAL stands for the Security Policy Assertion Language) within a research and incubation team inside Craig Mundie’s organization. SecPAL is a policy language that has been developed to support the complex access control requirements of large scale grid computing environments.

So what kinds of challenges are we focusing on? Here is a partial list of some of the challenges that SecPAL addresses:

  • How does an organization establish a fine-grained trust relationship with another organization across organizational boundaries?

  • How does a user delegate a subset of a user’s rights (constrained delegation) to another user residing either in the same organization or in a different organization?

  • How can access control policy be authored and reviewed in a manner that is human readable - allowing auditors and non-technical people to understand such policies?

  • How does an organization support compliance regulations requiring that a system be able to demonstrate exactly why it was that a user was granted access to a resource?

  • How can policies be authored, composed and evaluated in a manner that is efficient, deterministic and tractable?

If any of these challenges seem familiar, or if you are interested in learning more about SecPAL and how SecPAL solves these challenges, you should take a look at our Microsoft Research home page which is located at: The SecPAL Research homepage includes links to the following papers which describe the architecture of SecPAL at varying levels of abstraction.

  • SecPAL Formal Model ("Design and Semantics of a Decentralized Authorization Language") – Formal description of the abstract types, language semantics and evaluation rules that support deterministic evaluation in efficient time.

  • SecPAL Schema Specification – Specification describing a practical XML-based implementation of the formal model targeted at supporting access control requirements of distributed applications.

  • .NET Research Implementation of SecPAL – C# implementation, C# samples for common authz patterns, comprehensive developer documentation, and a getting started tutorial.

The .NET Research Implementation and SecPAL Schema Specifications were posted recently - just prior to TechFest. The .NET implementation is deliberately labeled a “research” release because we are interested in collaborating with security researchers and security thought leaders as they evaluate SecPAL against their access control requirements. This research release is definitely not intended to be viewed or used as a product.

If you are interested in learning more about SecPAL, I encourage you to first take a look at the whitepaper entitled “A Unified Approach to Trust, Delegation, and Authorization in Large-Scale Grids”, also located on our research homepage, and then download our .NET Research Implementation and evaluate SecPAL against your requirements.

The .NET Research Implementation includes substantial developer documentation, including both a getting started tutorial as well as 15 common authorization patterns along with SecPAL implementations. If you don’t see something that meets your requirements, or you have suggestions or comments, we would love to hear from you on the community workspace. See

Over the next couple of weeks I will also create some additional blog entries walking you through some of the authorization patterns that we have developed, hopefully providing more insight into how SecPAL works.