Multi-user authorization for simultaneous collaborative situation analysis workspaces using XACML
Multi-user applications, in which two or more users interact with the same system through a shared interface (e.g., large presentation touchscreens in meeting rooms used for situation analysis in a civil security context), are becoming more and more frequent. Whilst traditional single-user authorization scenarios seem to be a solved problem, and there are some existing solutions for collaborative multi-user applications with a separate device per user, methods for multi-user authorization where a single device is in simultaneous use come with a set of new questions. Because several users work simultaneously on the same physical device, there is no way to create a separate view for every user that fits their access rights. Especially in the context of civil security, it is very likely that there are several users with different security levels and that the data displayed is potentially highly sensitive. Therefore, new strategies are needed to decide which content is shown when users with potentially completely different access rights work together. We define those strategies by considering how to realize authorization for a simultaneous collaborative multi-user workspace. This is done by extending the well-known Bell-LaPadula model for multi-user authorization, using different strategies regarding data confidentiality. The feasibility of our formal models is shown with an implementation in XACML, which is described in detail. With this, it is already possible to integrate our model into real-world applications, which we show with the Fraunhofer Digital Map Table.