Alexander Otenko scite author profile

¹

,

²

2002

This paper describes the output of the PERMIS project, which has developed a role based access control infrastructure that uses X.509 attribute certificates (ACs) to store the users' roles. All access control decisions are driven by an authorization policy, which is itself stored in an X.509 attribute certificate, thus guaranteeing its integrity. All the ACs can be stored in one or more LDAP directories, thus making them widely available. Authorization policies are written in XML according to a DTD that has been published at XML.org. The Access Control Decision Function (ADF) is written in Java and the Java API is simple to use, comprising of just 3 methods and a constructor. There is also a Privilege Allocator, which is a tool that constructs and signs attribute certificates and stores them in an LDAP directory for subsequent use by the ADF.

Role-based access control with X.509 attribute certificates

Chadwick¹,

Otenko²,

Ball³

2003

IEEE Internet Comput.

The PERMIS X.509 role based privilege management infrastructure

¹

,

²

2002

This paper describes the output of the PERMIS project, which has developed a role based access control infrastructure that uses X.509 attribute certificates (ACs) to store the users' roles. All access control decisions are driven by an authorization policy, which is itself stored in an X.509 attribute certificate, thus guaranteeing its integrity. All the ACs can be stored in one or more LDAP directories, thus making them widely available. Authorization policies are written in XML according to a DTD that has been published at XML.org. The Access Control Decision Function (ADF) is written in Java and the Java API is simple to use, comprising of just 3 methods and a constructor. There is also a Privilege Allocator, which is a tool that constructs and signs attribute certificates and stores them in an LDAP directory for subsequent use by the ADF.

Rbac Policies in XML for X.509 Based Privilege Management

¹

,

²

2002

Abstract:This paper describes a role based access control policy template for use by privilege management infrastructures where the roles are stored as X.509 Attribute Certificates in an LDAP directory. There is a brief description of the X.509 privilege management model, and how it can be used to implement RBAC. Policies that conform to the template are written in XML, and the template is specified as a DTD. (A future version will specify it as an XML schema). The policy is designed to be used by the PERMIS API, a Java specification for an Access Control Decision Function based on the ISO 10181 Access Control Framework and the Open Group's AZN API.

GridShib and PERMIS integration

¹

,

Novikov

²

,

³

2006

This paper describes the results of our recent GridShibPERMIS project to provide policy-driven role-based access control decision making to Grid jobs, in which the user's attributes are provided by a Shibboleth Identity Provider (IdP). The goal of the project is to integrate the identity-federation and attribute-assignment functions of Shibboleth with the policy-based enforcement function of PERMIS, in order to provide a flexible fine-grained authorisation system for Grid jobs running under Globus Toolkit v4. This was done by taking the GT4-Shibboleth integration performed in the United States with the PERMIS infrastructure built in the United Kingdom, and developing a GridShibPERMIS Context Handler. This allows for interoperability between GridShib and PERMIS by providing the required attribute extraction, conversion and transfer functions. As a result, the GridShibPERMIS project integrates the advantages of both Shibboleth cross-organisation identity federation and PERMIS policy-driven role-based access control and represents a new avenue of policy-based authorisation for Grids. The paper provides a brief overview of the technologies involved: GT4, Shibboleth and PERMIS, and presents how the three are combined to provide an efficient and simple fine-grained authorisation mechanism, having low implementation costs. The paper concludes with the lessons learned and plans for the future.

The PERMIS X.509 role based privilege management infrastructure

¹

,

Future Generation Computer Systems

²

2003

This paper describes the output of the PERMIS project, which has developed a role based access control infrastructure that uses X.509 attribute certificates (ACs) to store the users' roles. All access control decisions are driven by an authorization policy, which is itself stored in an X.509 attribute certificate, thus guaranteeing its integrity. All the ACs can be stored in one or more LDAP directories, thus making them widely available. Authorization policies are written in XML according to a DTD that has been published at XML.org. The Access Control Decision Function (ADF) is written in Java and the Java API is simple to use, comprising of just 3 methods and a constructor. There is also a Privilege Allocator, which is a tool that constructs and signs attribute certificates and stores them in an LDAP directory for subsequent use by the ADF.