Authorization infrastructures manage privileges and render access control decisions, allowing applications to adjust their behavior according to the privileges allocated to users. This paper describes the PERMIS role-based authorization infrastructure along with its conceptual authorization, access control, and trust models. PERMIS has the novel concept of a credential validation service, which verifies a user's credentials prior to access control decision-making and enables the distributed management of credentials. PERMIS also supports delegation of authority; thus, credentials can be delegated between users, further decentralizing credential management. Finally, PERMIS supports history-based decision-making, which can be used to enforce such aspects as separation of duties and cumulative use of resources. Details of the design and the implementation of PERMIS are presented along with details of its integration with Globus Toolkit, Shibboleth, and GridShib. A comparison of PERMIS with other authorization and access control implementations is given, along with suggestions where future research and development are still needed.
They provide facilities to manage user privileges, render access control decisions, and process the related information. Different types of policies may be supported, such as credential issuing policies, access control policies, delegation policies, and credential validation policies. These policies contain the rules and criteria that specify how user privileges (or credentials, which are digitally signed assertions made by some authority about a user's privileges) are managed and access control decisions are made. In the context of distributed Grid systems spanning multiple domains, policy-based authorization systems bring a number of specific advantages such as: they can control the issuing of credentials in one domain and allow the autonomous delegation of privileges between users.
They can then separately control the validation of these credentials in the resource domain, and allow each resource owner to independently say who he/she trusts to issue which credentials to whom, and which access rights these valid credentials should have. This is an important feature that most Grid systems today do not have.
The authorization infrastructure that we have built is called PERMIS [1]. This paper describes the various components of the PERMIS authorization infrastructure, the conceptual models that lie behind them, and the standards that we have used. We conclude by comparing our work with that of others and by describing some of the future work that still needs to be done. The rest of this paper is structured as follows. Section 2 provides the conceptual models of our authorization infrastructure. Section 3 describes the design and implementation of PERMIS. Section 4 presents PERMIS's integration with Globus Toolkit (GT), Shibboleth, and GridShib. Section 5 compares PERMIS with other related research. Section 6 concludes and indicates our plans for the future.
CONCEPTUAL MODELS
The access control...
Abstract. In this paper we describe how we have added support for dynamic delegation of authority that is enacted via the issuing of credentials from one user to another, to the XACML model for authorisation decision making. Initially we present the problems and requirements that such a model demands, considering that multiple domains will typically be involved. We then describe our architected solution based on the XACML conceptual and data flow models. We also present at a conceptual level the policy elements that are necessary to support this model of dynamic delegation of authority. Given that these policy elements are significantly different to those of the existing XACML policy, we propose a new conceptual entity called the Credential Validation Service (CVS), to work alongside the XACML PDP in the authorisation decision making. Finally we present an overview of our first specification of such a policy and its implementation in the corresponding CVS.
An access control policy writing tool for the PERMIS role-based privileges management infrastructure was iteratively developed employing usability principles and techniques. Expert and intermediate users' efficiency in policy creation was improved. Three novice users took part in a usability trial with the first prototype, attempting to recreate a simple policy in 15 minutes that had been specified in plain English. The participants had not properly understood the labelling of buttons or fields in the interface, and so experienced difficulty in breaking down the policy into components and identifying parts of the application to put them in. The non-specialists found it challenging to express access policy effectively because their concept of it did not match what was presented to them on screen. Bubble help and alert boxes were expanded and made more prescriptive to guide their actions without impacting expert users' efficiency. Conceptual design techniques were used to revise the labels based on potential users' descriptions of RBAC. A questionnaire study showed improved label intuitiveness (t=6.28, df=7, p=.000 two tailed): e-Scientists and developers were better able to describe access policy components from labels, and match labels with components. This project has successfully developed an access control tool to improve security specialists' productivity and improve the wider e-Science community's access to a flexible security infrastructure.
Abstract: Role based access control has been widely used in security critical systems.
Tuan Anh Nguyen has a Master of Electronics and Telecommunications degree from the Hanoi University of Technology, Vietnam. He is studying for a PhD in dynamic delegation of authority at the University of Kent, under the supervision of Professor Chadwick.
Abstract. We describe adding support for dynamic delegation of authority between users in multiple administrative domains, to the XACML model for authorisation decision making. Delegation of authority is enacted via the issuing of credentials from one user to another, and follows the role based access control model. We present the problems and requirements that such a delegation model demands, the policy elements that are necessary to control the delegation chains and a description of the architected solution. We propose a new conceptual entity called the Credential Validation Service (CVS) to work alongside the XACML PDP. We describe our implementation of the CVS and present performance measurements for validating delegated chains of credentials.