Adding support to XACML for multi-domain user to user dynamic delegation of authority

Chadwick, David; Otenko, Sassa; Nguyễn, Tuấn Anh

doi:10.1007/s10207-008-0073-y

Cited by 17 publications

(12 citation statements)

References 13 publications

(13 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, role mapping researches are faced several challenges and issues such as for discovering roles and establishing the mapping of roles that lead to complex solutions. Chadwick et al [24] proposed an extension of XACML to support multi-domain user-to-user dynamic delegation of authority for delegation of role from one user to another. The solution solves the problem of delegation in multi-domain by delegating authority of user's role to another based on a graph of delegation and a hierarchical relationships of the various sets of attributes.…”

Section: Related Workmentioning

confidence: 99%

Collaborative Access Control for Multi-Domain Cloud Computing

Ayed

Teraoka

2012

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

SUMMARYThe Internet infrastructure is evolving with various approaches such as cloud computing. Interest in cloud computing is growing with the rise of services and applications particularly in business community. For delivering service securely, cloud computing providers are facing several security issues, including controlling access to services and ensuring privacy. Most of access control approaches tend to a centralization of policy administration and decision by introducing a mediator central third party. However, with the growth of the Internet and the increase of cloud computing providers, a centralized administration is no longer supported. In this paper, we present a new collaborative access control infrastructure for distributed cloud computing environment, supporting collaborative delegations across multiple domains in order to authorize users to access services at a visited domain that does not have a direct cooperative relationship with the user's home domain. For this purpose, we propose an extension of the XACML (eXtensible Access Control Markup Language) model with a new entity called Delegation Validation Point (DVP) to support multidomain delegation in a distributed environment. We describe the new extended model and functionalities of the new component. In addition, we define new XACML messages for acquiring delegation across domains. For exchanging delegation between domains we use SAML (Security Association Markup Language) and Diameter protocol. Two Diameter applications are defined for transporting securely multiple delegation requests and answers and for building a trusted path of cooperation to acquire the chain of delegations. We detail the implemented prototype and evaluate performance within a testbed of up to 20 domains.

show abstract

Section: Related Workmentioning

confidence: 99%

Collaborative Access Control for Multi-Domain Cloud Computing

Ayed

Teraoka

2012

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

show abstract

“…Authorisation policies are predefined in the access control framework. Significant contributions to ensure dynamic policy enforcement can be found in [9]. While much of the work is limited to role-based access control, the goal of our paper is to consider task delegation constraints in workflow systems.…”

Section: B Access Control Over Workflowsmentioning

confidence: 99%

“…At this stage, the Receiver component acts as a policy enforcement point to perform access control by making decision request and enforcing decisions. For instance, an attribute certificate is issued to the delegatee for authentication and authorisation purposes [9]. Attribute certificates will ensure integrity, protection and non-repudiation through a digital signature.…”

Section: B Architecture Requirementsmentioning

confidence: 99%

Delegation Protocols in Human-Centric Workflows

Gaaloul

Proper

Charoy

2011

2011 IEEE 13th Conference on Commerce and Enterprise Computing

View full text Add to dashboard Cite

Abstract-Organisations are facilitated and conducted using workflow management systems. Currently, we observe a tendency moving away from strict workflow modelling towards dynamic approaches supporting human interactions when deploying a workflow. One specific approach ensuring human-centric workflows is task delegation. Delegating a task may require an access to specific and potentially sensitive data that have to be secured and specified into authorisation policies. In this paper, we propose a modelling approach to secure delegation. In doing so, we define delegation protocols supporting specific constraints based on both workflow and access control systems. Moreover, we develop an advanced access control framework to integrate delegation constraints within existing policies. The novelty consists in the proactivity aspect of our framework to cope with dynamic delegation of authority in authorisation policies.

show abstract

“…A distributed RBAC/ABAC authorization infrastructure, as implemented in [9] comprises the following components: a set of distributed role/attribute issuing authorities, also known as Identity Providers (IdPs), which assign digitally signed credentials to subjects in a session, a Credential Validation Service (CVS) at the Service Provider's (SP) site, which validates the roles/attributes issued to the subject as credentials [10], and a Policy Decision Point (PDP) also at the SP's site, which evaluates if these roles/attributes give the user sufficient permission to access the requested resource. Through the use of policies, attributes and credentials, subject authorization is provided.…”

Section: A Rbac / Abac Authorizationmentioning

confidence: 99%

Self-Adaptive Authorization Framework for Policy Based RBAC/ABAC Models

Bailey

Chadwick

Lemos³

2011

2011 IEEE Ninth International Conference on Dependable, Autonomic and Secure Computing

Self Cite

View full text Add to dashboard Cite

Abstract-Authorization systems are an integral part of any network where resources need to be protected. They act as the gateway for providing (or denying) subjects (users) access to resources. As networks expand and organisations start to federate access to their resources, authorization infrastructures become increasingly difficult to manage. In this paper, we explore the potential of self-adaptive authorization as a means to automate the management of the access control configuration. We propose a Self-Adaptive Authorization Framework (SAAF) that is capable of managing any policy based distributed RBAC/ABAC authorization infrastructure. SAAF relies on a feedback control loop to monitor decisions (by policy decision points) of a target authorization infrastructure. These decisions are analysed to form a view of the subject's behaviour to decide whether to adapt the target authorization infrastructure. Adaptations are made in order to either endorse or restrict the identified behaviour, e.g. by loosening or tightening the current authorization policy. We demonstrate in terms of representative scenarios SAAF's ability for detecting abnormal behaviour, such as, misuse of access to system resources, proposing solutions that either prevent/endorse such behaviour, applying a cost function to each of these solutions, and executing the adaptive changes against a target authorization infrastructure.

show abstract

Adding support to XACML for multi-domain user to user dynamic delegation of authority

Cited by 17 publications

References 13 publications

Collaborative Access Control for Multi-Domain Cloud Computing

Collaborative Access Control for Multi-Domain Cloud Computing

Delegation Protocols in Human-Centric Workflows

Self-Adaptive Authorization Framework for Policy Based RBAC/ABAC Models

Contact Info

Product

Resources

About