Constrained delegation

Bandmann, Olav; Dam, Mads; Firozabadi, Babak Sadighi

doi:10.1109/secpri.2002.1004367

Cited by 52 publications

(40 citation statements)

References 7 publications

(10 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This delegation policy component describes how the CVS can determine if a chain of delegated credentials and/or policies falls within a trusted tree or not. This is a rather complex policy component, and there are various ways of describing delegation trees [3,9] with no widely accepted standard way. The essential elements should specify who is allowed to be in the tree (both as an issuer and/or a subject), what constraints apply, and what properties (attributes) they can validly have (assert) and delegate.…”

Section: The Credential Validation Policymentioning

confidence: 99%

“…Another constraint that we place on a delegation tree is that the same attribute (or its subordinate) must be propagated down the tree, and new unrelated attributes cannot be introduced in the middle of a delegation tree. We recognise that a more flexible approach will be to define delegation trees by referring to the attributes of the members rather than their distinguished names, as for example is used by Bandmann et al [9]. Their delegation tree model allows a policy writer to specify delegation trees such as "anyone with a head of department attribute may delegate a project manager attribute to any member of staff in the department".…”

Section: Credential Validation Policymentioning

confidence: 99%

See 1 more Smart Citation

Adding Support to XACML for Dynamic Delegation of Authority in Multiple Domains

Chadwick

Otenko

Nguyễn

2006

Communications and Multimedia Security

View full text Add to dashboard Cite

Abstract. In this paper we describe how we have added support for dynamic delegation of authority that is enacted via the issuing of credentials from one user to another, to the XACML model for authorisation decision making. Initially we present the problems and requirements that such a model demands, considering that multiple domains will typically be involved. We then describe our architected solution based on the XACML conceptual and data flow models. We also present at a conceptual level the policy elements that are necessary to support this model of dynamic delegation of authority. Given that these policy elements are significantly different to those of the existing XACML policy, we propose a new conceptual entity called the Credential Validation Service (CVS), to work alongside the XACML PDP in the authorisation decision making. Finally we present an overview of our first specification of such a policy and its implementation in the corresponding CVS.

show abstract

Section: The Credential Validation Policymentioning

confidence: 99%

Section: Credential Validation Policymentioning

confidence: 99%

Adding Support to XACML for Dynamic Delegation of Authority in Multiple Domains

Chadwick

Otenko

Nguyễn

2006

Communications and Multimedia Security

View full text Add to dashboard Cite

show abstract

“…It is a modified version of the framework presented in Bandmann et al, 2002;Firozabadi et al, 2001, extended to include possibility-with-override. We have chosen this particular framework since it provides information about the source of authorisations.…”

Section: Extending the Privilege Calculusmentioning

confidence: 99%

“…He can also permit g to delegate the authority in several steps by appointing intermediary managers chosen from G. This allows p to let subordinates organise their own sub-organisations within G. For instance we could have p delegate to g who will delegate to g f who will in turn create the access level permission. The use of the auth*() construct is explained in more detail in Bandmann et al, 2002. Definition 6.. We define a certificate database to be a tuple V -(So A, D+, D" where SoA C $ is a finite set oiSource ofAuthority privileges, D + C E + is a finite set of declaration certificates and D~ C E~ is a finite set of revocation certificates. It is the combined contents of this certificate database that will decide which accesses are permitted.…”

Section: If S E Prin 0 G $ T E R and Id E Nmentioning

confidence: 99%

“…Cycles are not possible in Firozabadi et al, 2001, but together with the auth* form from Bandmann et al, 2002 cycles become possible unless prevented with this extra constraint. Although cycles are not a problem in principle, the authority resolution algorithm later on becomes more complicated to explain for a cyclic graph, so we make this simplification.…”

Section: Definition9 Letdid2 G D + Wheredi = Declares(si (ßItimentioning

confidence: 99%

See 1 more Smart Citation

Discretionary Overriding of Access Control in the Privilege Calculus

Rissanen

Sadighi

Sergot

Formal Aspects in Security and Trust

View full text Add to dashboard Cite

We extend a particular access control framework, the Privilege Calculus, with a possibility to override denied access for increased flexibility in hard to define or unanticipated situations. We require the overrides to be audited and approved by appropriate managers. In order to automatically find the authorities who are able to approve an override, we present an algorithm for authority resolution. We are able to calculate from the access control policy who can approve an override without the need for any additional information.

show abstract

Security Protocols

2005

Lecture Notes in Computer Science

View full text Add to dashboard Cite

PrefaceGreetings. These are the proceedings of the 11th in our series of International Workshops on Security Protocols. Our theme this time was "Where have all the Protocols gone?" Once upon a time security protocols lived mainly in the network and transport layers. Now they increasingly hide in applications, or in specialised hardware. Does this trend lead to better security architectures, or is it an indication that we are addressing the wrong problems?The intention of the workshops is to provide a forum where incompletely worked out ideas can stimulate discussion, open up new lines of investigation, and suggest more problems. The position papers published here have been revised by the authors in the light of their participation in the workshop. In addition, we publish edited transcripts of some of the discussions, to give our readers access to some of the roads ahead not (yet) taken. We hope that these revised position papers and edited transcripts will give you at least one interesting idea of your own to explore. Please do write and tell us what it was.Our purpose in publishing these proceedings is to produce a conceptual map which will be of enduring interest, rather than to be merely topical. This is perhaps just as well, given the delay in production. This year we moved to new computer-based recording technology, and of course it failed completely. Fortunately various domestic recorders had been smuggled into the venue, but picking the signal bits out of the noise has taken a long time, and we have had to insert more than the usual number of epicycles to make the discussions come out right.Our thanks to Sidney Sussex College Cambridge for the use of their facilities, to Lori Klimaszewska of the University of Cambridge Computing Service for the even worse than usual task of transcribing the audio tapes (in which the reverse use of "two rings" provided a test for creative intelligence) and to Johanna Hunt at the University of Hertfordshire for helping us with the Ptolemeic editing of the results. Lent 2005

show abstract

Constrained delegation

Cited by 52 publications

References 7 publications

Adding Support to XACML for Dynamic Delegation of Authority in Multiple Domains

Adding Support to XACML for Dynamic Delegation of Authority in Multiple Domains

Discretionary Overriding of Access Control in the Privilege Calculus

Security Protocols

Contact Info

Product

Resources

About