Delegation of access rights in multi-domain service compositions

Today it is increasingly common to combine services from different providers into one application. Service composition is, however, difficult and cumbersome when there is no common trust anchor. Hence, delegation of access rights across trust domains will become essential in service composition scenarios. This article specifies abstract delegation, discusses theoretical aspects of the concept, and provides technical details of a validation implementation supporting a variety of access controls and their associated delegation mechanisms. Abstract delegation makes it possible to harmonize the management of heterogeneous access control mechanisms and to offer a unified user experience. The authors observe standardization efforts aimed at reducing application- and domain-specific delegation mechanisms, but this variety is very unlikely to disappear completely.
