A Capability-Based Access Control Framework with Delegation Support

This paper presents a capability- and policy-based access control framework with delegation support (CPBAC) for distributed systems. It provides two types of delegation: administrative delegation and user delegation. Users therefore receive two kinds of authority: the authority to create and delegate their capabilities to other users, and the authority to manage capability propagation using XACML-based delegation policies. The framework expresses a capability as a SAML authorization assertion, so delegation of rights corresponds to distributing a capability by passing a SAML assertion. The key features of the CPBAC framework are delegation support, finer-grained control, and a standards-based design.
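To make the two delegation mechanisms concrete, the following added example (written for this page, not code from the CPBAC paper or its authors) models a capability as a signed claim whose delegation chain grows by one signed link each time the current holder passes it on. An HMAC over canonical JSON stands in for the XML signature on a SAML assertion, and a small policy table stands in for the XACML delegation policy; the principals, keys, resource path and policy values are all constructed for the illustration. Verification checks what a relying party would want before honouring a delegated capability: each link is signed by the previous holder, rights only attenuate along the chain, the chain stays within the policy's depth limit, and every delegating party is one the administrative policy permits to propagate the capability.

```python
"""Toy model of capability delegation with a propagation policy.

Constructed illustration, not the CPBAC implementation: a capability is a
signed claim (an HMAC over canonical JSON standing in for a signed SAML
assertion) and delegation appends a further signed link to the chain. A
plain dict stands in for the XACML-based administrative delegation policy.
"""
import hashlib
import hmac
import json

# Constructed key material; a real deployment would use each party's
# asymmetric signing key bound to its identity.
KEYS = {"resource_owner": b"k-owner", "alice": b"k-alice",
        "bob": b"k-bob", "carol": b"k-carol"}

# Stand-in for an administrative delegation policy: who may re-delegate a
# capability for this resource and how many delegation hops are allowed.
POLICY = {
    "/reports/q3": {"max_depth": 2, "delegators": {"resource_owner", "alice"}},
}


def _sign(signer, body):
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(KEYS[signer], canonical, hashlib.sha256).hexdigest()


def _link(issuer, subject, resource, rights):
    body = {"issuer": issuer, "subject": subject,
            "resource": resource, "rights": sorted(rights)}
    return {**body, "sig": _sign(issuer, body)}


def issue(owner, subject, resource, rights):
    """Root capability: the resource owner grants rights directly."""
    return [_link(owner, subject, resource, rights)]


def delegate(chain, holder, delegatee, rights):
    """User delegation: the current holder passes an attenuated copy on.

    Returns a new chain; the holder can never grant more than it holds.
    """
    last = chain[-1]
    if last["subject"] != holder:
        raise PermissionError("only the current holder may delegate")
    if not set(rights) <= set(last["rights"]):
        raise PermissionError("delegated rights must be a subset of held rights")
    return chain + [_link(holder, delegatee, last["resource"], rights)]


def verify(chain, presenter, resource, right):
    """Validate a presented chain: signatures, holder continuity, rights
    attenuation and the propagation policy. Returns (ok, reason)."""
    policy = POLICY.get(resource)
    if policy is None:
        return False, "no policy for resource"
    if len(chain) - 1 > policy["max_depth"]:
        return False, "delegation depth exceeded"
    expected_issuer = "resource_owner"   # the root link must come from the owner
    rights = None
    for i, link in enumerate(chain):
        body = {k: v for k, v in link.items() if k != "sig"}
        if link["issuer"] != expected_issuer:
            return False, f"link {i}: issuer is not the current holder"
        if link["issuer"] not in KEYS or not hmac.compare_digest(
                _sign(link["issuer"], body), link["sig"]):
            return False, f"link {i}: bad signature"
        if link["resource"] != resource:
            return False, f"link {i}: resource mismatch"
        if i > 0 and link["issuer"] not in policy["delegators"]:
            return False, f"link {i}: {link['issuer']} may not delegate"
        if rights is not None and not set(link["rights"]) <= rights:
            return False, f"link {i}: rights escalate beyond the issuer's"
        rights = set(link["rights"])
        expected_issuer = link["subject"]
    if expected_issuer != presenter:
        return False, "presenter is not the final subject"
    if right not in rights:
        return False, "right not granted"
    return True, "ok"


if __name__ == "__main__":
    root = issue("resource_owner", "alice", "/reports/q3", {"read", "write"})
    to_bob = delegate(root, "alice", "bob", {"read"})
    print(verify(to_bob, "bob", "/reports/q3", "read"))
    print(verify(delegate(to_bob, "bob", "carol", {"read"}), "carol", "/reports/q3", "read"))
```

The split between `delegate` and `verify` mirrors the two authorities in the abstract: a holder exercises user delegation locally by signing a new link, while the relying party enforces the administrative policy (permitted delegators, depth) at use time, so a chain that was technically well-formed but propagated by a party the policy excludes is still rejected.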
