A Policy Language for Integrating Heterogeneous Authorization Policies

In order to manage and enforce multiple heterogeneous authorization policies in distributed authorization environment, we defined the root policy specification language and its corresponding enforcing mechanism. In a root policy, the involved users and resources can be defined in coarse or finegrained. Each involved authorization policy’s storage, trust management and enforcement can be defined independently. These authorization policies can be enforced in distributed way. Policy schemas, policy subschemas and policy hierarchies can deal with complex authorization scenarios. The context constraint component makes the root policy is a context-aware authorization system. On the other hand multiple root policies can cooperate together to complete more complicated authorization tasks.

[1]  Serguei Leontiev,et al.  Using the GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 Algorithms with the Internet X.509 Public Key Infrastructure Certificate and CRL Profile , 2006, RFC.

[2]  Elisa Bertino,et al.  A flexible authorization mechanism for relational data management systems , 1999, TOIS.

[3]  Srilekha Mudumbai,et al.  Certificate-based authorization policy in a PKI environment , 2003, TSEC.

[4]  Joan Feigenbaum,et al.  A logic-based knowledge representation for authorization with delegation , 1999, Proceedings of the 12th IEEE Computer Security Foundations Workshop.

[5]  D. Elliott Bell,et al.  Secure Computer System: Unified Exposition and Multics Interpretation , 1976 .

[6]  D. Richard Kuhn,et al.  Composing and combining policies under the policy machine , 2005, SACMAT '05.

[7]  David W. Chadwick,et al.  The PERMIS X.509 role based privilege management infrastructure , 2002, SACMAT '02.

[8]  Ramaswamy Chandramouli,et al.  The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics Platforms , 2001, ACM Trans. Inf. Syst. Secur..

[9]  Simon S. Lam,et al.  Authorizations in Distributed Systems: A New Approach , 1993, J. Comput. Secur..

[10]  Sushil Jajodia,et al.  A propositional policy algebra for access control , 2003, TSEC.

[11]  Dennis G. Kafura,et al.  The PRIMA system for privilege management, authorization and enforcement in grid environments , 2003, Proceedings. First Latin American Web Congress.

[12]  Ian T. Foster,et al.  The Community Authorization Service: Status and Future , 2003, ArXiv.

[13]  Elisa Bertino,et al.  XACML policy integration algorithms: not to be confused with XACML policy combination algorithms! , 2006, SACMAT '06.

[14]  Rebekah Lepro,et al.  Cardea: Dynamic Access Control in Distributed Systems , 2004 .

[15]  Hussein Zedan,et al.  A compositional framework for access control policies enforcement , 2003, FMSE '03.

[16]  Sabrina De Capitani di Vimercati,et al.  An algebra for composing access control policies , 2002, TSEC.

[17]  Ákos Frohner,et al.  From gridmap-file to VOMS: managing authorization in a Grid environment , 2005, Future Gener. Comput. Syst..

[18]  David W. Chadwick,et al.  RBAC Policies in XML for X.509 Based Privilege Management , 2002, SEC.

[19]  Ian T. Foster,et al.  A Multipolicy Authorization Framework for Grid Security , 2006, Fifth IEEE International Symposium on Network Computing and Applications (NCA'06).

[20]  Sushil Jajodia,et al.  Flexible support for multiple access control policies , 2001, TODS.