Lightweight decentralized authorization model for inter-domain collaborations

Inter-domain collaborations comprise a series of tasks whose run-time environment stretches over heterogeneous systems governed by different sets of policies, and in which participating organizations desire to preserve control over their resources. One of the major security challenges in modeling those inter-domain collaborations is providing a decentralized authorization solution. At the core of this challenge lie two problems that arise when a principal originates from outside the decision maker's domain: 1) the authorization decision maker does not know who the principal is, and 2) it does not know which set of privileges the principal owns. Currently, a number of different approaches tackle this problem and claim to provide a full-fledged solution. These approaches, however, often require the use of particular infrastructures and their own policy languages. In this paper, we propose a lightweight model using the concept of distributed roles from the dRBAC model to bridge different domain boundaries. Based on e-Government collaboration scenarios, we identify a set of requirements for decentralized authorization and propose an extension to the current XACML specification as a realization of our model.
