Authorization in enterprise-wide distributed system: a practical design and application

As companies migrate from a centralized to a distributed computing environment, the administration and management of security policies, in particular authorization policies, is becoming an increasingly difficult task. The paper considers the design of an authorization system that is suitable for distributed applications. It discusses the architectural design principles, describes the constructs of the authorization policy language and outlines the authorization service and components involved. The paper gives some example policy specifications and illustrates how privileges are specified and evaluated, as well as how privilege resolutions are achieved.

[1]  Simon S. Lam,et al.  Authorization in distributed systems: a formal approach , 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[2]  Sushil Jajodia,et al.  A logical language for expressing authorizations , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[3]  Vijay Varadharajan,et al.  Support for joint action based security policies , 1996, ACISP.

[4]  Michael J. Nash,et al.  Some conundrums concerning separation of duty , 1990, Proceedings. 1990 IEEE Computer Society Symposium on Research in Security and Privacy.

[5]  Vijay Varadharajan,et al.  A logic for state transformations in authorization policies , 1997, Proceedings 10th Computer Security Foundations Workshop.

[6]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[7]  Mary Ellen Zurko,et al.  User-centered security , 1996, NSPW '96.

[8]  John T. Kohl,et al.  The Kerberos Network Authentication Service (V5 , 2004 .