Access control and trust in the use of widely distributed services

OASIS is a role-based access control architecture for achieving secure interoperation of independently managed services in an open, distributed environment. OASIS differs from other RBAC schemes in a number of ways: role management is decentralised, roles are parametrised, and privileges are not delegated. OASIS depends on an active middleware platform to notify services of any relevant changes in their environment. Services define roles and establish formally specified policy for role activation and service use; users must present the required credentials and satisfy specified constraints in order to activate a role or invoke a service. The membership rule of a role indicates which of the role activation conditions must remain true while the role is active. A role is deactivated immediately if any of the conditions of the membership rule associated with its activation become false. Instead of privilege delegation, OASIS introduces the notion of appointment, whereby being active in certain roles carries the privilege of issuing appointment certificates to other users. Appointment certificates capture the notion of long-lived credentials such as academic and professional qualifications or membership of an organisation. The role activation conditions of a service may include appointment certificates, prerequisite roles and environmental constraints. We define the model and architecture and discuss engineering details, including security issues. We illustrate how an OASIS session can span multiple domains, and discuss how it can be used in a global environment where roving principals, in possession of appointment certificates, encounter and wish to use services. We propose a minimal infrastructure to enable widely distributed, independently developed services to enter into agreements to respect each other's credentials. We speculate on a further extension to mutually unknown, and therefore untrusted, parties. Each party will accumulate audit certificates which embody its interaction history and which may form the basis of a web of trust.
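The activation and membership-rule mechanics described above, as an added illustration in Python (not the OASIS implementation or the paper's own code): roles are parametrised, activation requires appointment certificates, prerequisite roles and environmental predicates, and a middleware notification re-evaluates each active role's membership rule and deactivates it immediately, cascading to roles that had it as a prerequisite. The condition encoding, the `Session` class and the "nurse"/"ward3"/"on_shift" sample values are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    """A parametrised role, e.g. Role("nurse", ("ward3",)). Names here are constructed."""
    name: str
    params: tuple = ()

@dataclass(frozen=True)
class ActivationRule:
    """conditions: ("appt", cert_type), ("role", Role) or ("env", predicate).
    membership: the subset that must stay true while the role is active."""
    conditions: tuple
    membership: frozenset

class Session:
    def __init__(self, appointments, env):
        self.appointments = set(appointments)  # appointment certificates held (long-lived credentials)
        self.env = dict(env)                   # environmental predicates, updated by notifications
        self.active = {}                       # Role -> ActivationRule for currently active roles

    def holds(self, cond):
        kind, value = cond
        if kind == "appt":
            return value in self.appointments
        if kind == "role":
            return value in self.active        # prerequisite role must be active right now
        if kind == "env":
            return bool(self.env.get(value))
        raise ValueError(f"unknown condition kind {kind!r}")

    def activate(self, role, rule):
        """Activate only if every activation condition holds; nothing is delegated."""
        if all(self.holds(c) for c in rule.conditions):
            self.active[role] = rule
            return True
        return False

    def notify(self, predicate, value):
        """Middleware notification: re-check membership rules, deactivate at once, cascade."""
        self.env[predicate] = value
        changed = True
        while changed:
            changed = False
            for role, rule in list(self.active.items()):
                if not all(self.holds(c) for c in rule.membership):
                    del self.active[role]
                    changed = True
        return set(self.active)
```

Because a prerequisite-role condition is re-evaluated against the live set of active roles, dropping one role on an environment change also drops every role that listed it in its membership rule, without any explicit revocation of delegated privilege.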
