Cardea: Dynamic Access Control in Distributed Systems

Modern authorization systems span administrative domains, rely on many different authentication sources, and manage complex attributes as part of the authorization process. This paper presents Cardea, a distributed system that facilitates dynamic access control, as a component of an interoperable authorization framework. First, the authorization model employed in Cardea and its functionality goals are examined. Next, critical features of the system architecture and its handling of the authorization process are described. Then the SAML and XACML standards, as incorporated into the system, are analyzed. Finally, the future directions of this project are outlined and connection points with general components of an authorization system are highlighted.
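The abstract describes the general pattern Cardea builds on: attributes about a subject are asserted by an authority in one domain (SAML) and consumed by a policy decision point in another (XACML). The following Python sketch is an added example of that pattern, not Cardea's code and not a SAML or XACML implementation. It uses an HMAC as a stand-in for the XML signature a real assertion carries, a constructed issuer URL and key, and a constructed three-rule policy evaluated with XACML 1.0 deny-overrides combining. The point it shows beyond the abstract is the fail-closed behaviour: an assertion that is tampered with, expired or from an unknown issuer contributes no attributes, and a Deny rule that cannot be evaluated for lack of attributes is Indeterminate, which deny-overrides turns into Deny.

```python
"""SAML-style attribute assertion feeding an XACML-style PDP (added example, not Cardea's code)."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Optional

# Hypothetical attribute authority and a shared key standing in for XML-DSig (constructed).
ISSUER_KEYS = {"https://aa.example.org": b"constructed-demo-key"}


def issue_assertion(issuer: str, subject: str, attributes: dict, now: float, ttl: int = 300) -> dict:
    """Attribute authority side: bind attributes to a subject inside a validity window."""
    body = {"issuer": issuer, "subject": subject, "attributes": attributes,
            "not_before": now, "not_on_or_after": now + ttl}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEYS[issuer], payload, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_assertion(assertion: dict, now: float) -> Optional[dict]:
    """PDP side: accept attributes only from a trusted issuer, intact and within validity."""
    body = assertion["body"]
    key = ISSUER_KEYS.get(body.get("issuer"))
    if key is None:
        return None
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None
    if not body["not_before"] <= now < body["not_on_or_after"]:
        return None
    return body["attributes"]


@dataclass
class Rule:
    rule_id: str
    effect: str                                   # "Permit" or "Deny"
    target: dict                                  # {category: {attribute: set(allowed values)}}
    condition: Optional[Callable[[dict], bool]] = None


def target_matches(target: dict, request: dict) -> bool:
    for category, attrs in target.items():
        for name, allowed in attrs.items():
            if request.get(category, {}).get(name) not in allowed:
                return False
    return True


def evaluate_rule(rule: Rule, request: dict) -> str:
    if not target_matches(rule.target, request):
        return "NotApplicable"
    if rule.condition is not None:
        try:
            if not rule.condition(request):
                return "NotApplicable"
        except (KeyError, TypeError, ValueError):
            return "Indeterminate"                # missing or ill-typed attribute
    return rule.effect


def deny_overrides(rules: list, request: dict) -> str:
    """XACML 1.0 deny-overrides rule combining: Deny wins, and an error in a Deny rule is Deny."""
    results = [(r.effect, evaluate_rule(r, request)) for r in rules]
    if any(res == "Deny" for _, res in results):
        return "Deny"
    if any(eff == "Deny" and res == "Indeterminate" for eff, res in results):
        return "Deny"
    if any(res == "Permit" for _, res in results):
        return "Permit"
    if any(res == "Indeterminate" for _, res in results):
        return "Indeterminate"
    return "NotApplicable"


# Constructed policy for a grid job queue; attribute names are illustrative.
POLICY = [
    Rule("permit-climate-researchers", "Permit",
         {"subject": {"role": {"researcher"}, "project": {"climate"}},
          "resource": {"queue": {"production"}},
          "action": {"id": {"submit"}}}),
    Rule("deny-revoked", "Deny",
         {"subject": {"status": {"revoked"}}}),
    Rule("deny-over-quota", "Deny",
         {"action": {"id": {"submit"}}},
         condition=lambda req: int(req["resource"]["cpu_hours"]) > int(req["subject"]["max_cpu_hours"])),
]


def decide(assertion: dict, resource: dict, action: dict, now: float) -> str:
    """PDP entry point: subject attributes come only from a verified assertion."""
    subject = verify_assertion(assertion, now) or {}
    request = {"subject": subject, "resource": resource, "action": action}
    return deny_overrides(POLICY, request)
```

A policy enforcement point would treat anything other than Permit as a refusal; the distinction between Deny, Indeterminate and NotApplicable matters for logging and for the policy combining layer above the rules, which the example does not model.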
