A Rule-Based Framework for Role-Based Delegation and Revocation

Longhua Zhang, Gail Joon Ahn, Bei Tseng Chu

Research output: Contribution to journalArticle

161 Scopus citations

Abstract

Delegation is the process whereby an active entity in a distributed environment authorizes another entity to access resources. In today's distributed systems, a user often needs to act on another user's behalf with some subset of his/her rights. Most systems have attempted to resolve such delegation requirements with ad-hoc mechanisms by compromising existing disorganized policies or simply attaching additional components to their applications. Still, there is a strong need in the large, distributed systems for a mechanism that provides effective privilege delegation and revocation management. This paper describes a rule-based framework for role-based delegation and revocation. The basic idea behind a role-based delegation is that users themselves may delegate role authorities to others to carry out some functions authorized to the former. We present a role-based delegation model called RDM2000 (role-based delegation model 2000) supporting hierarchical roles and multistep delegation. Different approaches for delegation and revocation are explored. A rulebased language for specifying and enforcing policies on RDM2000 is proposed.We describe a proof of-concept prototype implementation of RDM2000 to demonstrate the feasibility of the proposed framework and provide secure protocols for managing delegations. The prototype is a web-based application for law enforcement agencies allowing reliable delegation and revocation. The future directions are also discussed.

Original languageEnglish (US)
Pages (from-to)404-441
Number of pages38
JournalACM Transactions on Information and System Security
Volume6
Issue number3
DOIs
StatePublished - Aug 1 2003

Keywords

  • Management
  • Role
  • Security
  • access control
  • delegation
  • revocation
  • rule-based

ASJC Scopus subject areas

  • Computer Science(all)
  • Safety, Risk, Reliability and Quality

Fingerprint Dive into the research topics of 'A Rule-Based Framework for Role-Based Delegation and Revocation'. Together they form a unique fingerprint.

  • Cite this