A Rule-Based Framework for Role-Based Delegation and Revocation

Longhua Zhang, Gail-Joon Ahn, Bei Tseng Chu

Research output: Contribution to journal › Article

159 Citations (Scopus)

Abstract

Delegation is the process whereby an active entity in a distributed environment authorizes another entity to access resources. In today's distributed systems, a user often needs to act on another user's behalf with some subset of his/her rights. Most systems have attempted to resolve such delegation requirements with ad-hoc mechanisms by compromising existing disorganized policies or simply attaching additional components to their applications. Still, there is a strong need in large, distributed systems for a mechanism that provides effective privilege delegation and revocation management. This paper describes a rule-based framework for role-based delegation and revocation. The basic idea behind a role-based delegation is that users themselves may delegate role authorities to others to carry out some functions authorized to the former. We present a role-based delegation model called RDM2000 (role-based delegation model 2000) supporting hierarchical roles and multistep delegation. Different approaches for delegation and revocation are explored. A rule-based language for specifying and enforcing policies on RDM2000 is proposed. We describe a proof-of-concept prototype implementation of RDM2000 to demonstrate the feasibility of the proposed framework and provide secure protocols for managing delegations. The prototype is a web-based application for law enforcement agencies allowing reliable delegation and revocation. The future directions are also discussed.
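The abstract names three mechanics: users delegating role authorities they themselves hold, multistep delegation over a role hierarchy, and revocation. The Python model below is an added example, not the paper's RDM2000 formalism, its rule language or its prototype, showing how those mechanics interact in running code: a delegator may pass on only a role they hold (directly or through a senior role), each re-delegation increments a chain depth that is capped, and revocation can either remove a single grant or cascade to every grant that no longer traces back to an original member. The role names (Chief, Detective, Officer), users, permissions and the depth bound of 2 are constructed for the example.

```python
# Added example, not the paper's RDM2000 formalism or prototype: a small model of
# user-to-user role delegation with a role hierarchy, a bound on multi-step
# delegation, and cascading vs. non-cascading revocation. All names are constructed.
from collections import namedtuple

# depth: 1 = granted by an original member, 2 = re-delegated once, and so on
Delegation = namedtuple("Delegation", "delegator delegatee role depth")


class DelegationModel:
    def __init__(self, hierarchy, permissions, max_depth=2):
        self.hierarchy = hierarchy      # {senior_role: [junior_role, ...]}
        self.permissions = permissions  # {role: {permission, ...}}
        self.max_depth = max_depth      # longest delegation chain allowed
        self.original = {}              # user -> roles assigned by an administrator
        self.delegations = set()        # active Delegation records

    def assign(self, user, role):
        self.original.setdefault(user, set()).add(role)

    def juniors(self, role):
        """Roles dominated by `role` in the hierarchy, including `role` itself."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.hierarchy.get(r, []))
        return seen

    def _holds(self, user, role, via):
        """True if `user` holds `role` (directly or through a senior role) from an
        original assignment or from one of the delegations in `via`."""
        granted = set(self.original.get(user, ()))
        granted |= {d.role for d in via if d.delegatee == user}
        return any(role in self.juniors(r) for r in granted)

    def depth_of(self, user, role):
        """0 for an original member, else the shortest chain granting `role`; None if none."""
        if self._holds(user, role, via=set()):
            return 0
        depths = [d.depth for d in self.delegations
                  if d.delegatee == user and role in self.juniors(d.role)]
        return min(depths) if depths else None

    def can(self, user, permission):
        # access check over original and delegated roles, closed under the hierarchy
        return any(permission in perms and self._holds(user, role, self.delegations)
                   for role, perms in self.permissions.items())

    def delegate(self, delegator, delegatee, role):
        """A user may delegate only a role they hold, and only within max_depth."""
        depth = self.depth_of(delegator, role)
        if depth is None:
            raise PermissionError(f"{delegator} does not hold role {role}")
        if depth + 1 > self.max_depth:
            raise PermissionError(f"{delegator} -> {delegatee} would exceed depth {self.max_depth}")
        d = Delegation(delegator, delegatee, role, depth + 1)
        self.delegations.add(d)
        return d

    def revoke(self, delegator, delegatee, role, cascade=True):
        """Remove one delegation. With cascade=True, also drop every delegation that no
        longer traces back to an original member (a least fixpoint, so a cycle of
        delegated-only users cannot keep itself alive after the revocation)."""
        target = {d for d in self.delegations
                  if (d.delegator, d.delegatee, d.role) == (delegator, delegatee, role)}
        if not target:
            raise KeyError(f"no delegation {delegator} -> {delegatee} of {role}")
        self.delegations -= target
        if not cascade:
            return target
        supported = set()
        while True:
            new = {d for d in self.delegations - supported
                   if self._holds(d.delegator, d.role, via=supported)}
            if not new:
                break
            supported |= new
        removed = target | (self.delegations - supported)
        self.delegations = supported
        return removed


def run_scenario(cascade=True):
    """Constructed scenario: alice (Chief) delegates Detective to bob; bob re-delegates
    Officer to carol; carol's further delegation hits the depth bound; alice revokes."""
    m = DelegationModel(hierarchy={"Chief": ["Detective"], "Detective": ["Officer"]},
                        permissions={"Chief": {"approve_warrant"},
                                     "Detective": {"read_case_file"},
                                     "Officer": {"file_report"}}, max_depth=2)
    m.assign("alice", "Chief")
    m.delegate("alice", "bob", "Detective")  # depth 1
    m.delegate("bob", "carol", "Officer")    # depth 2: bob holds Officer through Detective
    try:
        m.delegate("carol", "dave", "Officer")  # would be depth 3
        refused = False
    except PermissionError:
        refused = True
    before = (m.can("bob", "read_case_file"), m.can("bob", "approve_warrant"),
              m.can("carol", "file_report"))
    removed = m.revoke("alice", "bob", "Detective", cascade=cascade)
    return {"third_step_refused": refused, "before": before, "removed": len(removed),
            "bob_after": m.can("bob", "read_case_file"),
            "carol_after": m.can("carol", "file_report")}
```

Calling `run_scenario(True)` shows the cascading case: revoking alice's grant to bob also removes bob's grant to carol, because it no longer traces back to an original member. `run_scenario(False)` leaves carol's Officer membership in place even though bob, who granted it, has lost the role; that dangling grant is the reason cascading revocation is the safer default when a delegation chain is broken from above.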

Original language: English (US)
Pages (from-to): 404-441
Number of pages: 38
Journal: ACM Transactions on Information and System Security
Volume: 6
Issue number: 3
DOIs: 10.1145/937527.937530
State: Published - Aug 1 2003
Externally published: Yes

Keywords

  • access control
  • delegation
  • Management
  • revocation
  • Role
  • rule-based
  • Security

ASJC Scopus subject areas

  • Computer Science(all)
  • Safety, Risk, Reliability and Quality

Cite this

A Rule-Based Framework for Role-Based Delegation and Revocation. / Zhang, Longhua; Ahn, Gail-Joon; Chu, Bei Tseng.

In: ACM Transactions on Information and System Security, Vol. 6, No. 3, 01.08.2003, p. 404-441.


@article{6a24dc652ba7419fbd50179417ddfe3e,
title = "A Rule-Based Framework for Role-Based Delegation and Revocation",
abstract = "Delegation is the process whereby an active entity in a distributed environment authorizes another entity to access resources. In today's distributed systems, a user often needs to act on another user's behalf with some subset of his/her rights. Most systems have attempted to resolve such delegation requirements with ad-hoc mechanisms by compromising existing disorganized policies or simply attaching additional components to their applications. Still, there is a strong need in large, distributed systems for a mechanism that provides effective privilege delegation and revocation management. This paper describes a rule-based framework for role-based delegation and revocation. The basic idea behind a role-based delegation is that users themselves may delegate role authorities to others to carry out some functions authorized to the former. We present a role-based delegation model called RDM2000 (role-based delegation model 2000) supporting hierarchical roles and multistep delegation. Different approaches for delegation and revocation are explored. A rule-based language for specifying and enforcing policies on RDM2000 is proposed. We describe a proof-of-concept prototype implementation of RDM2000 to demonstrate the feasibility of the proposed framework and provide secure protocols for managing delegations. The prototype is a web-based application for law enforcement agencies allowing reliable delegation and revocation. The future directions are also discussed.",
keywords = "access control, delegation, Management, revocation, Role, rule-based, Security",
author = "Longhua Zhang and Gail-Joon Ahn and Chu, {Bei Tseng}",
year = "2003",
month = "8",
day = "1",
doi = "10.1145/937527.937530",
language = "English (US)",
volume = "6",
pages = "404--441",
journal = "ACM Transactions on Information and System Security",
issn = "1094-9224",
publisher = "Association for Computing Machinery (ACM)",
number = "3",

}

TY - JOUR

T1 - A Rule-Based Framework for Role-Based Delegation and Revocation

AU - Zhang, Longhua

AU - Ahn, Gail-Joon

AU - Chu, Bei Tseng

PY - 2003/8/1

Y1 - 2003/8/1

N2 - Delegation is the process whereby an active entity in a distributed environment authorizes another entity to access resources. In today's distributed systems, a user often needs to act on another user's behalf with some subset of his/her rights. Most systems have attempted to resolve such delegation requirements with ad-hoc mechanisms by compromising existing disorganized policies or simply attaching additional components to their applications. Still, there is a strong need in large, distributed systems for a mechanism that provides effective privilege delegation and revocation management. This paper describes a rule-based framework for role-based delegation and revocation. The basic idea behind a role-based delegation is that users themselves may delegate role authorities to others to carry out some functions authorized to the former. We present a role-based delegation model called RDM2000 (role-based delegation model 2000) supporting hierarchical roles and multistep delegation. Different approaches for delegation and revocation are explored. A rule-based language for specifying and enforcing policies on RDM2000 is proposed. We describe a proof-of-concept prototype implementation of RDM2000 to demonstrate the feasibility of the proposed framework and provide secure protocols for managing delegations. The prototype is a web-based application for law enforcement agencies allowing reliable delegation and revocation. The future directions are also discussed.

AB - Delegation is the process whereby an active entity in a distributed environment authorizes another entity to access resources. In today's distributed systems, a user often needs to act on another user's behalf with some subset of his/her rights. Most systems have attempted to resolve such delegation requirements with ad-hoc mechanisms by compromising existing disorganized policies or simply attaching additional components to their applications. Still, there is a strong need in large, distributed systems for a mechanism that provides effective privilege delegation and revocation management. This paper describes a rule-based framework for role-based delegation and revocation. The basic idea behind a role-based delegation is that users themselves may delegate role authorities to others to carry out some functions authorized to the former. We present a role-based delegation model called RDM2000 (role-based delegation model 2000) supporting hierarchical roles and multistep delegation. Different approaches for delegation and revocation are explored. A rule-based language for specifying and enforcing policies on RDM2000 is proposed. We describe a proof-of-concept prototype implementation of RDM2000 to demonstrate the feasibility of the proposed framework and provide secure protocols for managing delegations. The prototype is a web-based application for law enforcement agencies allowing reliable delegation and revocation. The future directions are also discussed.

KW - access control

KW - delegation

KW - Management

KW - revocation

KW - Role

KW - rule-based

KW - Security

UR - http://www.scopus.com/inward/record.url?scp=3042684910&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=3042684910&partnerID=8YFLogxK

U2 - 10.1145/937527.937530

DO - 10.1145/937527.937530

M3 - Article

VL - 6

SP - 404

EP - 441

JO - ACM Transactions on Information and System Security

JF - ACM Transactions on Information and System Security

SN - 1094-9224

IS - 3

ER -