Abstract
Delegation is the process whereby an active entity in a distributed environment authorizes another entity to access resources. In today's distributed systems, a user often needs to act on another user's behalf with some subset of his/her rights. Most systems have attempted to resolve such delegation requirements with ad-hoc mechanisms by compromising existing disorganized policies or simply attaching additional components to their applications. Still, there is a strong need in the large, distributed systems for a mechanism that provides effective privilege delegation and revocation management. This paper describes a rule-based framework for role-based delegation and revocation. The basic idea behind a role-based delegation is that users themselves may delegate role authorities to others to carry out some functions authorized to the former. We present a role-based delegation model called RDM2000 (role-based delegation model 2000) supporting hierarchical roles and multistep delegation. Different approaches for delegation and revocation are explored. A rulebased language for specifying and enforcing policies on RDM2000 is proposed.We describe a proof of-concept prototype implementation of RDM2000 to demonstrate the feasibility of the proposed framework and provide secure protocols for managing delegations. The prototype is a web-based application for law enforcement agencies allowing reliable delegation and revocation. The future directions are also discussed.
Original language | English (US) |
---|---|
Pages (from-to) | 404-441 |
Number of pages | 38 |
Journal | ACM Transactions on Information and System Security |
Volume | 6 |
Issue number | 3 |
DOIs | |
State | Published - Aug 1 2003 |
Externally published | Yes |
Keywords
- Management
- Role
- Security
- access control
- delegation
- revocation
- rule-based
ASJC Scopus subject areas
- General Computer Science
- Safety, Risk, Reliability and Quality