SwePub

Result list for search "WFRF:(Sadighi Babak)"

  • Result 1-10 of 19
1.
  • Alqatawna, Ja´far, et al. (author)
  • Overriding of Access Control in XACML
  • 2007. - 1
  • In: Proceedings of the Eighth IEEE International Workshop on Policies for Distributed Systems and Networks.
  • Conference paper (peer-reviewed)
    • Most access control mechanisms focus on how to define the rights of users in a precise way to prevent any violation of the access control policy of an organization. However, in many cases it is hard to predefine all access needs, or even to express them in machine readable form. One example of such a situation is an emergency case which may not be predictable and would be hard to express as a machine readable condition. Discretionary overriding of access control is one way for handling such hard to define and unanticipated situations where availability is critical. The override mechanism gives the subject of the access control policy the possibility to override a denied decision, and if the subject should confirm the override, the access will be logged for special auditing. XACML, the eXtensible Access Control Markup Language, provides a standardized access control policy language for expressing access control policies. This paper introduces a discretionary overriding mechanism in XACML. We do so by means of XACML obligations and also define a general obligation combining mechanism.
2.
  • Bandmann, Olav, et al. (author)
  • Constrained delegation
  • 2002. - 1
  • In: Proceedings of IEEE Symposium on Security and Privacy.
  • Conference paper (peer-reviewed)
    • Sometimes it is useful to be able to separate between the management of a set of resources, and the access to the resources themselves. Current accounts of delegation do not allow such distinctions to be easily made, however. We introduce a new model for delegation to address this issue. The approach is based on the idea of controlling the possible shapes of delegation chains. We use constraints to restrict the capabilities at each step of delegation. Constraints may reflect e.g. group memberships, timing constraints, or dependencies on external data. Regular expressions are used to describe chained constraints. We present a number of example delegation structures, based on a scenario of collaborating organisations.
3.
  • Dam, Mads, et al. (author)
  • A research agenda for distributed policy-based management
  • 2002. - 2
  • In: Proceedings of RVK'02, Radiovetenskap och Kommunikation.
  • Conference paper (peer-reviewed)
    • Policy-based management is based on defining a set of global rules, according to which a network or distributed system must operate. In the last few years, policy-based management has begun to emerge as the dominant paradigm for developing network and systems management functions, primarily, since it can reduce complexity in management applications. Although attempts are underway to standardize policy-based management, significant research challenges remain. At KTH and SICS, a joint activity has been started to focus on some of the key issues. The paper outlines the research agenda for this activity.
4.
  •  
5.
  • Rissanen, Erik, et al. (author)
  • Discretionary overriding of access control in the privilege calculus
  • 2005
  • In: Formal Aspects in Security and Trust: IFIP TC1 WG1.7 Workshop on Formal Aspects in Security and Trust (FAST), World Computer Congress, August 22-27, 2004. - Springer. - ISBN 9780387240503, pp. 219-232
  • Book chapter (peer-reviewed)
6.
  •  
7.
  •  
8.
  • Sadighi, Babak, et al. (author)
  • Contractual access control
  • 2002. - 1
  • Conference paper (peer-reviewed)
    • In this position paper we discuss the issue of enforcing access policies in distributed environments where there is no central system designer/administrator, and consequently no guarantee that policies will be properly implemented by all components of the system. We argue that existing access control models, which are based on the concepts of permission and prohibition, need to be extended with the concept of entitlement. Entitlement to access a resource means not only that the access is permitted but also that the controller of the resource is obliged to grant the access when it is requested. An obligation to grant the access however does not guarantee that it will be granted: agents are capable of violating their obligations. In the proposed approach we discuss a Community Regulation Server that not only reasons about access permissions and obligations, but also updates the normative state of a community according to the contractual performance of its interacting agents.
9.
  • Sadighi, Babak (author)
  • Decentralised Privilege Management for Access Control
  • 2005. - 2
  • Doctoral thesis (other academic/artistic)
    • The Internet and the more recent technologies such as web services, grid computing, utility computing and peer-to-peer computing have created possibilities for very dynamic collaborations and business transactions where information and computational resources may be accessed and shared among autonomous and administratively independent organisations. In these types of collaborations, there is no single authority who can define access policies for all the shared resources. More sophisticated mechanisms are needed to enable flexible administration and enforcement of access policies. The challenge is to develop mechanisms that preserve a high level of control on the administration and the enforcement of policies, whilst supporting the required administrative flexibility. We introduce two new frameworks to address this issue. In the first part of the thesis we develop a formal framework and an associated calculus for delegation of administrative authority, within and across organisational boundaries, with possibilities to define various restrictions on their propagation and revocation. The extended version of the framework allows reasoning with named groups of users, objects, and actions, and a specific subsumes relation between these groups. We also extend current discretionary access control models with the concept of ability, as a way of specifying when a user is able to perform an action even though not permitted to do so. This feature allows us to model detective access control (unauthorised accesses are logged for post-validation resulting in recovery and/or punitive actions) in addition to traditional preventative access control (providing mechanisms that guarantee no unauthorised access can take place). Detective access control is useful when prevention is either physically or economically impossible, or simply undesirable for one reason or another. 
      In the second part of the thesis, we develop a formal framework for contractual-based access control to shared resources among independent organisations. We introduce the notion of entitlement in the context of access control models as an access permission supported by an obligation agreed in a contract between the access requester and the resource provider. The framework allows us to represent the obligations in a contract in a structured way and to reason about their fulfilments and violations.
10.
  • Sadighi, Babak, et al. (author)
  • Decentraliserad rättighetshantering
  • 2003. - 1
  • Conference paper (peer-reviewed)
    • With the development of modern computer networks, a new advanced channel for communication emerges. The future Swedish defence will use multiple systems connected with high-speed networks for information sharing. Within this environment, the issue of administration of authorisation is crucial. SaabTech Systems and SICS have in collaboration developed a model and a prototype for decentralised administration of authorisations. The model is based on delegation of authorisations extended with a component to define constraints on delegations. This enables efficient decentralised administration that reflects the management structure of an organization in a natural way, at the same time as it maintains centralised control on the distribution of authorisations. All authorisations must fulfil constraints defined by their sources of authority. The source of authority may, for instance, define in advance how a certain authorisation can be distributed and used, in terms of whom and when it can be delegated. The model supports several schemes for revocation of authorization.