Flexible Resolution of Authorisation Conflicts in Distributed Systems

Authors:
Changyu Dong;Giovanni Russello;Naranker Dulay
Affiliations:
Department of Computing, Imperial College London, London, UK SW7 2AZ;Department of Computing, Imperial College London, London, UK SW7 2AZ;Department of Computing, Imperial College London, London, UK SW7 2AZ
Venue:
DSOM '08 Proceedings of the 19th IFIP/IEEE international workshop on Distributed Systems: Operations and Management: Managing Large-Scale Service Deployment
Year:
2008

Citing 12
Cited 0

Integrating security in a large distributed system

ACM Transactions on Computer Systems (TOCS)
The SeaView Security Model

IEEE Transactions on Software Engineering
Authorizations in relational database management systems

CCS '93 Proceedings of the 1st ACM conference on Computer and communications security
A flexible authorization mechanism for relational data management systems

ACM Transactions on Information Systems (TOIS)
Conflicts in Policy-Based Distributed Systems Management

IEEE Transactions on Software Engineering
Flexible support for multiple access control policies

ACM Transactions on Database Systems (TODS)
The Ponder Policy Specification Language

POLICY '01 Proceedings of the International Workshop on Policies for Distributed Systems and Networks
A stratification-based approach for handling conflicts in access control

Proceedings of the eighth ACM symposium on Access control models and technologies
Authorization in Distributed Systems: A Formal Approach

SP '92 Proceedings of the 1992 IEEE Symposium on Security and Privacy
Policy-Based Network Management: Solutions for the Next Generation (The Morgan Kaufmann Series in Networking)

Policy-Based Network Management: Solutions for the Next Generation (The Morgan Kaufmann Series in Networking)
Authorisation and Conflict Resolution for Hierarchical Domains

POLICY '07 Proceedings of the Eighth IEEE International Workshop on Policies for Distributed Systems and Networks
A cautionary note about policy conflict resolution

MILCOM'06 Proceedings of the 2006 IEEE conference on Military communications

Quantified Score

Hi-index	0.00

Visualization

Abstract

Managing security in distributed systems requires flexible and expressive authorisation models with support for conflict resolution. Models need to be hierarchical but also non-monotonic supporting both positive and negative authorisations. In this paper, we present an approach to resolve the authorisation conflicts that inevitably occur in such models, with administrator specified conflict resolution strategies (rules). Strategies can be global or applied to specific parts of a system and dynamically loaded for different applications. We use Courteous Logic Programs (CLP) for the specification and enforcement of strategies. Authorisation policies are translated into labelled rules in CLP and prioritised. The prioritisation is regulated by simple override rules specified or selected by administrators. We demonstrate the capabilities of the approach by expressing the conflict resolution strategy for a moderately complex authorisation model that organises subjects and objects hierarchically.