An advanced policy based authorisation infrastructure

Authors:
David W. Chadwick;Kaniz Fatema
Affiliations:
University of Kent, Canterbury, United Kingdom;University of Kent, Canterbury, United Kingdom
Venue:
Proceedings of the 5th ACM workshop on Digital identity management
Year:
2009

Citing 8
Cited 0

Towards Accountable Management of Identity and Privacy: Sticky Policies and Enforceable Tracing Services

DEXA '03 Proceedings of the 14th International Workshop on Database and Expert Systems Applications
Achieving fine-grained access control in virtual organizations: Research Articles

Concurrency and Computation: Practice & Experience - Second International Workshop on Emerging Technologies for Next-generation GRID (ETNGRID 2005)
Overriding of Access Control in XACML

POLICY '07 Proceedings of the Eighth IEEE International Workshop on Policies for Distributed Systems and Networks
Coordinating access control in grid services

Concurrency and Computation: Practice & Experience - Middleware for Grid Computing: Future Trends (MGC2006)
PERMIS: a modular authorization infrastructure

Concurrency and Computation: Practice & Experience - UK e-Science All Hands Meeting 2006
Enforcing "sticky" security policies throughout a distributed application

Proceedings of the 2008 workshop on Middleware security
Adding support to XACML for multi-domain user to user dynamic delegation of authority

International Journal of Information Security
Using WebDAV for improved certificate revocation and publication

EuroPKI'07 Proceedings of the 4th European conference on Public Key Infrastructure: theory and practice

Quantified Score

Hi-index	0.00

Visualization

Abstract

We describe a more advanced authorisation infrastructure for identity management systems which in addition to the traditional Policy Enforcement Point (PEP) and Policy Decision Point (PDP) has an application independent policy enforcement point (AIPEP), a credential validation service (CVS) and a master PDP. The AIPEP is responsible for handling sticky policies, calling the master PDP, performing application independent obligations, and validating credentials using the CVS. The master PDP is responsible for calling multiple traditional PDPs that support a variety of policy languages, and resolving conflicts between the various authorisation decisions. Whilst this authorisation infrastructure may seem more complex to implement, it is in fact easier for applications to integrate since nearly all of the complexity is hidden beneath the PEP interface.