In this paper we describe how we have added support to the XACML model for authorisation decision making for dynamic delegation of authority, which is enacted via the issuing of credentials from one user to another. Initially we present the problems and requirements that such a model demands, considering that multiple domains will typically be involved. We then describe our architected solution based on the XACML conceptual and data flow models. We also present at a conceptual level the policy elements that are necessary to support this model of dynamic delegation of authority. Given that these policy elements are significantly different to those of the existing XACML policy, we propose a new conceptual entity called the Credential Validation Service (CVS), to work alongside the XACML PDP in authorisation decision making. Finally we present an overview of our first specification of such a policy and its implementation in the corresponding CVS.