Designing an Authorization Service
نویسندگان
چکیده
We present the design of an authorization service which parallels existing authentication services for distributed systems. Such a service would operate on top of an authentication substrate. There are two distinct ideas underlying our design: (1) The use of a language, called generalized access control list (GACL), as a common representation of authorization requirements. (2) The use of authenticated delegation to effect authorization offloading from an end server to an authorization server. We present the syntax and semantics of GACL, and illustrate how it can be used to specify authorization requirements that cannot be easily specified by ordinary ACL. We also describe the protocols in our design. Research sponsored by NSA INFOSEC University Research Program under contract no. MDA 904-94-C-6106. Technical report TR-93-29, Department of Computer Sciences, University of Texas at Austin, October 1994 (revised).
منابع مشابه
Access control in ultra-large-scale systems using a data-centric middleware
The primary characteristic of an Ultra-Large-Scale (ULS) system is ultra-large size on any related dimension. A ULS system is generally considered as a system-of-systems with heterogeneous nodes and autonomous domains. As the size of a system-of-systems grows, and interoperability demand between sub-systems is increased, achieving more scalable and dynamic access control system becomes an im...
متن کاملDesigning a Distributed Authorization Service
We present the design of a distributed authorization service which parallels existing authentication services for distributed systems. Such a service would operate on top of an authentication substrate. There are two distinct ideas underlying our design: (1) The use of a language, called generalized access control list (GACL), as a common representation of authorization requirements. (2) The us...
متن کاملTowards a Unified Authentication and Authorization Infrastructure for Grid Services: Implementing an Enhanced OCSP Service Provider into GT4
The OGSA definition of a Grid Service as a transient, stateful and dynamically instantiated Web Service introduced new authentication and authorization requirements beyond those already established for existing Grid environments. However such design features have begun to be developed currently following a pre-Web Services approach in two aspects: in the first place making a clear separation of...
متن کاملDelegation Issuing Service for X . 509
This paper describes the concept of a delegation issuing service (DIS), which is a service that issues X.509 attribute certificates on behalf of an attribute authority (typically a manager). The paper defines the X.509 certificate extensions that are being proposed for the 2005 edition of X.509 in order to implement the DIS concept, as well as the additional steps that a relying party will need...
متن کاملA New Collaborative Trust Enhanced Security Model For Distributed System
Designing a distributed system with the characteristics of reliability and trustworthiness is an important issue. Yet another important issue in the distributed system is the access of remote system which can be achieved on the basis of certain access rights, policies or authorization semantics. The aim of this paper is to establish a collaborative trust enhanced security model for distributed ...
متن کامل