Extending XACML Authorisation Model to Support Policy Obligations Handling in Distributed Applications

The paper summarises the recent and on-going developments and discussions in the Grid security community to built interoperable and scalable AuthZ infrastructure for distributed applications. The paper provides a short overview of the XACML policy format and policy obligations definition in the XACML specification. The paper analyses the basic use cases for obligations in computer Grids and on-demand network resource provisioning abstracted to the general complex resource provisioning (CRP) model to identify major requirements and functionalities in obligations handling that further is proposed as a Reference Model for Obligations Handling (OHRM). The paper refers to ongoing implementations of the obligations interoperability and handling framework in such project as EU funded projects EGEE and Phosphorus. The proposed implementation is based on the adoption and extension of the OASIS SAML2.0 profile of XACML specification but defining a number of missing interface definitions and semantic conventions. The purpose of this paper is to facilitate wider discussion of the policy obligations concept based on the described ongoing implementations.