Flexible Resolution of Authorisation Conflicts in Distributed Systems
Authors
Abstract
Managing security in distributed systems requires flexible and expressive authorisation models with support for conflict resolution. Models need to be hierarchical but also non-monotonic, supporting both positive and negative authorisations. In this paper, we present an approach to resolve the authorisation conflicts that inevitably occur in such models, with administrator-specified conflict resolution strategies (rules). Strategies can be global or applied to specific parts of a system and dynamically loaded for different applications. We use Courteous Logic Programs (CLP) for the specification and enforcement of strategies. Authorisation policies are translated into labelled rules in CLP and prioritised. The prioritisation is regulated by simple override rules specified or selected by administrators. We demonstrate the capabilities of the approach by expressing the conflict resolution strategy for a moderately complex authorisation model that organises subjects and objects
Similar resources
A method for access authorisation through delegation networks
Owners of systems and resources usually want to control who can access them. This must be based on having a process for authorising certain parties, combined with mechanisms for enforcing that only authorised parties are actually able to access those systems and resources. In distributed systems, the authorisation process can include negative authorisation (e.g. black listing), and delegation o...
Resolving Policy Conflicts - Integrating Policies from Multiple Authors
In this paper we show that the static conflict resolution strategy of XACML is not always sufficient to satisfy the policy needs of an organisation where multiple parties provide their own individual policies. Different conflict resolution strategies are often required for different situations. Thus combining one or more sets of policies into a single XACML ‘super policy’ that is evaluated by a...
Specification of Authorisation Services
This document describes MAFTIA authorisation services and how they will be implemented in the MAFTIA architecture. The authorisation services implement a fine grain protection, i.e., capable of protecting each object method invocation, in order to satisfy as much as possible the least privilege principle and to obtain the best protection efficacy. The authorisation schemes are flexible and rich...
Conflict Analysis for Management Policies
Policies are a means of influencing management behaviour within a distributed system, without coding the behaviour into the managers. Authorisation policies specify what activities a manager is permitted or forbidden to do to a set of target objects and obligation policies specify what activities a manager must or must not do to a set of target objects. Conflicts can arise in the set of policie...
Using game theory approach to interpret stable policies for Iran’s oil and gas common resources conflicts with Iraq and Qatar
Oil and gas as the non-renewable resources are considered very valuable for the countries with petroleum economics. These resources are not only diffused equally around the world, but also they are common in some places which their neighbors often come into conflicts. Consequently, it is vital for those countries to manage their resource utilization. Lately, game theory was applied in conflict ...