Authorization as a Service provided by a Generic Policy Engine
Authors
Abstract
Authorization of access to resources is typically viewed as being the responsibility of the applications that access specific resources. This leads to incoherent implementation of security within an organization, as the protection of a resource becomes dependent upon the path through which it is accessed. This paper proposes that authorization be provided as a service that is utilized by applications that require security. An architecture is presented that supports fine-grained access control wherein policies are associated with individual resources. The requirements for, and properties of, policies are described and several examples are provided.
Similar resources
Analysis of Communicating Authorization Policies
We present a formal language for specifying distributed authorization policies that communicate through insecure asynchronous media. The language allows us to write declarative authorization policies; the interface between policy decisions and communication events can be specified using guards and policy updates. The attacker, who controls the communication media, is modeled as a message deduct...
Policy-driven Negotiation for Authorization in the Semantic Grid
As in many Grid Services deployments the clients and servers reside in different administrative domains, there is both a requirement to discover each other’s authorization policy in order to be able to present the right assertions that allow access, as well as to reveal as little as possible of the access policy details to unauthorized parties. This paper describes a mechanism where the client ...
A Survey on AAA Mechanisms, Protocols, and Architectures and a Policy-based Approach beyond: Ax
AAA, the Authentication, Authorization, and Accounting approach for dial-up connectivity of mobile users and devices, has reached a status of maturity, however limited to a dedicated set of minor scenarios. While the commercialization of the Internet has led to a large variety of business models based on Internet technology, the demand for standardized and efficient solutions in support of rel...
Ontology-Based Matching of Security Attributes for Personal Data Access in e-Health
This paper discusses an interoperability solution (tool) for the internal management of a policy decision engine located at the level of the authorization layer of a service oriented environment. The tool aims to support federated access control in the context of distributed architectures, in which a local authorization policy is not able to recognize all the attributes in the authorization dec...
A Heterogeneous Network Access Service Based on PERMIS and SAML
The expansion of inter-organizational scenarios based on different authorization schemes involves the development of integration solutions allowing different authorization domains to share, in some way, protected resources. This paper analyzes different emerging technologies. On the one hand, we have two XML-based standards, the SAML standard, which is being widely accepted as a language to exp...