Skip to main content
Article thumbnail
Location of Repository

Advanced Security for Virtual Organizations: The Pros and Cons of Centralized vs Decentralized Security Models

By Richard O. Sinnott, David W. Chadwick, T. Doherty, D. Martin, A.J. Stell, G. Stewart, Linying Su and J. Watt


Grids allow for collaborative e-Research to be undertaken, often across institutional and national boundaries. Typically this is through the establishment of virtual organizations (VOs) where policies on access and usage of resources across partner sites are defined and subsequently enforced. For many VOs, these agreements have been lightweight and erred on the side of flexibility with minimal constraints on the kinds of jobs a user is allowed to run or the amount of resources that can be consumed. For many new domains such as e-Health, such flexibility is simply not tenable. Instead, precise definitions of what jobs can be run, and what data can be accessed by who need to be defined and enforced by sites. The role based access control model (RBAC) provides a well researched paradigm for controlling access to large scale dynamic VOs. However, the standard RBAC model assumes a single domain with centralised role management. When RBAC is applied to VOs, it does not specify how or where roles should be defined or made known to the distributed resource sites (who are always deemed to be autonomous to make access control decisions). Two main possibilities exist based on either a centralized or decentralized approach to VO role management. We present the advantages and disadvantages of the centralized and decentralized role models and describe how we have implemented them in a range of security focused e-Research domains at the National e-Science Centre (NeSC) at the University of Glasgow

Topics: QA76
Publisher: Institute of Electrical and Electronics Engineers
Year: 2008
OAI identifier:

Suggested articles


  1. (2003). al Role-based Access Control with X.509 Attribute Certificates, doi
  2. ANSI Information technology - Role Based Access Control,
  3. (1367). Attribute Based Access Control for Grid Computing, doi
  4. (2005). Dynamic Privilege Management Infrastructures Utilising Secure Attribute Exchange,
  5. (2007). et al - Security oriented e-Infrastructures supporting neurological research and clinical trials, doi
  6. (2005). Experiences in Teaching Grid Computing to Advanced Level Students, doi
  7. (2005). Experiences of Applying Advanced Grid Authorisation Infrastructures, doi
  8. (2004). Experiences of Using the GGF SAML AuthZ Interface,
  9. (2007). Federated Authentication and Authorisation for eScience, doi
  10. (2004). Grid Services Supporting the Usage of Secure Federated,
  11. Local Centre Authorization System,
  12. (2005). OASIS eXtensible Access Control Markup Language (XACML) Version 2.0, doi
  13. (2001). Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructures,
  14. (2006). S t e l l , e t a l – Secure, doi
  15. (2007). ShibGrid: Shibboleth Access for the UK National Grid Service, doi
  16. (2006). Supporting Decentralized, Security focused Dynamic Virtual Organizations across the Grid, 2 nd doi
  17. (2006). Supporting Decentralized, Security focused Dynamic Virtual Organizations across the Grid, 2nd doi
  18. (2006). Supporting the Clinical Trial Recruitment Process through the Grid, UK e-Science All Hands conference,
  19. (2001). The Anatomy of the Grid: Enabling Scalable Virtual Organizations, doi
  20. VOMS: an authorization system for virtual organizations, 1 st European across Grids conference, Santiago de Compostela.
  21. VOMS: an authorization system for virtual organizations, 1st European across Grids conference, Santiago de Compostela.

To submit an update or takedown request for this paper, please submit an Update/Correction/Removal Request.