Skip to main content
Article thumbnail
Location of Repository

The PERMIS X.509 Role Based Privilege Management Infrastructure

By David W. Chadwick and Alexander Otenko

Abstract

This paper describes the output of the PERMIS project, which has developed a role based access control infrastructure that uses X.509 attribute certificates (ACs) to store the users roles. All access control decisions are driven by an authorization policy, which is itself stored in an X.509 attribute certificate, thus guaranteeing its integrity. All the ACs can be stored in one or more LDAP directories, thus making them widely available. Authorization policies are written in XML according to a DTD that has been published at XML.org. The Access Control Decision Function (ADF) is written in Java and the Java API is simple to use, comprising of just 3 methods and a constructor. There is also a Privilege Allocator, which is a tool that constructs and signs attribute certificates and stores them in an LDAP directory for subsequent use by the ADF

Topics: QA76
Year: 2002
OAI identifier: oai:kar.kent.ac.uk:13778

Suggested articles

Citations

  1. (2000). A Wiley Tech Brief”,
  2. (1994). Access controls, principles and practice”. doi
  3. (1995). ISO/IEC 10181-3:1996 “Security Frameworks for open systems: Access control framework
  4. (2000). ISO/IEC 9594-8 The Directory: Authentication Framework
  5. (2001). Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure”.
  6. (2002). RBAC Policies in XML for X.509 Based Privilege Management” to be presented at SEC doi
  7. (1996). Role Based Access Control Models”. doi
  8. (1999). The KeyNote Trust-Management System Version 2”, RFC 2704,
  9. (2000). The Open Group. “Authorization (AZN) API”,
  10. (2001). The Ponder Policy Specification Language”, doi
  11. (1999). Understanding Public-Key Infrastructure: Concepts, Standards, and Deployment Considerations”. Macmillan Technical Publishing,

To submit an update or takedown request for this paper, please submit an Update/Correction/Removal Request.