Hierarchical Group and Attribute-Based Access Control: Incorporating Hierarchical Groups and Delegation into Attribute-Based Access Control

Attribute-Based Access Control (ABAC) is a promising alternative to traditional models of access control (i.e. Discretionary Access Control (DAC), Mandatory Access Control (MAC) and Role-Based Access control (RBAC)) that has drawn attention in both recent academic literature and industry application. However, formalization of a foundational model of ABAC and large-scale adoption is still in its infancy. The relatively recent popularity of ABAC still leaves a number of problems unexplored. Issues like delegation, administration, auditability, scalability, hierarchical representations, etc. have been largely ignored or left to future work. This thesis seeks to aid in the adoption of ABAC by filling in several of these gaps. The core contribution of this work is the Hierarchical Group and Attribute-Based Access Control (HGABAC) model, a novel formal model of ABAC which introduces the concept of hierarchical user and object attribute groups to ABAC. It is shown that HGABAC is capable of representing the traditional models of access control (MAC, DAC and RBAC) using this group hierarchy and that in many cases it’s use simplifies both attribute and policy administration. HGABAC serves as the basis upon which extensions are built to incorporate delegation into ABAC. Several potential strategies for introducing delegation into ABAC are proposed, categorized into families and the trade-offs of each are examined. One such strategy is formalized into a new User-to-User Attribute Delegation model, built as an extension to the HGABAC model. Attribute Delegation enables users to delegate a subset of their attributes to other users in an off-line manner (not requiring connecting to a third party). Finally, a supporting architecture for HGABAC is detailed including descriptions of services, high-level communication protocols and a new low-level attribute certificate format for exchanging user and connection attributes between independent services. Particular emphasis is placed on ensuring support for federated and distributed systems. Critical components of the architecture are implemented and evaluated with promising preliminary results. It is hoped that the contributions in this research will further the acceptance of ABAC in both academia and industry by solving the problem of delegation as well as simplifying administration and policy authoring through the introduction of hierarchical user groups

DyVOSE project: experiences in applying privilege management infrastructures

Privilege Management Infrastructures (PMI) are emerging as a necessary alternative to authorization through Access Control Lists (ACL) as the need for finer grained security on the Grid increases in numerous domains. The 2-year JISC funded DyVOSE Project has investigated applying PMIs within an e-Science education context. This has involved establishing a Grid Computing module as part of Glasgow University’s Advanced MSc degree in Computing Science. A laboratory infrastructure was built for the students realising a PMI with the PERMIS software, to protect Grid Services they created. The first year of the course centered on building a static PMI at Glasgow. The second year extended this to allow dynamic attribute delegation between Glasgow and Edinburgh to support dynamic establishment of fine grained authorization based virtual organizations across multiple institutions. This dynamic delegation was implemented using the DIS (Delegation Issuing) Web Service supplied by the University of Kent. This paper describes the experiences and lessons learned from setting up and applying the advanced Grid authorization infrastructure within the Grid Computing course, focusing primarily on the second year and the dynamic virtual organisation setup between Glasgow and Edinburgh

Exploiting Domain Knowledge in Making Delegation Decisions

@inproceedings{conf/admi/EmeleNSP11, added-at = {2011-12-19T00:00:00.000+0100}, author = {Emele, Chukwuemeka David and Norman, Timothy J. and Sensoy, Murat and Parsons, Simon}, biburl = {http://www.bibsonomy.org/bibtex/20a08b683088443f1fd36d6ef28bf6615/dblp}, booktitle = {ADMI}, crossref = {conf/admi/2011}, editor = {Cao, Longbing and Bazzan, Ana L. C. and Symeonidis, Andreas L. and Gorodetsky, Vladimir and Weiss, Gerhard and Yu, Philip S.}, ee = {http://dx.doi.org/10.1007/978-3-642-27609-5_9}, interhash = {1d7e7f8554e8bdb3d43c32e02aeabcec}, intrahash = {0a08b683088443f1fd36d6ef28bf6615}, isbn = {978-3-642-27608-8}, keywords = {dblp}, pages = {117-131}, publisher = {Springer}, series = {Lecture Notes in Computer Science}, timestamp = {2011-12-19T00:00:00.000+0100}, title = {Exploiting Domain Knowledge in Making Delegation Decisions.}, url = {http://dblp.uni-trier.de/db/conf/admi/admi2011.html#EmeleNSP11}, volume = 7103, year = 2011 }Postprin

A Case for Custom, Composable Composition Operators

Programming languages typically support a fixed set of com- position operators, with fixed semantics. This may impose limits on software designers, in case a desired operator or semantics are not supported by a language, resulting in suboptimal quality characteristics of the designed software system. We demonstrate this using the well-known State design pattern, and propose the use of a composition infrastructure that allows the designer to define custom, composable composition operators. We demonstrate how this approach improves several quality factors of the State design pattern, such as reusability and modularity, while taking a reason- able amount of effort to define the necessary pattern-related code