The PERMIS X.509 Based Privilege Management Infrastructure

This document describes the PERMIS X.509 Based Privilege Management Infrastructure, which is a trust management system as described in RFC 2704 [2]. The PERMIS Infrastructure is compared with the AAA Authorisation Framework described in RFC 2904 [4], and is shown to be compatible with it

DyVOSE project: experiences in applying privilege management infrastructures

Privilege Management Infrastructures (PMI) are emerging as a necessary alternative to authorization through Access Control Lists (ACL) as the need for finer grained security on the Grid increases in numerous domains. The 2-year JISC funded DyVOSE Project has investigated applying PMIs within an e-Science education context. This has involved establishing a Grid Computing module as part of Glasgow University’s Advanced MSc degree in Computing Science. A laboratory infrastructure was built for the students realising a PMI with the PERMIS software, to protect Grid Services they created. The first year of the course centered on building a static PMI at Glasgow. The second year extended this to allow dynamic attribute delegation between Glasgow and Edinburgh to support dynamic establishment of fine grained authorization based virtual organizations across multiple institutions. This dynamic delegation was implemented using the DIS (Delegation Issuing) Web Service supplied by the University of Kent. This paper describes the experiences and lessons learned from setting up and applying the advanced Grid authorization infrastructure within the Grid Computing course, focusing primarily on the second year and the dynamic virtual organisation setup between Glasgow and Edinburgh

Refinement for Administrative Policies

Flexibility of management is an important requisite for access control systems as it allows users to adapt the access control system in accordance with practical requirements. This paper builds on earlier work where we defined administrative policies for a general class of RBAC models. We present a formal definition of administrative refinnement and we show that there is an ordering for administrative privileges which yields administrative refinements of policies. We argue (by giving an example) that this privilege ordering can be very useful in practice, and we prove that the privilege ordering is tractable

A Shibboleth-protected privilege management infrastructure for e-science education

Simplifying access to and usage of large scale compute resources via the grid is of critical importance to encourage the uptake of e-research. Security is one aspect that needs to be made as simple as possible for end users. The ESP-Grid and DyVOSE projects at the National e-Science Centre (NeSC) at the University of Glasgow are investigating security technologies which will make the end-user experience of using the grid easier and more secure. In this paper, we outline how simplified (from the user experience) authentication and authorization of users are achieved through single usernames and passwords at users' home institutions. This infrastructure, which will be applied in the second year of the grid computing module part of the advanced MSc in Computing Science at the University of Glasgow, combines grid portal technology, the Internet2 Shibboleth Federated Access Control infrastructure, and the PERMS role-based access control technology. Through this infrastructure inter-institutional teaching can be supported where secure access to federated resources is made possible between sites. A key aspect of the work we describe here is the ability to support dynamic delegation of authority whereby local/remote administrators are able to dynamically assign meaningful privileges to remote/local users respectively in a trusted manner thus allowing for the dynamic establishment of virtual organizations with fine grained security at their heart

Enabling the Autonomic Management of Federated Identity Providers

The autonomic management of federated authorization infrastructures (federations) is seen as a means for improving the monitoring and use of a service provider’s resources. However, federations are comprised of independent management domains with varying scopes of control and data ownership. The focus of this paper is on the autonomic management of federated identity providers by service providers located in other domains, when the identity providers have been diagnosed as the source of abuse. In particular, we describe how an autonomic controller, external to the domain of the identity provider, exercises control over the issuing of privilege attributes. The paper presents a conceptual design and implementation of an effector for an identity provider that is capable of enabling cross-domain autonomic management. The implementation of an effector for a SimpleSAMLphp identity provider is evaluated by demonstrating how an autonomic controller, together with the effector, is capable of responding to malicious abuse

Vulnerable GPU Memory Management: Towards Recovering Raw Data from GPU

In this paper, we present that security threats coming with existing GPU memory management strategy are overlooked, which opens a back door for adversaries to freely break the memory isolation: they enable adversaries without any privilege in a computer to recover the raw memory data left by previous processes directly. More importantly, such attacks can work on not only normal multi-user operating systems, but also cloud computing platforms. To demonstrate the seriousness of such attacks, we recovered original data directly from GPU memory residues left by exited commodity applications, including Google Chrome, Adobe Reader, GIMP, Matlab. The results show that, because of the vulnerable memory management strategy, commodity applications in our experiments are all affected

The Taxation and Accountancy of Luncheon Voucher

Accounting represent a privilege source of information for the fiscal bodies, the majority of fiscal obligations are being established on the basis of accounting data. There is interdependency between accounting and taxation, which is defining in the fiscal management of the enterprise. The accountancy is an element intended for obtaining pure and objective information, and therefore the intervention of taxation in accounting procedures is unacceptable. But accounting isn't perfect and therefore the fiscal body proposes itself t, as a user of the same information, to interpret them according to own interestslucheon voucher, taxation, accountancy, fiscal obligations, fiscal management

Experiencing privilege at ethnic, gender and senior intersections

Purpose: In management studies, assumptions surround the fixed, categorical and binary nature of male, ethnic and other privileges. Compared to white, middle-class men, ‘Others’ are typically assumed not to experience privilege. We counter this assumption by applying intersectionality to examine privilege’s juxtaposition with disadvantage. We offer an elaborated conceptualisation of organisational privilege and insight into the agency employed by individuals traditionally perceived as non-privileged. Approach: Using diaries and interviews, we analyse twenty micro-episodes from four senior minority ethnic women and men’s accounts of intersecting ethnic, gender and senior identities. We identify how privilege plays out at the juxtaposition of (male gender and hierarchical) advantage with (female gender and ethnic) disadvantage. Findings: The fluidity of privilege is revealed through contextual, contested and conferred dimensions. Additionally, privilege is experienced in everyday micro-level encounters and we illustrate how 'sometimes privileged' individuals manage their identities at intersections. Research Limitations: This in-depth analysis draws on a small sample of unique British minority ethnic individuals to illustrate dimensions of privilege. Practical and social implications: It is often challenging to discuss privilege. However, our focus on atypical wielders of power challenges binary assumptions of privilege. This can provide a common platform for dominant and non-dominant group members to share how societal and organisational privileges differentially impact groups. This inclusive approach could reduce dominant group members’ psychological and emotional resistance to social justice. Originality: Through bridging privilege and intersectionality perspectives, we offer a complex and nuanced perspective that contrasts against prevalent conceptions of privilege as invisible and uncontested

Examining Disequilibrium in an Immersion Experience

This study examines the disequilibrium raised by a cultural immersion experience, using the structure of White racial identity development, in an effort to better scaffold the immersion experience in the future. Thirty-two students participated in an immersion experience in Quito, Ecuador. The study follows their experience as they strive to make sense of their experience and begin to understand and unpack their own sense of privilege. The six stages of racial identity development are used as a grid through which to view and consider the experiences of teacher candidates in a cultural immersion experience. Two predominant themes included schools/classroom management, and language/culture/race

STRATEGI KOMUNIKASI MELALUI TELEPON (Studi Kualitatif Strategi Komunikasi dalam Penawaran Amarelo Adhiwangsa Privilege Card Melalui Telepon oleh Telemarketing Operator Amarelo Hotel Solo dan Adhiwangsa Hotel And Convention Hall Solo)

Iklim persaingan hotel di Kota Solo beberapa tahun belakangan ini menggeliat, hal ini dapat dilihat dari banyaknya pembangunan hotel baru yang terus bertambah. Persaingan dalam bisnis hotel tersebut membuat para pengusaha hotel berusaha untuk menghasilkan produk dan jasa yang menarik konsumen. Amarelo Hotel Solo dan Adhiwangsa Hotel And Convention Hall memiliki produk Amarelo Adhiwangsa Privilege Card yang memberikan berbagai keuntungan bagi pemiliknya. Dalam memasarkan Amarelo Adhiwangsa Privilege Card, management hotel menggunakan berbagai cara yaitu penawaran langsung kepada konsumen yang berkunjung ke hotel atau dengan mengirim perwaakilan hotel datang ke berbagai perusahaan dan penawaran melalui media. Media yang digunakan untuk memasarkan Amarelo Adhiwangsa Privilege Card antara lain Twitter, Facebook, Instagram, Website dan telepon. Namun begitu, jumlah konsumen yang bergabung dengan Amarelo Adhiwangsa Privilege Card jumlahnya lebih banyak dibandingkan dengan penawaran secara langsung atau menggunakan media lain. Penelitian ini menggunakan metode kualitatif. Bertujuan untuk mengetahui dan menganalisa bagaimana strategi komunikasi penawaran melalui telepon yang dilakukan oleh telemarketing operator Amarelo Hotel dan Adhiwangsa Hotel And Convention Hall, pengaruh apa yang ditimbulkan oleh strategi komunikasi melalui telepon tersebut. Kesimpulan yang dapat diambil dari penelitian ini adalah strategi komunikasi penawaran Amarelo Adhiwangsa Privilege Card melalui telepon dilakukan dengan tahap-tahap mengenal khalayak, menyusun pesan, menetapkan metode dan seleksi penggunaan media. Sejauh ini pengaruh yang ditimbulkan oleh pelaksanaan strategi komunikasi pemasaran Amarelo Adhiwangsa Privilege Card melalui telepon bersifat positif yaitu bertambahnya jumlah konsumen. Kata Kunci: strategi komunikasi, komunikasi melalui telepon, telemarketin