
Distributed Programmable Authorisation



Presentation Transcript


  1. Distributed Programmable Authorisation, David Chadwick, GALT 03

  2. X.812 | ISO 10181 Access Control Framework
  [Diagram: Initiator --(Submit Access Request)--> AEF --(Present Access Request)--> Target; AEF --(Decision Request)--> ADF --(Decision)--> AEF]
  AEF = (Application dependent) Access control Enforcement Function
  ADF = (Application independent) Access control Decision Function

  3. Policy Based Authorisation Today (based on ISO 10181-3)
  [Diagram: the Application's Access control Enforcement Function sends an Authorisation Decision Request to the ADF and receives an Authorisation Decision; the ADF evaluates Initiator ADI, Target ADI, Access Request ADI, Contextual Information, Retained ADI and the Access Control Policy Rules]
  ADI = Access control Decision Information
  Example ADFs are Akenti, PERMIS, Cardea

  4. Authorisation Today for Distributed Applications
  [Diagram: a distributed application spanning Site 1, Site 2 and Site 3, each with its own AEF; all three AEFs send Decision Requests to, and receive Decisions from, a single standalone ADF holding a common policy]
  Allows co-ordination, but bottleneck to performance

  5. Authorisation Today for Distributed Applications
  [Diagram: the same three sites, but each AEF sends its Decision Requests to its own local ADF; every ADF evaluates the same common policy]
  Increased performance, but lacks co-ordination

  6. Authorisation Tomorrow for Distributed Applications
  [Diagram: each site's AEF uses its own local ADF with a site specific policy, and the ADFs co-ordinate with one another]
  Performance and co-ordination

  7. How?
  • By hierarchically decomposing distributed application authorisation policies into lower level site specific policies
  • Policies comprise rules for subjects, targets, actions and conditions: who can access what, in which way, and under what conditions
  • Specify rules that say how targets and actions at the distributed application level are decomposed into targets and actions at the site specific level
  • E.g. "UserA can run distributed application X on the Grid using a maximum of 3 MB of storage" might hierarchically decompose into:
    • UserA can read File F from site1 and search DB2 at site2, providing no more than 3 MB of data are retrieved in total
    • UserA can run the data processing application at any site with spare capacity
    • UserA can write output to their home site

  8. Proposed Methodology and Technology
  • Specify rules in DAML/OIL/OWL for policy decomposition and produce an authorisation ontology
  • Build a user friendly interface for policy/rule creation, based on a configurable ontology
  • Use JTP from Stanford University, a DAML/OIL reasoning engine that can make inferences
  • Build a reasoning compiler using the above that will read in the ontology and the application specific rules, and will produce site specific policies in XACML
  • Build a secure policy distribution mechanism
  • Build a co-ordination capability between either the site specific ADFs or a central co-ordinating ADF
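The architectures of slides 4 to 6, the decomposition of slide 7 and the "compile into site specific policies plus co-ordination" steps of slide 8, as an added Python example that is not part of the talk or of the tooling it proposes (no DAML/OIL ontology, JTP or XACML here). It compiles the slide's application-level rule into per-site rules, runs each site's ADF on constructed access requests, and shows the decision that differs between standalone site ADFs (slide 5) and co-ordinated ones (slide 6): the 3 MB total is a condition no single site can enforce on its own. The rule representation, the `shared_quota` marker and UserA's home site (site1) are assumptions made for the example.

```python
# Added example, not from the GALT 03 slides: toy model of the X.812 AEF/ADF
# split, hierarchical decomposition of one application-level rule into
# site-specific rules, and a co-ordinating ADF for the one condition (a total
# data quota) that no single site can evaluate alone. The rule format, the
# "shared_quota" marker and UserA's home site (site1) are assumptions.
from dataclasses import dataclass, field

MB = 1024 * 1024
SITES = ["site1", "site2", "site3"]
HOME_SITE = {"UserA": "site1"}  # assumed


@dataclass(frozen=True)
class Rule:
    """Who (subject) may access what (target), in which way (action), under what conditions."""
    subject: str
    target: str
    action: str
    conditions: dict = field(default_factory=dict)


# Application-level policy from slide 7: UserA may run application X on the
# Grid using at most 3 MB in total.
APP_POLICY = [Rule("UserA", "application X", "run", {"max_bytes_total": 3 * MB})]

# Decomposition rules: application-level (target, action) -> site-level
# (site, target, action, conditions). "shared_quota" names a parent condition
# whose budget is consumed across sites; "*" = any site, "home" = home site.
DECOMPOSITION = {
    ("application X", "run"): [
        ("site1", "File F", "read", {"shared_quota": "max_bytes_total"}),
        ("site2", "DB2", "search", {"shared_quota": "max_bytes_total"}),
        ("*", "data processing application", "run", {"requires": "spare_capacity"}),
        ("home", "output area", "write", {}),
    ],
}


def decompose(app_policy):
    """Compile application-level rules into {site: [Rule, ...]} site-specific policies."""
    per_site = {s: [] for s in SITES}
    for app_rule in app_policy:
        for site, target, action, cond in DECOMPOSITION[(app_rule.target, app_rule.action)]:
            cond = dict(cond)
            if "shared_quota" in cond:  # carry the parent limit down for local checks
                cond["limit"] = app_rule.conditions[cond["shared_quota"]]
            if site == "*":
                targets = SITES
            elif site == "home":
                targets = [HOME_SITE[app_rule.subject]]
            else:
                targets = [site]
            for s in targets:
                per_site[s].append(Rule(app_rule.subject, target, action, cond))
    return per_site


class Coordinator:
    """Holds budgets for conditions that span sites (slide 6's co-ordination)."""
    def __init__(self, limits):
        self.limits = dict(limits)
        self.used = {name: 0 for name in limits}

    def reserve(self, quota, nbytes):
        """Reserve nbytes of the quota; False if it would be exceeded (no locking in this toy)."""
        if self.used[quota] + nbytes > self.limits[quota]:
            return False
        self.used[quota] += nbytes
        return True


class SiteADF:
    """Site-specific ADF. Without a coordinator it can only apply the limit locally (slide 5)."""
    def __init__(self, site, rules, coordinator=None):
        self.site, self.rules, self.coordinator = site, rules, coordinator

    def decide(self, subject, target, action, context):
        for r in self.rules:
            if (r.subject, r.target, r.action) != (subject, target, action):
                continue
            if "shared_quota" in r.conditions:
                nbytes = context.get("bytes", 0)
                if self.coordinator is None:
                    return nbytes <= r.conditions["limit"]  # per-request check only
                return self.coordinator.reserve(r.conditions["shared_quota"], nbytes)
            if r.conditions.get("requires") == "spare_capacity":
                return bool(context.get("spare_capacity"))
            return True
        return False  # default deny: no site rule matches


def run_scenario(coordinated):
    """Replay the same constructed access requests with or without a co-ordinating ADF."""
    coord = Coordinator({"max_bytes_total": 3 * MB}) if coordinated else None
    adfs = {s: SiteADF(s, rules, coord) for s, rules in decompose(APP_POLICY).items()}
    requests = [  # (site, target, action, context) as presented by each site's AEF
        ("site1", "File F", "read", {"bytes": 2 * MB}),
        ("site2", "DB2", "search", {"bytes": 2 * MB}),  # total would reach 4 MB
        ("site2", "DB2", "search", {"bytes": 1 * MB}),  # fits in the remaining 1 MB
        ("site3", "data processing application", "run", {"spare_capacity": True}),
        ("site3", "data processing application", "run", {"spare_capacity": False}),
        ("site2", "output area", "write", {}),  # not UserA's home site
        ("site1", "output area", "write", {}),
    ]
    return [adfs[s].decide("UserA", t, a, ctx) for s, t, a, ctx in requests]
```

Calling `run_scenario(True)` and `run_scenario(False)` on the same request list differs only in the second decision: with standalone site ADFs (slide 5) site2 sees a 2 MB search against a 3 MB limit and permits it, so 4 MB are retrieved in total; with the co-ordinating ADF (slide 6) the reservation fails and the request is denied, while the later 1 MB search that fits the remaining budget is still allowed. Everything else (spare-capacity condition, home-site write, default deny when no site rule matches) is decided locally and needs no co-ordination, which is the point of pushing the site specific policies down.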
