Options
Decentralized authorization for inter-domain collaborations with iRBAC framework
Citation Link: https://doi.org/10.15480/882.1057
Other Titles
Dezentralisierte Zulassungsverfahren für Inter-Domain Kollaborationen mit iRBAC
Publikationstyp
Doctoral Thesis
Publikationsdatum
2011
Sprache
English
Author
Advisor
Gollmann, Dieter
Title Granting Institution
Technische Universität Hamburg
Place of Title Granting Institution
Hamburg
Examination Date
2011-12-22
Inter-domain collaborations are composed of a series of tasks, whose run-time environment stretches over heterogeneous systems governed by different sets of policies. Though the collaborators are willing to allow access to their services and resources from outside of their administrative domains in order to reach the common goals of collaborations, they still desire to retain control over deciding under which conditions their resources should be available and which internal information to disclose to their collaborators. For instance, personally identifiable information (PII) is one of the sensitive data collaborators wish to protect. However, more often than not PII is a prerequisite to granting access permissions when the user is from a different administrative domain. Within business-to-business (B2B) collaboration scenarios, however, information on the person’s role within the collaborations is actually more relevant than the PIIs.
In order to satisfy autonomous administrations of collaborators including protection of end-users’ PIIs, it is essential that authorization policies and mechanisms do not require exchanges of PIIs. Moreover, the administrations of the security policies are to be operated in a decentralized manner. This then opens up requirements of interoperability and scalability of an authorization solution for inter-domain collaborations in terms of policy specifications, enforcement, and administrations.
This thesis proposes an authorization solution that presents not only a model that provides a logical structure of security policies but also a methodology to guide the construction process of the policies and a set of modules that allows decentralized, autonomous administration of the security policies throughout their lifetime. Together these components render an authorization solution to collaborative systems built with standard protocols. In summary, the three components are:
* Model
is elaborated from role-based access control (RBAC) [ANS04] with an additional indirect layer called interactive Roles (iRoles). This layer abstracts authorized end-users within collaborators’ local domains. By introducing the additional indirection, iRoles enable autonomous policy administration on user–role and role–permission assignments. Equally importantly, it provides transparent linkage between local end-users in collaborators’ domains and functional roles in collaboration definitions.
* Methodology
is a step-by-step guideline that provides a process of building security policies based on this model. The end result of the process is a security policy built in terms of definitions of iRoles in the format of an eXtensible Access Control Mark-up Language (XACML) [Mos05] standardized policy, which is one of the most commonly used standards by the reference monitors.
* Modules
is a tool-set, also called the interactive RBAC (iRBAC), which enables decentralized operations of autonomous administration of the security policies built according to the methodology.
A unique contribution of this work is its full coverage of support for the different stages of the lifecycle of the security policies for inter-domain collaborations. Though a case study has been conducted, a real-time scaled deployment is yet to be applied. Additionally, suitable methods of evaluating this work are still to be established. Nonetheless, this thesis presents the bridging elements of an authorization solution to fill the gap between the works of research communities and the needs of the real world scenarios of inter-domain collaborations not in parts but as a whole composition.
In order to satisfy autonomous administrations of collaborators including protection of end-users’ PIIs, it is essential that authorization policies and mechanisms do not require exchanges of PIIs. Moreover, the administrations of the security policies are to be operated in a decentralized manner. This then opens up requirements of interoperability and scalability of an authorization solution for inter-domain collaborations in terms of policy specifications, enforcement, and administrations.
This thesis proposes an authorization solution that presents not only a model that provides a logical structure of security policies but also a methodology to guide the construction process of the policies and a set of modules that allows decentralized, autonomous administration of the security policies throughout their lifetime. Together these components render an authorization solution to collaborative systems built with standard protocols. In summary, the three components are:
* Model
is elaborated from role-based access control (RBAC) [ANS04] with an additional indirect layer called interactive Roles (iRoles). This layer abstracts authorized end-users within collaborators’ local domains. By introducing the additional indirection, iRoles enable autonomous policy administration on user–role and role–permission assignments. Equally importantly, it provides transparent linkage between local end-users in collaborators’ domains and functional roles in collaboration definitions.
* Methodology
is a step-by-step guideline that provides a process of building security policies based on this model. The end result of the process is a security policy built in terms of definitions of iRoles in the format of an eXtensible Access Control Mark-up Language (XACML) [Mos05] standardized policy, which is one of the most commonly used standards by the reference monitors.
* Modules
is a tool-set, also called the interactive RBAC (iRBAC), which enables decentralized operations of autonomous administration of the security policies built according to the methodology.
A unique contribution of this work is its full coverage of support for the different stages of the lifecycle of the security policies for inter-domain collaborations. Though a case study has been conducted, a real-time scaled deployment is yet to be applied. Additionally, suitable methods of evaluating this work are still to be established. Nonetheless, this thesis presents the bridging elements of an authorization solution to fill the gap between the works of research communities and the needs of the real world scenarios of inter-domain collaborations not in parts but as a whole composition.
Schlagworte
Zugriffskontrolle
Inter-Domain-Kolloboration
Sicherheitsrichtlinien
XACML
RBAC
access control
inter-domain collaboration
security policy
XACML
RBAC
DDC Class
004: Informatik
Loading...
Name
baker.pdf
Size
5.02 MB
Format
Adobe PDF