Achieving fine‐grained access control in virtual organizations

Zhang, Ning; Yao, Li; Nenadić, Aleksandra; Chin, Jay; Goble, Carole; Rector, Alan L.; Chadwick, David; Otenko, Sassa; Shi, Qi

doi:10.1002/cpe.1099

Cited by 10 publications

(8 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…-Authentication policy -says what level of authentication/assurance is required of requesting subjects who are to be allowed to access the associated data. Whilst it is possible to represent this policy in the authorization policy through the use of Level of Assurance, as for example as described in [28], by keeping this as a separate policy it allows the PEP to short circuit the whole authorization process if the requesting subject has not been authenticated sufficiently. -Data manipulation policy -provides rules for how the associated data (usually PII) can be transformed, enriched or aggregated with other personal data of the same data subject or of other data subjects.…”

Section: Sticky Policy Contentsmentioning

confidence: 99%

A privacy preserving authorisation system for the cloud

Chadwick

Fatema

2012

Journal of Computer and System Sciences

View full text Add to dashboard Cite

In this paper we describe a policy based authorisation infrastructure that a cloud provider can run as an infrastructure service for its users. It will protect the privacy of users' data by allowing the users to set their own privacy policies, and then enforcing them so that no unauthorised access is allowed to their data. The infrastructure ensures that the users' privacy policies are stuck to their data, so that access will always be controlled by the policies even if the data is transferred between cloud providers or services. This infrastructure also ensures the enforcement of privacy policies which may be written in different policy languages by multiple authorities such as: legal, data subject, data issuer and data controller. A conflict resolution strategy is presented which resolves conflicts among the decisions returned by the different policy decision points (PDPs). The performance figures are presented which show that the system performs well and that each additional PDP only imposes a small overhead.

show abstract

Section: Sticky Policy Contentsmentioning

confidence: 99%

A privacy preserving authorisation system for the cloud

Chadwick

Fatema

2012

Journal of Computer and System Sciences

View full text Add to dashboard Cite

show abstract

“…(Whilst it is possible to represent LoAs in the authorization policy e.g. as described in [17], by keeping this as a separate policy it allows the PEP to short circuit the whole authorization process if the requesting subject has not been authenticated sufficiently.) -data manipulation policy -provides rules for how the associated data (usually PII) can be transformed, enriched or aggregated with other personal data of the same data subject or of other data subjects.…”

Section: Sticky Policy Contentsmentioning

confidence: 99%

An advanced policy based authorisation infrastructure

Chadwick¹,

Fatema²

2009

Proceedings of the 5th ACM Workshop on Digital Identity Management

View full text Add to dashboard Cite

show abstract

“…ABAC is a generalization of the well‐known role‐based access control (RBAC) model 3, in which a role is not restricted to an organizational role, but can be any attribute of the subject, such as a professional qualification or their current level of authentication (LoA) 4. In the following discussion we will refer to roles, on the assumption that we mean any attribute that can be assigned to a subject.…”

Section: Conceptual Modelsmentioning

confidence: 99%

PERMIS: a modular authorization infrastructure

Chadwick

Zhao

Otenko

et al. 2008

Concurrency and Computation

View full text Add to dashboard Cite

Authorization infrastructures manage privileges and render access control decisions, allowing applications to adjust their behavior according to the privileges allocated to users. This paper describes the PERMIS role-based authorization infrastructure along with its conceptual authorization, access control, and trust models. PERMIS has the novel concept of a credential validation service, which verifies a user's credentials prior to access control decision-making and enables the distributed management of credentials. PERMIS also supports delegation of authority; thus, credentials can be delegated between users, further decentralizing credential management. Finally, PERMIS supports history-based decision-making, which can be used to enforce such aspects as separation of duties and cumulative use of resources. Details of the design and the implementation of PERMIS are presented along with details of its integration with Globus Toolkit, Shibboleth, and GridShib. A comparison of PERMIS with other authorization and access control implementations is given, along with suggestions where future research and development are still needed.They provide facilities to manage user privileges, render access control decisions, and process the related information. Different types of policies may be supported, such as credential issuing policies, access control policies, delegation policies, and credential validation policies. These policies contain the rules and criteria that specify how user privileges (or credentials, which are digitally signed assertions made by some authority about a user's privileges) are managed and access control decisions are made. In the context of distributed Grid systems spanning multiple domains, policybased authorization systems bring a number of specific advantages such as: they can control the issuing of credentials in one domain and allow the autonomous delegation of privileges between users. They can then separately control the validation of these credentials in the resource domain, and allow each resource owner to independently say who he/she trusts to issue which credentials to whom, and which access rights these valid credentials should have. This is an important feature that most Grid systems today do not have.The authorization infrastructure that we have built is called PERMIS [1]. This paper describes the various components of the PERMIS authorization infrastructure, the conceptual models that lie behind them, and the standards that we have used. We conclude by comparing our work with that of others and by describing some of the future work that still needs to be done. The rest of this paper is structured as follows. Section 2 provides the conceptual models of our authorization infrastructure. Section 3 describes the design and implementation of PERMIS. Section 4 presents PERMIS's integration with Globus Toolkit (GT), Shibboleth, and GridShib. Section 5 compares PERMIS with other related research. Section 6 concludes and indicates our plans for the future. CONCEPTUAL MODELS The access control...

show abstract

Achieving fine‐grained access control in virtual organizations

Cited by 10 publications

References 13 publications

A privacy preserving authorisation system for the cloud

A privacy preserving authorisation system for the cloud

An advanced policy based authorisation infrastructure

PERMIS: a modular authorization infrastructure

Contact Info

Product

Resources

About