by these authorities, establish their authenticity and integrity and ensure
accountability of policy authoring, including the non-repudiation of policy issuance. The
validity of the access policies authored by different administrators is established by
means of digital signatures from the policy issuing authority (e.g. the administrator
authoring a policy or a recognized authority vetting the administrator) and may be
time-limited and must be historically attested.
This access management capability also caters for policies addressing
complementary concerns (operational and management) in a multi-administrative
environment (see fig. 8.4). It supports policies about the following:
• Subjects accessing resources in a context, i.e. who can do what on which resource
and in which context. These policies are issued (and signed) by administrators
authorized to manage resources.
• Constraints on who can author access policies, such as the above, or on
who can delegate which access rights about which resources in what context.
• Obligations that instruct associated policy enforcement points.
Constrained administrative delegation (Rissanen and Firozabadi 2004) is a feature
that allows some administrative authorities to author (delegation constraint) policies
that constrain the applicability of (access) policies authored by other
administrative authorities. Constraints may take the form of rules that apply to a subset of the
available attribute types and policy evaluation algorithms. This allows, for example,
policy management rights to be delegated safely, empowering customers to manage
the rights of their own users who directly access in-cloud resources in
multi-tenancy hosting scenarios, common in Data Centres and Cloud computing.
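The constraint check described above can be sketched as follows. This is an added example, not code from the book or from any product it describes; the class names, the single-level delegation model and the tenant names are assumptions, and the signature on each policy is assumed to have been verified before evaluation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessPolicy:
    issuer: str          # administrator whose signature was verified upstream
    subject: dict        # required subject attributes
    resource: dict       # required resource attributes
    action: str
    not_before: int      # validity window, epoch seconds
    not_after: int

@dataclass(frozen=True)
class DelegationConstraint:
    authority: str       # who authored the constraint
    delegate: str        # administrator whose policies it constrains
    attr_types: frozenset  # attribute types the delegate may reference
    scope: dict          # resource attributes every delegated policy must pin
    actions: frozenset

def admissible(p, constraints, root, now):
    """True if policy p may take part in evaluation at time `now`."""
    if not p.not_before <= now <= p.not_after:
        return False                      # time-limited validity
    if p.issuer == root:
        return True
    used = set(p.subject) | set(p.resource)
    return any(c.authority == root and c.delegate == p.issuer
               and used <= c.attr_types and p.action in c.actions
               and all(p.resource.get(k) == v for k, v in c.scope.items())
               for c in constraints)

def decide(req, policies, constraints, root, now):
    """Deny by default; only admissible policies can yield Permit."""
    for p in policies:
        if (admissible(p, constraints, root, now) and req["action"] == p.action
                and all(req["subject"].get(k) == v for k, v in p.subject.items())
                and all(req["resource"].get(k) == v for k, v in p.resource.items())):
            return "Permit"
    return "Deny"

# Constructed sample data (all names are hypothetical).
ROOT = "provider-admin"
CONSTRAINTS = [DelegationConstraint(ROOT, "tenant-a-admin",
    frozenset({"role", "tenant", "type"}), {"tenant": "tenant-a"}, frozenset({"read"}))]
POLICIES = [
    AccessPolicy("tenant-a-admin", {"role": "analyst"}, {"tenant": "tenant-a"}, "read", 100, 200),
    # Out of scope: the delegate tries to grant access to another tenant's resources.
    AccessPolicy("tenant-a-admin", {"role": "analyst"}, {"tenant": "tenant-b"}, "read", 100, 200),
]
```

A delegated policy that omits the scoped attribute altogether is also rejected, because the constraint requires the policy to pin it rather than merely not contradict it.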
In all cases, there may not be any prior knowledge of the specific
characteristics of subjects, actions, resources and so on. Hence, there are no inherent implicit
assumptions about pre-existing organizational structures or resource or attribute
assignments. This is in contrast to access control lists and traditional role-based
access control frameworks in several ways:
• Attribute schemes and attribute assignment processes may evolve independently
of the access policies; different authorities can be in charge of attribute
definition, attribute assignment, access policy authoring, and access control.
• During access policy evaluation, access decisions may consider environmental
attributes and other contextual information in addition to attributes of the subject,
resource and action. Contextual information evolves during the policy life-cycle.
• Policy administration and decision making may also be contextualised. Different
administration and/or command structures may manage independent life-cycle
models and policy groups associated with different contexts. Access policies
may also need to be executed within the scope of a particular context that
influences the way in which their evaluation algorithms are being applied.
In some cases, it may also be necessary to ensure segregation of policy execution -
that is, to ensure no interference between the policies being executed in different
contexts. This capability can create new policy stores and policy engine instances
on-demand for use in distinct contexts. This is particularly useful where in-depth