vokes the functions of an object, etc. A is the set of all authorities, which are the privileges of managing the authorization of permissions in PM. C is the set of all capabilities, which are the privileges of exercising the activated permissions in PM. An entity must log on to a server to activate a permission before it can obtain the corresponding capability.
Two more practical authorization systems (see def. 1) can be derived from the above typed privilege model:

(1) Management-level AS is a 5-tuple $(E, A, E \times PM, \cdot, \cdot)$ whose last two components are the two relations of def. 1, where $A$ and $E \times PM$ are instances of $P$ and $F$ in AS. Given $e \in E$, $a \in A$, $pm \in PM$ and $f = (e', pm) \in E \times PM = F$: if $e$ is entitled with $a$ and $a$ permits $f = (e', pm)$, then $e$ can perform $f$, i.e., $e$ can perform the authorization of $pm$ to entity $e'$.

(2) Access-level AS is a 5-tuple $(E, C, E \times PM, \cdot, \cdot)$ whose last two components are the two relations of def. 1, where $C$ and $E \times PM$ are instances of $P$ and $F$ in AS. Given $e \in E$, $c \in C$, $pm \in PM$ and $f = (e', pm) \in E \times PM = F$: if $e$ is entitled with $c$ and $c$ permits $f = (e', pm)$, then $e$ can perform $f$, i.e., $e$ can perform the access to the resources identified by $pm$ on entity $e'$.
[Fig. 2 (diagram not reproduced): resource owner S, requesting entity U, and intermediate entities M_1 … M_n and P_1 … P_m; edges labelled DoA (1), (2), Authorization (3), Permission Activation (4), DoC (5), (6), (7), and Access Request (8).]
Fig. 2. Access Control Model based on Typed Delegation
Delegation of authorities (DoA) and delegation of capabilities (DoC) can be used to construct access control models for widely distributed systems, as shown in Fig. 2. S is a resource owner and wants to share resources with entity U across several administrative domains. In the above access control model, S can make distributed authorization to U by DoA ((1), (2)) or by direct authorization ((3)). S can also enable proxy-based authentication for U by DoC ((5), (6), (7)) or by direct access request ((8)). The path of DoA and the path of DoC are isolated by the process of permission activation ((4)), performed on S at the request of U. The policies for these scenarios are further discussed and specified in section 3.3.
Permission activation is a basic mechanism for the least privilege principle [9]. Here this mechanism is used to prevent uncontrolled privilege transition: (1) before an entity can delegate its access permission (ATP) to another entity, it must activate the permission to obtain the capability from the server that is the source of the authority controlling the permission; thus the privilege transition from ATP to MTP can be controlled by the server during activation. (2) Conversely, if an entity entitled with some authority (MTP) authorizes a permission to another entity at its own discretion, then when the authorized entity activates the permission at the server, the server can check whether that activation should be allowed (so the transition from MTP to ATP can also be controlled by the server).
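The two authorization systems and the activation gate between them can be made concrete in a small executable model. The following is an added example, not code from the paper: it represents "e is entitled with a" as set membership, because the relation symbols of def. 1 are not reproduced on this page, and the entity names (S, M1, U, P1, X), the permission string and the activation policy of S are assumptions chosen to walk the paths of Fig. 2.

```python
"""Typed delegation model: authorities (A) vs capabilities (C), with permission
activation as the only bridge from the DoA path to the DoC path.
Added example, not the paper's code; entity names and policy are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple


@dataclass(frozen=True)
class Authority:
    """a in A: privilege to manage authorization of pm; source is the server controlling pm."""
    pm: str
    source: str


@dataclass(frozen=True)
class Capability:
    """c in C: privilege to exercise pm on target once pm has been activated there."""
    pm: str
    target: str


Function = Tuple[str, str]  # f = (e', pm), an element of E x PM


class TypedDelegation:
    def __init__(self, activation_policy: Callable[[str, str, str], bool]):
        self.authorities: Dict[str, Set[Authority]] = {}    # e -> authorities e is entitled with
        self.capabilities: Dict[str, Set[Capability]] = {}  # e -> capabilities e is entitled with
        self.authorized: Set[Tuple[str, str, str]] = set()  # (server, e', pm) granted via management-level AS
        self.activation_policy = activation_policy          # server-side check at activation time

    # --- management-level AS: (E, A, E x PM, ...) --------------------------------
    def can_manage(self, e: str, f: Function) -> bool:
        """e can perform f = (e', pm) iff e holds an authority for pm."""
        _, pm = f
        return any(a.pm == pm for a in self.authorities.get(e, ()))

    def authorize(self, e: str, f: Function) -> bool:
        """Edges (2)/(3): e grants pm to e'; the grant is recorded at the authority's source."""
        if not self.can_manage(e, f):
            return False
        e2, pm = f
        for a in self.authorities[e]:
            if a.pm == pm:
                self.authorized.add((a.source, e2, pm))
        return True

    def delegate_authority(self, e: str, e2: str, pm: str) -> bool:
        """DoA, edge (1): the authority itself travels along the management path."""
        held = {a for a in self.authorities.get(e, ()) if a.pm == pm}
        if not held:
            return False
        self.authorities.setdefault(e2, set()).update(held)
        return True

    # --- permission activation, edge (4): MTP -> ATP only with the server's consent --
    def activate(self, e: str, server: str, pm: str) -> bool:
        """server issues a capability iff pm was authorized to e by an authority sourced at
        server and server's own policy allows the activation."""
        if (server, e, pm) not in self.authorized:
            return False
        if not self.activation_policy(server, e, pm):
            return False
        self.capabilities.setdefault(e, set()).add(Capability(pm, server))
        return True

    # --- access-level AS: (E, C, E x PM, ...) ------------------------------------
    def can_access(self, e: str, f: Function) -> bool:
        """e can perform f = (e', pm) iff e holds a capability for pm on e'."""
        e2, pm = f
        return Capability(pm, e2) in self.capabilities.get(e, set())

    def delegate_capability(self, e: str, e2: str, pm: str, target: str) -> bool:
        """DoC, edges (5)-(7): only an activated capability can be delegated, so an
        authority never becomes a capability without passing through activate()."""
        c = Capability(pm, target)
        if c not in self.capabilities.get(e, set()):
            return False
        self.capabilities.setdefault(e2, set()).add(c)
        return True


def scenario() -> Dict[str, bool]:
    """Walk the paths of Fig. 2 with constructed entities S, M1, U, P1 and X."""
    # Assumed activation policy: S refuses to activate any permission for entity X.
    m = TypedDelegation(lambda server, e, pm: not (server == "S" and e == "X"))
    m.authorities["S"] = {Authority("read:report", source="S")}
    r: Dict[str, bool] = {}
    r["doa_S_to_M1"] = m.delegate_authority("S", "M1", "read:report")            # (1)
    r["M1_authorizes_U"] = m.authorize("M1", ("U", "read:report"))               # (2)
    r["U_access_before_activation"] = m.can_access("U", ("S", "read:report"))    # no capability yet
    r["U_doc_before_activation"] = m.delegate_capability("U", "P1", "read:report", "S")
    r["U_activates_at_S"] = m.activate("U", "S", "read:report")                  # (4)
    r["U_access_after_activation"] = m.can_access("U", ("S", "read:report"))     # (8)
    r["U_doc_to_P1"] = m.delegate_capability("U", "P1", "read:report", "S")      # (5)
    r["P1_access_for_U"] = m.can_access("P1", ("S", "read:report"))
    r["M1_authorizes_X"] = m.authorize("M1", ("X", "read:report"))               # discretionary grant
    r["X_activation_blocked"] = m.activate("X", "S", "read:report")              # S's policy says no
    return r
```

Running `scenario()` shows both transitions of the text: U cannot access or delegate anything on the DoC side until S has activated the permission (ATP side gated by the server), and M1's discretionary grant to X is stopped at activation by S's policy (MTP side gated by the server). Holding an authority and holding a capability are deliberately separate sets, so no code path turns one into the other except `activate()`.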
In the paradigms of policy-based distributed systems management, privileges may
be extended to responsibilities and obligations. Delegation of responsibilities and