Figure 1. Managing data access at the home site / identity provider
As shown in Figure 1, the user's home organization takes the role of a FIM identity provider (IDP). All user data is stored in a local identity repository; this repository is usually realized as an LDAP-based enterprise directory, but smaller deployments also use relational database management systems (RDBMS) in practice. A policy decision point (PDP) determines which user attributes, such as name or email address, may be released to which service provider; this workflow has coined the terms attribute release policies (ARPs) and attribute release filtering (ARF).
Common to most current research approaches in this area is, in fact, the use of policy-based management. Thus, the technical architectures are quite similar and involve, among other components, policy repositories, policy decision points, and policy enforcement points (PEP). They differ, however, in the policy language that is actually used: on the one hand, the language's expressiveness is relevant, e.g., whether and which usage purposes and obligations, for example concerning data retention limits, can be specified. On the other hand, arithmetical properties, such as efficiently calculating policy set intersections, are of major concern. Well-known approaches include Tschantz and Krishnamurthi (2006) and Spantzel, Squicciarini, and Bertino (2005), which put an emphasis on efficient negotiation handling and policy evaluation. A more detailed overview can be found in our previous work (Hommel, 2005a).
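The two paragraphs above describe a PDP that filters attributes per service provider and policies that carry usage purposes and retention obligations, and they single out policy set intersection as the arithmetical operation that matters. The following is an added, deliberately simplified example of those mechanics in Python; it is not code from the chapter or from any of the cited systems. The rule model, the `intersect` semantics (attribute released only if both the organization's and the user's ARP allow it; purposes intersected; the stricter retention limit wins), and all entity IDs, attribute names and values are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed identifiers; a real deployment would use the SPs' SAML entityIDs.
LIBRARY_SP = "https://sp.example.edu/library"   # hypothetical SP
WEBSHOP_SP = "https://sp.example.com/webshop"   # hypothetical SP
ANY_SP = "*"


@dataclass(frozen=True)
class ReleaseRule:
    """One attribute release policy (ARP) entry.

    attribute          -- directory attribute name (e.g. LDAP 'mail')
    service_provider   -- exact entityID, or ANY_SP for every SP
    purposes           -- usage purposes for which release is allowed
    max_retention_days -- obligation handed to the SP together with the value
    """
    attribute: str
    service_provider: str
    purposes: frozenset
    max_retention_days: int

    def applies_to(self, sp: str) -> bool:
        return self.service_provider in (ANY_SP, sp)


def intersect(policy_a, policy_b):
    """Intersection of two ARPs (e.g. organization-wide and user-defined).

    A rule survives only if both policies permit the attribute for a
    compatible SP; purposes are intersected and the shorter retention
    limit is kept, so the result is never more permissive than either input.
    """
    result = []
    for a in policy_a:
        for b in policy_b:
            if a.attribute != b.attribute:
                continue
            if a.service_provider != b.service_provider and ANY_SP not in (a.service_provider, b.service_provider):
                continue
            # The more specific SP restriction wins; "*" only if both are "*".
            sp = b.service_provider if a.service_provider == ANY_SP else a.service_provider
            purposes = a.purposes & b.purposes
            if not purposes:
                continue
            result.append(ReleaseRule(a.attribute, sp, purposes,
                                      min(a.max_retention_days, b.max_retention_days)))
    return result


def filter_attributes(user_attrs, policy, sp, purpose):
    """PDP decision: attribute release filtering (ARF).

    Returns {attribute: (value, max_retention_days)} containing only the
    attributes some rule allows for this SP and this purpose. Attributes
    without a matching rule are withheld by default (deny-by-default).
    """
    released = {}
    for name, value in user_attrs.items():
        for rule in policy:
            if rule.attribute == name and rule.applies_to(sp) and purpose in rule.purposes:
                released[name] = (value, rule.max_retention_days)
                break
    return released


# Constructed organization-wide ARP.
ORG_POLICY = [
    ReleaseRule("mail", ANY_SP, frozenset({"login", "billing"}), 30),
    ReleaseRule("displayName", ANY_SP, frozenset({"login"}), 365),
    ReleaseRule("studentID", LIBRARY_SP, frozenset({"login"}), 90),
]

# Constructed user-defined ARP (the user narrows the organization's defaults).
USER_POLICY = [
    ReleaseRule("mail", LIBRARY_SP, frozenset({"login"}), 7),
    ReleaseRule("displayName", ANY_SP, frozenset({"login"}), 30),
    ReleaseRule("studentID", ANY_SP, frozenset({"login"}), 400),
]

EFFECTIVE_POLICY = intersect(ORG_POLICY, USER_POLICY)

# Constructed identity-repository record for one user.
USER_ATTRS = {
    "mail": "alice@example.edu",
    "displayName": "Alice Example",
    "studentID": "s0000001",
    "homePostalAddress": "1 Sample Street",   # no rule at all -> never released
}


def decide(sp: str, purpose: str):
    """What the IDP's PDP would hand to the PEP for a given SP and purpose."""
    return filter_attributes(USER_ATTRS, EFFECTIVE_POLICY, sp, purpose)


if __name__ == "__main__":
    print(decide(LIBRARY_SP, "login"))    # mail (7 days), displayName (30), studentID (90)
    print(decide(WEBSHOP_SP, "billing"))  # {} : user's ARP limits mail to the library SP
```

Note that `homePostalAddress` is never released because deny-by-default is built into `filter_attributes`, and the webshop request yields nothing even though the organization's policy alone would have allowed `mail` for billing: the intersection with the user's narrower policy removed that permission. A language without an efficient intersection operation would have to re-evaluate both policies on every request instead of precomputing `EFFECTIVE_POLICY` once.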
However, these approaches require the a priori definition of policies, which may be too complicated for many users. Thus, interactive solutions have been proposed by both research (e.g., Pfitzmann, 2002; Pettersson et al., 2005) and industry, e.g., the Liberty Alliance interaction service (Aarts, 2004). To enhance these approaches,