Distributed programmable authorisation
David Chadwick


X.812|ISO 10181 Access Control Framework

[Diagram: the Initiator submits an Access Request to the AEF; the AEF sends a Decision Request to the ADF and receives a Decision back; on a positive Decision the AEF presents the Access Request to the Target]

AEF = (Application dependent) Access control Enforcement Function

ADF = (Application independent) Access control Decision Function

GALT 03


Policy Based Authorisation Today (based on ISO 10181-3)

[Diagram: the Application Access control Enforcement Function sends an Authorisation Decision Request to the ADF and receives an Authorisation Decision; the ADF's inputs are Initiator ADI, Target ADI, Access Request ADI, Contextual Information, Retained ADI and the Access Control Policy Rules]

ADI = Access control Decision Information

Example ADFs are Akenti, PERMIS, Cardea
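The AEF/ADF split in the two slides above, as an added example that is not the presentation's own code: a Python ADF that evaluates policy rules against the four categories of ADI the AEF presents (initiator, target, access request, contextual) plus the retained ADI it keeps between decisions, and a file-service AEF that only maps requests onto ADI and enforces the answer. The file service, the roles, the office-hours and 3 MB quota rules and the sample requests are assumptions made for the example.

```python
"""Added example (not from the slides): the X.812 / ISO 10181-3 split between
an application-dependent AEF and an application-independent ADF, with the four
kinds of ADI and the retained ADI the ADF keeps between decisions. Rules, roles
and the 3 MB figure are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class DecisionRequest:
    """What the AEF presents to the ADF: the ADI of one access request."""
    initiator_adi: dict       # who is asking, e.g. id and roles
    target_adi: dict          # what is asked for, e.g. type and path
    access_request_adi: dict  # the operation, e.g. action and size
    contextual: dict          # e.g. time of day


@dataclass(frozen=True)
class Rule:
    subject_role: str
    target_type: str
    action: str
    condition: Optional[Callable] = None  # (request, retained_adi) -> bool


def office_hours(req, retained) -> bool:
    return 8 <= req.contextual["hour"] < 18


def within_quota(req, retained) -> bool:
    """Cumulative bytes read by this initiator, taken from retained ADI."""
    used = retained.get(("bytes_read", req.initiator_adi["id"]), 0)
    return used + req.access_request_adi["size"] <= 3 * 1024 * 1024


# Constructed policy: researchers may read files in office hours within a
# 3 MB cumulative quota; admins may delete files.
POLICY = [
    Rule("researcher", "file", "read",
         lambda r, s: office_hours(r, s) and within_quota(r, s)),
    Rule("admin", "file", "delete"),
]


class ADF:
    """Application-independent decision function: knows rules and ADI, not files."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.retained_adi = {}  # state carried across decisions

    def decide(self, req: DecisionRequest) -> bool:
        for rule in self.rules:
            if (rule.subject_role in req.initiator_adi["roles"]
                    and rule.target_type == req.target_adi["type"]
                    and rule.action == req.access_request_adi["action"]):
                if rule.condition is None or rule.condition(req, self.retained_adi):
                    self._retain(req)
                    return True
        return False  # default deny

    def _retain(self, req):
        """Update retained ADI after a positive decision."""
        if req.access_request_adi["action"] == "read":
            key = ("bytes_read", req.initiator_adi["id"])
            self.retained_adi[key] = self.retained_adi.get(key, 0) + req.access_request_adi["size"]


class FileServiceAEF:
    """Application-dependent enforcement: maps its own requests onto ADI,
    asks the ADF, and enforces the answer; it never decides itself."""
    def __init__(self, adf: ADF):
        self.adf = adf

    def request(self, user, roles, action, path, size=0, hour=12) -> str:
        req = DecisionRequest(
            initiator_adi={"id": user, "roles": tuple(roles)},
            target_adi={"type": "file", "path": path},
            access_request_adi={"action": action, "size": size},
            contextual={"hour": hour},
        )
        return "granted" if self.adf.decide(req) else "denied"


def demo() -> list:
    """Constructed sequence of requests against one AEF/ADF pair."""
    aef = FileServiceAEF(ADF(POLICY))
    mb = 1024 * 1024
    return [
        aef.request("alice", ["researcher"], "read", "/data/f1", size=2 * mb, hour=10),  # granted
        aef.request("alice", ["researcher"], "read", "/data/f2", size=2 * mb, hour=10),  # denied: 4 MB > 3 MB
        aef.request("alice", ["researcher"], "read", "/data/f3", size=1 * mb, hour=22),  # denied: out of hours
        aef.request("bob", ["admin"], "delete", "/data/f1"),                             # granted
        aef.request("bob", ["admin"], "read", "/data/f1", size=1),                       # denied: no matching rule
    ]
```

The point of the split is that the ADF can be reused by any application: nothing in `ADF` knows what a file is, and nothing in `FileServiceAEF` knows the policy. The quota check is the reason retained ADI exists at all: the decision depends on earlier decisions, which only the ADF has seen.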


Authorisation Today for Distributed Applications

[Diagram: one Distributed Application spanning Site 1, Site 2 and Site 3, each with its own AEF; every AEF sends its Decision Request to a single Standalone ADF holding the Common policy and receives a Decision]

Allows co-ordination, but bottleneck to performance


Authorisation Today for Distributed Applications

[Diagram: Site 1, Site 2 and Site 3 each have their own AEF and their own ADF; every ADF is loaded with the same Common policy and there is no link between the ADFs]

Increased performance, but lacks co-ordination


Authorisation Tomorrow for Distributed Applications

[Diagram: Site 1, Site 2 and Site 3 each have their own AEF and ADF; each ADF holds a Site specific policy, and the ADFs exchange Co-ordination messages with one another]

Performance and co-ordination


How?

  • By hierarchically decomposing distributed application authorisation policies into lower level site specific policies

  • Policies comprise rules for subjects, targets, actions and conditions: Who can access what in which way and under what conditions

  • Specify rules that say how targets and actions at the distributed application level are decomposed into targets and actions at the site specific level

  • E.g. UserA can run distributed application X on the Grid using a maximum of 3 MB of storage, might hierarchically decompose into

    • UserA can read File F from site1 and search DB2 at site2 providing no more than 3MB of data are retrieved in total

    • UserA can run the data processing application at any site with spare capacity

    • UserA can write output to their home site

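Hierarchical decomposition as described in the "How?" slide, together with the co-ordination between site ADFs from the "Authorisation Tomorrow" diagram, as an added example that is not part of the presentation: the UserA rule for application X is compiled into site-specific rules, each site ADF decides from its own policy, and a small co-ordinator holds the one piece of state no single site can see (the total bytes retrieved against the 3 MB limit). The decomposition table, the site names, the spare-capacity flag and the Coordinator API are assumptions made for the example; the project's real route via a DAML/OIL ontology, JTP and XACML is not modelled.

```python
"""Added example (not from the slides): decomposing one application-level
authorisation rule into site-specific rules, with a co-ordinator so that a
condition spanning sites (the total storage limit) still holds. Rule shapes,
site names and the decomposition table are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

MB = 1024 * 1024


@dataclass(frozen=True)
class AppRule:
    subject: str
    target: str            # application-level target, e.g. "app-X"
    action: str            # application-level action, e.g. "run"
    max_total_bytes: int   # condition that spans every site


@dataclass(frozen=True)
class SiteRule:
    site: str
    subject: str
    target: str
    action: str
    shared_quota: Optional[str]   # co-ordinated counter this access draws on
    needs_spare_capacity: bool    # site-local condition


# (site, target, action, counts against shared quota, needs spare capacity);
# "*" = any site, "home" = the user's home site. Constructed for the example.
DECOMPOSITION = {
    ("app-X", "run"): [
        ("site1", "file-F", "read", True, False),
        ("site2", "DB2", "search", True, False),
        ("*", "data-processing", "run", False, True),
        ("home", "output", "write", False, False),
    ],
}


def quota_name(rule: AppRule) -> str:
    return f"{rule.subject}:{rule.target}:bytes"


def decompose(rule: AppRule, home_site: str, all_sites: list) -> list:
    """Expand one application-level rule into site-level rules."""
    out = []
    for site, target, action, counts, capacity in DECOMPOSITION[(rule.target, rule.action)]:
        sites = list(all_sites) if site == "*" else [home_site if site == "home" else site]
        quota = quota_name(rule) if counts else None
        out.extend(SiteRule(s, rule.subject, target, action, quota, capacity) for s in sites)
    return out


class Coordinator:
    """Holds what no single site ADF can see: shared usage counters."""
    def __init__(self, limits: dict):
        self.limits = dict(limits)
        self.used = {}

    def reserve(self, quota: str, nbytes: int) -> bool:
        used = self.used.get(quota, 0)
        if used + nbytes > self.limits[quota]:
            return False
        self.used[quota] = used + nbytes
        return True


class SiteADF:
    """Decides from its own site-specific rules; consults the co-ordinator
    only for rules that draw on a shared quota."""
    def __init__(self, site, site_rules, coordinator, spare_capacity=True):
        self.site = site
        self.rules = [r for r in site_rules if r.site == site]
        self.coord = coordinator
        self.spare_capacity = spare_capacity

    def decide(self, subject, target, action, nbytes=0) -> bool:
        for r in self.rules:
            if (r.subject, r.target, r.action) != (subject, target, action):
                continue
            if r.needs_spare_capacity and not self.spare_capacity:
                return False
            if r.shared_quota is None:
                return True
            return self.coord.reserve(r.shared_quota, nbytes)
        return False  # default deny


def deploy(rule: AppRule, home_site: str, all_sites: list, capacity: dict):
    """Compile the application rule and stand up one ADF per site."""
    site_rules = decompose(rule, home_site, all_sites)
    coord = Coordinator({quota_name(rule): rule.max_total_bytes})
    adfs = {s: SiteADF(s, site_rules, coord, capacity.get(s, True)) for s in all_sites}
    return site_rules, adfs


def demo() -> list:
    """Constructed run: UserA's home site is site3, site2 has no spare capacity."""
    rule = AppRule("UserA", "app-X", "run", 3 * MB)
    _, adfs = deploy(rule, "site3", ["site1", "site2", "site3"], {"site2": False})
    return [
        adfs["site1"].decide("UserA", "file-F", "read", 2 * MB),   # True
        adfs["site2"].decide("UserA", "DB2", "search", 2 * MB),    # False: 4 MB in total
        adfs["site2"].decide("UserA", "DB2", "search", 1 * MB),    # True: exactly 3 MB
        adfs["site2"].decide("UserA", "data-processing", "run"),   # False: no spare capacity
        adfs["site3"].decide("UserA", "data-processing", "run"),   # True
        adfs["site3"].decide("UserA", "output", "write"),          # True: home site
        adfs["site1"].decide("UserA", "output", "write"),          # False: not home
        adfs["site1"].decide("UserB", "file-F", "read", 1),        # False: no rule
    ]
```

Only the two rules marked as counting against the quota ever touch the co-ordinator, so the per-site ADFs keep the performance of the "one ADF per site" design while the cross-site condition is still enforced. The co-ordinator is the single point that must be trustworthy and available; if it is unreachable the quota-bearing rules fail closed, which is the safe default for an ADF.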


Proposed Methodology and Technology

  • Specify rules in DAML/OIL/OWL for policy decomposition and produce an authorisation ontology

  • Build a user friendly interface for policy/rule creation, based on a configurable ontology

  • Use JTP from Stanford University, a DAML/OIL reasoning engine that can make inferences

  • Build a reasoning compiler using the above that will read in the ontology and the application specific rules, and will produce site specific policies in XACML

  • Build a secure policy distribution mechanism

  • Build a co-ordination capability between either the site specific ADFs or a central co-ordinating ADF


