Distributed Programmable Authorisation

1. Distributed Programmable Authorisation David Chadwick GALT 03

2. Initiator Target Submit Access Request AEF Present Access Request Decision Request Decision ADF X.812|ISO 10181 Access Control Framework AEF = (Application dependent) Access control Enforcement Function ADF = (Application independent) Access control Decision Function GALT 03

3. Application Access control Enforcement Function Policy Based Authorisation Today(based on ISO 10181-3) Authorisation Decision Request Authorisation Decision Initiator ADI Target ADI ADF Contextual Information Access Request ADI Retained ADI Access Control Policy Rules ADI=Access control Decision Information Example ADFs are Akenti, PERMIS, Cardea GALT 03

4. Authorisation Today for Distributed Applications Distributed Application Site 3 Site 1 Site 2 AEF AEF AEF Decision Request Decision Decision Request Decision Request Decision Decision Standalone ADF Common policy GALT 03 Allows co-ordination, but bottleneck to performance

5. Authorisation Today for Distributed Applications Distributed Application AEF AEF AEF Decision Request Decision Request Decision Request Decision Decision Decision ADF ADF ADF Site 2 Site 1 Site 3 Common policy GALT 03 Increased performance, but lacks co-ordination

6. Authorisation Tomorrow for Distributed Applications Distributed Application AEF AEF AEF Decision Request Decision Request Decision Request Decision Decision Decision ADF Co-ordination Co-ordination ADF ADF Site 2 Site 1 Site 3 Site specific policy GALT 03 Performance and co-ordination

7. How ? • By hierarchically decomposing distributed application authorisation policies into lower level site specific policies • Policies comprise rules for subjects, targets, actions and conditions: Who can access what in which way and under what conditions • Specify rules that say how targets and actions at the distributed application level are decomposed into targets and actions at the site specific level • E.g. UserA can run distributed application X on the Grid using a maximum of 3 MB of storage, might hierarchically decompose into • UserA can read File F from site1 and search DB2 at site2 providing no more than 3MB of data are retrieved in total • UserA can run the data processing application at any site with spare capacity • UserA can write output to their home site GALT 03

8. Proposed Methodology and Technology • Specify rules in DAML/OIL/OWL for policy decomposition and produce an authorisation ontology • Build a user friendly interface for policy/rule creation, based on a configurable ontology • Use JTP from Stanford University, a DAML/OIL reasoning engine that can make inferences • Build a reasoning compiler using the above that will read in the ontology and the application specific rules, and will produce site specific policies in XACML • Build a secure policy distribution mechanism • Build a co-ordination capability between either the site specific ADFs or a central co-ordinating ADF GALT 03