Delegation Assistance

By Achim D. Brucker, Helmut Petritsch, and Andreas Schaad.

Today’s IT systems typically comprise a fine-grained access control mechanism based on complex policies. The strict enforcement of these policies, at runtime, always contains the risk of hindering people in their regular work. An efficient support for assisted delegation can help in resolving the conflict between too tight access control and the required flexibility as well as support the resolution of conflicts. Here, assisted delegation means that, additional to denying the access, a user is informed about a list of users that could either grant him access to the requested resource or which could execute this task in behalf of the user. In this paper, we present an approach for determining a set of users which are able to resolve an access control conflict. This set is based on various information sources and are ordered with respect to different distance functions. We show that one distance function can be used to serve different types of contextual input, e.g., role hierarchies, geospatial information as well as shared business object structure data or social network graphs.

Keywords:
Delegation, Revocation, Policy Enforcement, Security Services, Security Architecture

Please cite this work as follows:
A. D. Brucker, H. Petritsch, and A. Schaad, “Delegation assistance,” in IEEE international symposium on policies for distributed systems and networks (POLICY), Jul. 2009, pp. 84–91. doi: 10.1109/POLICY.2009.35. Author copy: https://logicalhacking.com/publications/brucker.ea-delegation-2009/

BibTeX
@InProceedings{ brucker.ea:delegation:2009,
  author    = {Achim D. Brucker and Helmut Petritsch and Andreas Schaad},
  title     = {Delegation Assistance},
  booktitle = {IEEE International Symposium on Policies for Distributed
               Systems and Networks (POLICY) },
  year      = {2009},
  month     = {jul},
  areas     = {security},
  keywords  = {Delegation, Revocation, Policy Enforcement, Security
               Services, Security Architecture},
  publisher = {IEEE Computer Society },
  address   = {Los Alamitos, CA, USA },
  abstract  = {Today's IT systems typically comprise a fine-grained access
               control mechanism based on complex policies. The strict
               enforcement of these policies, at runtime, always contains the
               risk of hindering people in their regular work. An efficient
               support for assisted delegation can help in resolving the
               conflict between too tight access control and the required
               flexibility as well as support the resolution of conflicts.
               Here, assisted delegation means that, additional to denying
               the access, a user is informed about a list of users that
               could either grant him access to the requested resource or
               which could execute this task in behalf of the user. In this
               paper, we present an approach for determining a set of users
               which are able to resolve an access control conflict. This set
               is based on various information sources and are ordered with
               respect to different distance functions. We show that one
               distance function can be used to serve different types of
               contextual input, e.g., role hierarchies, geospatial
               information as well as shared business object structure data
               or social network graphs.},
  doi       = {10.1109/POLICY.2009.35},
  pages     = {84--91},
  isbn      = {978-0-7695-3742-9},
  note      = {Author copy: \url{https://logicalhacking.com/publications/brucker.ea-delegation-2009/}},
  pdf       = {https://logicalhacking.com/publications/brucker.ea-delegation-2009/brucker.ea-delegation-2009.pdf},
}