Meta-policies for Distributed Role-based Access Control Andrs - - PowerPoint PPT Presentation

▶

Oct 13, 2022 329 likes •481 views

Meta-policies for Distributed Role-based Access Control Andrs Belokosztolszki, Ken Moody {ab374,km}@cl.cam.ac.uk University of Cambridge, Computer Laboratory, OPERA Policy 2002 1 Outline Role-Based Access Control OASIS

SLIDE 1

Policy 2002 1

Meta-policies for Distributed Role-based Access Control

András Belokosztolszki, Ken Moody {ab374,km}@cl.cam.ac.uk University of Cambridge, Computer Laboratory, OPERA

SLIDE 2

Policy 2002 2

Outline

Role-Based Access Control
OASIS
Meta-Policies

– Meta-Policy Types – Compliance

Summary

SLIDE 3

Policy 2002 3

Role-Based Access Control

Roles Privileges

Activation

Sessions

Activation Authorization

SLIDE 4

Policy 2002 4

OASIS Rules

(Open Architecture for Secure Interworking Services) Activation Rule Prerequisite Role Environmental Predicates Appointment MC MC MC Authorization Rule Parameters Parameters Parameters

SLIDE 5

Policy 2002 5

Administrative Domains

Users Admin Policy SLA SLA SLA

SLIDE 6

Policy 2002 6

Problems

SLA maintenance

– New domain, change to a domain, …

Policy evolution
Information hiding
Information about the policy
Local Autonomy

SLIDE 7

Policy 2002 7

Meta-Policies

Data types
Objects (privileges)
Functions and Predicates
Roles (parameters)
Appointment Certificates (parameters)
Rules (membership conditions)
Explicit / Implicit
Negation
Constraints (SSoD, …)

SLIDE 8

Policy 2002 8

Meta-Policy Types

Compliance

– For a single domain

– Information for users – Higher level policies – Policy evolution

Interface

– Communication with other Domains

Meta-Pol Exp Imp

SLIDE 9

Policy 2002 9

Mappings

Meta-Policies are mapped to Policies

– Data-types (one-to-one, one directional) – Functions / Environmental Predicates – Roles / Appointments – Rules – Other Constraints (SSOD, …)

Policy or subset of a policy is considered
Direction of Mappings
Parameters (and constants)

SLIDE 10

Policy 2002 10

Compliance Check

Existence of the mappings
Prerequisite services?
Rules:
1. Translating into policy context
2. Checking explicit rules
3. Checking Implicit rules
Negation (entire policy is considered)
4. Other Constraints
Result: Certificate

SLIDE 11

Policy 2002 11

SLA generation

For Interface Meta-Policies:
Automatic generation

Exporting Importing Meta-Policy SLA

SLIDE 12

Policy 2002 12

Implementation

Desert: Mapping Editor SLA generator

SLIDE 13

Policy 2002 13

Summary

Meta-Policies (Compliance/Interface)
Implementation (Desert)

– Mapping editor – SLA generator

SLIDE 14

Policy 2002 14

Acknowledgement

King’s College Cambridge Graduate

Student Fund

Overseas Research Students Award Scheme