Chadwick, David W. and Otenko, Alexander (2004) Implementing Role Based Access Controls using X.509 Privilege Management - the PERMIS Authorisation Infrastructure. In: Jerman-Blazic, B. and Schneider, W.S. and Klobucar, T., eds. Security and Privacy in Advanced Networking Technologies. NATO Science Series, 193 . IOS Press, pp. 26-39. ISBN 1576034308. (KAR id:14043)
PDF
Language: English |
|
Download this file (PDF/135kB) |
Preview |
Request a format suitable for use with assistive technology e.g. a screenreader |
Abstract
This paper describes the PERMIS role based access control infrastructure that uses X.509 attribute certificates (ACs) to store the users roles. Users roles can be assigned by multiple widely distributed management authorities (called Attribute Authorities in X.509), thereby easing the burden of management. All the ACs can be stored in one or more LDAP directories, thus making them widely available. The PERMIS distribution includes a Privilege Allocator GUI tool, and a bulk loader tool, that allow administrators to construct and sign ACs and store them in an LDAP directory ready for use by the PERMIS decision engine. All access control decisions are driven by an authorization policy, which is itself stored in an X.509 AC, thus guaranteeing its integrity and trustworthiness. Authorization policies are written in XML according to a DTD that has been published at XML.org. A user friendly policy management tool is also being built that will allow non- technical managers to easily specify PERMIS authorisation policies. The access control decision engine is written in Java and has both a Java API and SAML-SOAP interface, allowing it to be called either locally or remotely. The Java API is simple to use, comprising of just 3 methods and a constructor. The SAML-SOAP interface conforms to the OASIS SAMLv1.1 specification, as profiled by a Global Grid Forum draft standard, thus making PERMIS suitable as an authorisation server for Grid applications.
Item Type: | Book section |
---|---|
Additional information: | Proceedings of the NATO Advanced Networking Workshop on Advanced Security Technologies in Networking, Bled, Slovenia, 15-18 September 2003 |
Subjects: | Q Science > QA Mathematics (inc Computing science) > QA 76 Software, computer programming, |
Divisions: | Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing |
Depositing User: | Mark Wheadon |
Date Deposited: | 24 Nov 2008 18:01 UTC |
Last Modified: | 05 Nov 2024 09:48 UTC |
Resource URI: | https://kar.kent.ac.uk/id/eprint/14043 (The current URI for this page, for reference purposes) |
- Link to SensusAccess
- Export to:
- RefWorks
- EPrints3 XML
- BibTeX
- CSV
- Depositors only (login required):