Skip to main content
Kent Academic Repository

Implementing Role Based Access Controls using X.509 Privilege Management - the PERMIS Authorisation Infrastructure

Chadwick, David W. and Otenko, Alexander (2004) Implementing Role Based Access Controls using X.509 Privilege Management - the PERMIS Authorisation Infrastructure. In: Jerman-Blazic, B. and Schneider, W.S. and Klobucar, T., eds. Security and Privacy in Advanced Networking Technologies. NATO Science Series, 193 . IOS Press, pp. 26-39. ISBN 1576034308. (KAR id:14043)


This paper describes the PERMIS role based access control infrastructure that uses X.509 attribute certificates (ACs) to store the users roles. Users roles can be assigned by multiple widely distributed management authorities (called Attribute Authorities in X.509), thereby easing the burden of management. All the ACs can be stored in one or more LDAP directories, thus making them widely available. The PERMIS distribution includes a Privilege Allocator GUI tool, and a bulk loader tool, that allow administrators to construct and sign ACs and store them in an LDAP directory ready for use by the PERMIS decision engine. All access control decisions are driven by an authorization policy, which is itself stored in an X.509 AC, thus guaranteeing its integrity and trustworthiness. Authorization policies are written in XML according to a DTD that has been published at A user friendly policy management tool is also being built that will allow non- technical managers to easily specify PERMIS authorisation policies. The access control decision engine is written in Java and has both a Java API and SAML-SOAP interface, allowing it to be called either locally or remotely. The Java API is simple to use, comprising of just 3 methods and a constructor. The SAML-SOAP interface conforms to the OASIS SAMLv1.1 specification, as profiled by a Global Grid Forum draft standard, thus making PERMIS suitable as an authorisation server for Grid applications.

Item Type: Book section
Additional information: Proceedings of the NATO Advanced Networking Workshop on Advanced Security Technologies in Networking, Bled, Slovenia, 15-18 September 2003
Subjects: Q Science > QA Mathematics (inc Computing science) > QA 76 Software, computer programming,
Divisions: Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing
Depositing User: Mark Wheadon
Date Deposited: 24 Nov 2008 18:01 UTC
Last Modified: 16 Nov 2021 09:52 UTC
Resource URI: (The current URI for this page, for reference purposes)

University of Kent Author Information

  • Depositors only (login required):

Total unique views for this document in KAR since July 2020. For more details click on the image.