Chadwick, David W. (2007) Coordinated decision making in distributed applications. Information Security Technical Report, Elsevier, 12 (3). pp. 147-154. ISSN 1363-4127. (doi:10.1016/j.istr.2007.05.003) (The full text of this publication is not currently available from this repository. You may be able to access a copy if URLs are provided) (KAR id:14612)
Official URL: http://dx.doi.org/10.1016/j.istr.2007.05.003
Abstract
This paper describes how it is possible to use today’s existing stateless PDPs such as the
XACML PDP, to provide coordinated access control decision making throughout a distributed
application. This is achieved by utilising an external database service to store the
retained ADI that is needed by the PDPs. In this way the decision making can be coordinated
and controlled throughout time and space. The retained ADI is modelled as coordination
attributes of a coordination object, and coordination PIPs linked to each PDP access the coordination
database service to retrieve the current values of the coordination attributes
prior to the access control decision being made. Obligations in the access control policy define
how the coordination attributes should be updated when the user is granted access to
a resource. Three different modes of enforcing obligations are defined by a Chronicle directive,
namely Chronicle = Before, Chronicle = After and Chronicle = With. The paper
describes how the coordinated decision making has been implemented in Globus Toolkit
v4, by developing a Coordinated PDP that incorporates a coordination PIP, an Obligations
Service that implements the Chronicle = Before mode of operation, and a stateless PDP
that makes the access control decisions; and an external coordination database grid service
that has its own security controls to ensure that only Coordinated PDPs can access it. The
paper concludes by discussing the implementation and indicating how the Chronicle =
After and Chronicle = With modes of operation might also be supported in GT4.
Item Type: | Article |
---|---|
DOI/Identification number: | 10.1016/j.istr.2007.05.003 |
Subjects: | Q Science > QA Mathematics (inc Computing science) > QA 76 Software, computer programming, |
Divisions: | Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing |
Depositing User: | Mark Wheadon |
Date Deposited: | 24 Nov 2008 18:05 UTC |
Last Modified: | 05 Nov 2024 09:49 UTC |
Resource URI: | https://kar.kent.ac.uk/id/eprint/14612 (The current URI for this page, for reference purposes) |