Chadwick, David W. (2007) Coordinated decision making in distributed applications. Information Security Technical Report, Elsevier, 12 (3). pp. 147-154. ISSN 1363-4127.
This paper describes how today's existing stateless PDPs (policy decision points), such as the XACML PDP, can be used to provide coordinated access control decision making throughout a distributed application. This is achieved by utilising an external database service to store the retained ADI (access control decision information carried over from earlier decisions) that the PDPs need. In this way the decision making can be coordinated and controlled throughout time and space. The retained ADI is modelled as coordination attributes of a coordination object, and coordination PIPs (policy information points) linked to each PDP query the coordination database service for the current values of the coordination attributes before the access control decision is made. Obligations in the access control policy define how the coordination attributes are to be updated when the user is granted access to a resource. Three modes of enforcing obligations are defined by a Chronicle directive, namely Chronicle = Before, Chronicle = After and Chronicle = With. The paper describes how coordinated decision making has been implemented in Globus Toolkit v4 by developing a Coordinated PDP that incorporates a coordination PIP, an Obligations Service that implements the Chronicle = Before mode of operation, and a stateless PDP that makes the access control decisions, together with an external coordination database grid service that has its own security controls to ensure that only Coordinated PDPs can access it. The paper concludes by discussing the implementation and indicating how the Chronicle = After and Chronicle = With modes of operation might also be supported in GT4.
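The architecture summarised in the abstract, as an added illustration in Python; this is not code from the paper or from Globus Toolkit v4. A coordination PIP fetches the coordination attributes of a coordination object from a shared database service, a stateless PDP decides over request attributes plus those values, and an obligation returned with Permit updates the shared attribute in Chronicle = Before mode. The names CoordinationDB, CoordinatedPDP and MAX_DOWNLOADS, the `downloads` attribute and the credential check are invented for the example; the conditional (compare-and-set) update and the handling of After and With obligations as items handed back to the enforcement point are this example's design choices, not details taken from the paper.

```python
"""Coordinated decision making with stateless PDPs (illustrative simulation).

Added example, not the paper's GT4 implementation.  A coordination PIP fetches
the retained ADI (here one counter on a coordination object) from a shared
CoordinationDB, a stateless PDP decides over request plus coordination
attributes, and an obligation on Permit says how to update them.  All names,
the 'downloads' attribute and MAX_DOWNLOADS are invented for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

PDP_CREDENTIAL = "coordinated-pdp-credential"  # stands in for the DB service's own access control
MAX_DOWNLOADS = 2                               # policy constant chosen for the example


class CoordinationDB:
    """Shared store of coordination objects; only callers presenting the
    Coordinated-PDP credential may read or update them."""

    def __init__(self, credential: str) -> None:
        self._credential = credential
        self._objects: Dict[str, Dict[str, int]] = {}

    def _authorise(self, credential: str) -> None:
        if credential != self._credential:
            raise PermissionError("caller is not a Coordinated PDP")

    def read(self, credential: str, obj_id: str) -> Dict[str, int]:
        self._authorise(credential)
        return dict(self._objects.setdefault(obj_id, {}))

    def compare_and_set(self, credential: str, obj_id: str, attr: str,
                        expected: int, new: int) -> bool:
        """Conditional write: succeeds only if attr still holds the value the
        PIP read, closing the read-decide-write window between two PDPs."""
        self._authorise(credential)
        obj = self._objects.setdefault(obj_id, {})
        if obj.get(attr, 0) != expected:
            return False
        obj[attr] = new
        return True


@dataclass
class Obligation:
    chronicle: str   # "Before", "After" or "With"
    attr: str
    delta: int


@dataclass
class Decision:
    permit: bool
    obligations: List[Obligation] = field(default_factory=list)


def stateless_pdp(request: dict, coord: Dict[str, int]) -> Decision:
    """Stateless rule: permit analysts while fewer than MAX_DOWNLOADS downloads
    of the resource have been made anywhere; on Permit, oblige a Before-mode
    increment of the shared counter.  The PDP itself keeps no state."""
    if request["role"] != "analyst":
        return Decision(False)
    if coord.get("downloads", 0) >= MAX_DOWNLOADS:
        return Decision(False)
    return Decision(True, [Obligation("Before", "downloads", +1)])


class CoordinatedPDP:
    """Coordination PIP + Obligations Service (Before mode) + stateless PDP."""

    def __init__(self, db: CoordinationDB, credential: str) -> None:
        self.db, self.credential = db, credential

    def pip_fetch(self, obj_id: str) -> Dict[str, int]:
        return self.db.read(self.credential, obj_id)   # the coordination PIP

    def decide_with(self, request: dict, coord: Dict[str, int]) -> Tuple[str, List[Obligation]]:
        """Decide against already-fetched coordination attributes (split out so
        the race between two PDPs can be reproduced deterministically)."""
        obj_id = request["resource"]
        decision = stateless_pdp(request, coord)
        if not decision.permit:
            return "Deny", []
        pending: List[Obligation] = []
        for ob in decision.obligations:
            if ob.chronicle == "Before":
                current = coord.get(ob.attr, 0)
                if not self.db.compare_and_set(self.credential, obj_id, ob.attr,
                                               current, current + ob.delta):
                    return "Deny", []   # retained ADI changed under us: fail closed
            else:
                pending.append(ob)      # After / With: handed to the PEP to enforce around the access
        return "Permit", pending

    def decide(self, request: dict) -> Tuple[str, List[Obligation]]:
        return self.decide_with(request, self.pip_fetch(request["resource"]))


def sequential_demo() -> List[str]:
    """Two stateless PDP instances share one coordination object; the third
    request is denied although neither PDP remembers the earlier two."""
    db = CoordinationDB(PDP_CREDENTIAL)
    pdp_a, pdp_b = CoordinatedPDP(db, PDP_CREDENTIAL), CoordinatedPDP(db, PDP_CREDENTIAL)
    req = {"role": "analyst", "resource": "report-42"}
    return [pdp_a.decide(req)[0], pdp_b.decide(req)[0], pdp_a.decide(req)[0]]


def race_demo() -> Tuple[str, str]:
    """Both PDPs read the last free slot before either writes; the conditional
    update lets exactly one of them grant it."""
    db = CoordinationDB(PDP_CREDENTIAL)
    pdp_a, pdp_b = CoordinatedPDP(db, PDP_CREDENTIAL), CoordinatedPDP(db, PDP_CREDENTIAL)
    req = {"role": "analyst", "resource": "report-42"}
    pdp_a.decide(req)                       # downloads 0 -> 1, one slot left
    snap_a, snap_b = pdp_a.pip_fetch(req["resource"]), pdp_b.pip_fetch(req["resource"])
    return pdp_a.decide_with(req, snap_a)[0], pdp_b.decide_with(req, snap_b)[0]
```

The point of `race_demo` is the caveat a practitioner will hit straight away: the PIP read and the obligation write are two separate calls to the database service, so a plain overwrite would let two PDPs both grant the last slot. Making the Before-mode update conditional on the value the PIP read turns the lost race into a Deny, which is the safe failure for a limit-style policy.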
Subjects: Q Science > QA Mathematics (inc Computing science) > QA 76 Software, computer programming
Divisions: Faculties > Science Technology and Medical Studies > School of Computing > Security Group
Depositing User: Mark Wheadon
Date Deposited: 24 Nov 2008 18:05
Last Modified: 24 Jun 2009 22:16
Resource URI: https://kar.kent.ac.uk/id/eprint/14612