Delegation of Authority

David Chadwick
Motivations
• To allow people to delegate roles to other people, so that they can perform tasks that were previously denied to them
• To ease the management of permissions through distribution and delegation, which aids scalability (as opposed to centralised control)
• To facilitate inter-organisation federations, by allowing one organisation to leverage the role allocations in another organisation and thereby give them access to their resources in a controlled manner
Assigning and Delegating Privileges in Organisations
[Figure: the Resource Owner assigns a privilege to the Privilege Holder; the Privilege Holder in turn delegates the privilege to the End User, who thereby becomes a Privilege Holder. The two signed statements in the figure read:]
“I authorise this Privilege Holder to use this resource in the following ways” – signed The Resource Owner
“I delegate authority to this End User to use this resource in this limited way” – signed The Privilege Holder
The X.509 Delegation Service
[Figure: entities shown are the SOA, Bill, Alice (an AA), Bob (an end entity), the Delegation Issuing Service (DIS) and its Delegation Policy. The arrows are labelled “Issues AC to”: the SOA issues an AC to Alice, and Alice issues an AC to Bob. An AC “points to holder”, “points to issuer” and, when issued by the DIS, “points to Issued On Behalf Of”.]
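The two slides above describe a chain of signed assertions: a trusted root (the SOA) issues an attribute certificate to an AA such as Alice, who may then issue an AC to an end entity such as Bob, subject to a delegation policy. The following Go program is an added example written for this page, not code from the PERMIS or DIS project; it uses a simplified, JSON-encoded stand-in for an X.509 AC with Ed25519 signatures, and the privilege names, the MaxDepth field and the SOA/Alice/Bob/Carol scenario are constructed for illustration. The verifier walks the chain from the SOA to the end entity and rejects an AC whose issuer is not the previous holder, whose signature fails, which claims a privilege its issuer never held, or which delegates deeper than the policy allows.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// AttrCert is a simplified stand-in for an X.509 attribute certificate (assumption,
// not the real ASN.1 structure): an issuer asserts privileges about a holder and
// states how many further delegation hops the holder may perform.
type AttrCert struct {
	Issuer     string   `json:"issuer"`
	Holder     string   `json:"holder"`
	Privileges []string `json:"privileges"`
	MaxDepth   int      `json:"max_depth"` // 0 = holder may not delegate onward
	Sig        []byte   `json:"-"`         // excluded from the signed bytes
}

// tbs returns the to-be-signed encoding: every field except the signature.
func (c AttrCert) tbs() []byte {
	b, _ := json.Marshal(c)
	return b
}

// Issue creates an AC signed by the issuer's private key.
func Issue(issuerKey ed25519.PrivateKey, issuer, holder string, privs []string, maxDepth int) AttrCert {
	c := AttrCert{Issuer: issuer, Holder: holder, Privileges: privs, MaxDepth: maxDepth}
	c.Sig = ed25519.Sign(issuerKey, c.tbs())
	return c
}

func contains(set []string, p string) bool {
	for _, s := range set {
		if s == p {
			return true
		}
	}
	return false
}

// ValidateChain checks chain[0] (issued by the trusted SOA) through chain[n-1]
// (the end entity's AC) and returns the end entity's effective privileges.
func ValidateChain(soa string, soaPub ed25519.PublicKey, pubkeys map[string]ed25519.PublicKey, chain []AttrCert) ([]string, error) {
	if len(chain) == 0 {
		return nil, errors.New("empty chain")
	}
	for i, c := range chain {
		var issuerPub ed25519.PublicKey
		if i == 0 {
			// The root of the chain must come from the SOA we trust.
			if c.Issuer != soa {
				return nil, fmt.Errorf("AC 0: issuer %q is not the trusted SOA", c.Issuer)
			}
			issuerPub = soaPub
		} else {
			prev := chain[i-1]
			// The issuer of this AC must be the holder of the previous one.
			if c.Issuer != prev.Holder {
				return nil, fmt.Errorf("AC %d: issuer %q is not the holder of AC %d", i, c.Issuer, i-1)
			}
			var ok bool
			if issuerPub, ok = pubkeys[c.Issuer]; !ok {
				return nil, fmt.Errorf("AC %d: no public key for issuer %q", i, c.Issuer)
			}
			// Delegation policy: the issuer must still have delegation depth left ...
			if prev.MaxDepth < 1 {
				return nil, fmt.Errorf("AC %d: %q may not delegate (depth exhausted)", i, c.Issuer)
			}
			// ... may not hand on more depth than it holds ...
			if c.MaxDepth > prev.MaxDepth-1 {
				return nil, fmt.Errorf("AC %d: depth %d exceeds permitted %d", i, c.MaxDepth, prev.MaxDepth-1)
			}
			// ... and may only delegate privileges it actually holds (no escalation).
			for _, p := range c.Privileges {
				if !contains(prev.Privileges, p) {
					return nil, fmt.Errorf("AC %d: privilege %q not held by issuer %q", i, p, c.Issuer)
				}
			}
		}
		if !ed25519.Verify(issuerPub, c.tbs(), c.Sig) {
			return nil, fmt.Errorf("AC %d: bad signature from %q", i, c.Issuer)
		}
	}
	return chain[len(chain)-1].Privileges, nil
}

// Scenario builds the constructed SOA -> Alice -> Bob chain, then two chains a
// verifier must reject: a privilege escalation and an over-depth delegation.
func Scenario() (bobPrivs []string, escalationErr error, depthErr error) {
	soaPub, soaKey, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, aliceKey, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, bobKey, _ := ed25519.GenerateKey(rand.Reader)
	keys := map[string]ed25519.PublicKey{"Alice": alicePub, "Bob": bobPub}

	toAlice := Issue(soaKey, "SOA", "Alice", []string{"read", "write", "approve"}, 1) // one hop allowed
	toBob := Issue(aliceKey, "Alice", "Bob", []string{"read", "write"}, 0)            // limited subset, no further hops
	bobPrivs, _ = ValidateChain("SOA", soaPub, keys, []AttrCert{toAlice, toBob})

	escalate := Issue(aliceKey, "Alice", "Bob", []string{"read", "delete"}, 0) // "delete" was never held by Alice
	_, escalationErr = ValidateChain("SOA", soaPub, keys, []AttrCert{toAlice, escalate})

	toCarol := Issue(bobKey, "Bob", "Carol", []string{"read"}, 0) // Bob's AC forbids onward delegation
	_, depthErr = ValidateChain("SOA", soaPub, keys, []AttrCert{toAlice, toBob, toCarol})
	return
}

func main() {
	privs, escErr, depErr := Scenario()
	fmt.Println("Bob's validated privileges:", privs)
	fmt.Println("escalation attempt:", escErr)
	fmt.Println("over-depth attempt:", depErr)
}
```

The checks mirror the figure: the "points to issuer" and "points to holder" links become the issuer-equals-previous-holder test, and the delegation policy is enforced by the depth and subset checks rather than by trusting the issuer to restrain itself.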
DIS Communications
[Figure: a web browser reaches the DIS Web Service over SSL or Shibboleth; the service runs in Apache and exposes a Java Web Service Interface in front of the DIS.]
[Figure: DIS architecture. The DIS client is authenticated; identities are mapped from the authentication name to the authorisation name; the issuer's AC and the Delegation Issuing Policy are passed, via the web service interface, to the DIS PEP, which requests credential validation from the PERMIS RBAC authorisation PDP; on success the DIS signs the AC (IssueAC) and publishes it (publishAC) to an LDAP server.]
Demonstration
• The DIS demo is available at https://issrg-testbed.cs.kent.ac.uk:8443/dis.html
Acknowledgement
This work was funded under the JISC DyVOSE project.