Delegation of Authority
David Chadwick, d.w.chadwick@kent.ac.uk
Motivations
• To allow people to delegate roles to other people, so that those people can perform tasks that were previously denied to them
• To ease the management of permissions through distribution and delegation, which aids scalability (as opposed to centralised control)
• To facilitate inter-organisation federations, by allowing one organisation to leverage the role allocations made in another organisation and thereby give that organisation's users access to its resources in a controlled manner
Assigning and Delegating Privileges in Organisations
• The Resource Owner assigns a privilege to a Privilege Holder: "I authorise this Privilege Holder to use this resource in the following ways" (signed: the Resource Owner)
• The Privilege Holder delegates the privilege to an End User, who thereby becomes a Privilege Holder in turn: "I delegate authority to this End User to use this resource in this limited way" (signed: the Privilege Holder)
The X.509 Delegation Service
• The SOA (Bill) issues an attribute certificate (AC) to the AA (Alice). Each AC points to its holder and to its issuer.
• Alice's Delegation Issuing Service (DIS) issues an AC to the End Entity (Bob). This AC points to its holder (Bob), to its issuer (the DIS) and, via "Issued On Behalf Of", to Alice, the AA whose privileges are being delegated.
• Issuance by the DIS is governed by the delegation policy.
DIS architecture: a Web browser connects over SSL or via Shibboleth to the Apache DIS, which talks to the Java DIS through a Web Service interface (DIS Communications).
DIS Web Service processing of an IssueAC request (components as labelled on the slide):
1. Authenticate the DIS client.
2. Map identities: authentication name to authorisation name.
3. PERMIS RBAC credential validation of the client's own ACs against the issuer's AC policy.
4. Request authorisation: the DIS PEP asks the PDP whether the Delegation Issuing Policy permits this delegation.
5. IssueAC (via the Web service interface) and Sign AC.
6. publishAC: store the signed AC in the LDAP server.
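The two slides above (the delegation chain SOA, AA, End Entity, and the DIS issuance checks) are modelled in the following added example. It is not PERMIS or DIS code. HMAC with constructed per-entity secrets stands in for X.509 signatures, the entity names, roles, the delegation issuing policy and the authn-to-authzn map are all constructed for illustration, and a dict stands in for the LDAP server.

```python
import hashlib
import hmac
import json

# Constructed HMAC secrets standing in for each entity's X.509 signing key
# (assumption: a real DIS uses private keys and X.509 AC signatures).
KEYS = {"SOA": b"soa-secret", "Alice": b"alice-secret", "DIS": b"dis-secret"}
ROOT_ISSUER = "SOA"        # trust anchor: the Source Of Authority
TRUSTED_DIS = {"DIS"}      # signers allowed to issue "on behalf of" an AA

# Constructed delegation issuing policy: roles that may be delegated at all.
POLICY = {"delegatable_roles": {"ProjectMember", "DataReader", "Auditor"}}

# Constructed map from authentication names (SSL/Shibboleth identity)
# to the authorisation names that appear as AC holders.
AUTHN_TO_AUTHZN = {"alice@kent.ac.uk": "Alice", "bob@kent.ac.uk": "Bob"}


def _tbs(ac):
    """Canonical to-be-signed bytes: every field except the signature."""
    body = {k: sorted(v) if isinstance(v, frozenset) else v
            for k, v in ac.items() if k != "signature"}
    return json.dumps(body, sort_keys=True).encode()


def issue_ac(signer, holder, roles, depth, on_behalf_of=None):
    """Build an AC signed by `signer`; `depth` is how many further hops
    the holder may delegate. `on_behalf_of` names the AA a DIS acted for."""
    ac = {"holder": holder, "issuer": signer, "on_behalf_of": on_behalf_of,
          "roles": frozenset(roles), "depth": depth}
    ac["signature"] = hmac.new(KEYS[signer], _tbs(ac), hashlib.sha256).hexdigest()
    return ac


def verify_signature(ac):
    key = KEYS.get(ac["issuer"])
    if key is None:
        return False
    expected = hmac.new(key, _tbs(ac), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, ac["signature"])


def delegator_of(ac):
    """Whose privileges this AC draws on: the AA a DIS signed for, else the signer."""
    return ac["on_behalf_of"] or ac["issuer"]


def validate_chain(chain):
    """Validate an ordered chain SOA -> AA -> ... -> end entity. Returns (ok, reason)."""
    if not chain or chain[0]["issuer"] != ROOT_ISSUER:
        return False, "chain must start at the SOA"
    for i, ac in enumerate(chain):
        if not verify_signature(ac):
            return False, f"bad signature on AC for {ac['holder']}"
        if ac["on_behalf_of"] and ac["issuer"] not in TRUSTED_DIS:
            return False, f"{ac['issuer']} may not sign on behalf of an AA"
        if i == 0:
            continue
        prev = chain[i - 1]
        if delegator_of(ac) != prev["holder"]:
            return False, f"{delegator_of(ac)} is not the holder of the previous AC"
        if not ac["roles"] <= prev["roles"]:
            return False, f"{delegator_of(ac)} delegated roles it does not hold"
        if prev["depth"] < 1 or ac["depth"] > prev["depth"] - 1:
            return False, "delegation depth exceeded"
    return True, "ok"


class DIS:
    """Minimal Delegation Issuing Service: authenticate, map the name, validate
    the client's own credentials, check policy, sign on the AA's behalf, publish."""

    def __init__(self):
        self.ldap = {}   # stand-in for the LDAP server that receives publishAC

    def issue(self, authn_name, client_chain, holder, roles, depth):
        authzn = AUTHN_TO_AUTHZN.get(authn_name)
        if authzn is None:
            return None, "unknown client"
        ok, why = validate_chain(client_chain)
        if not ok or client_chain[-1]["holder"] != authzn:
            return None, f"client credentials invalid: {why}"
        if not set(roles) <= POLICY["delegatable_roles"]:
            return None, "policy forbids delegating these roles"
        ac = issue_ac("DIS", holder, roles, depth, on_behalf_of=authzn)
        ok, why = validate_chain(client_chain + [ac])   # PDP-style check
        if not ok:
            return None, why
        self.ldap[holder] = ac
        return ac, "ok"


if __name__ == "__main__":
    soa_ac = issue_ac("SOA", "Alice", {"ProjectMember", "DataReader"}, depth=1)
    dis = DIS()
    bob_ac, why = dis.issue("alice@kent.ac.uk", [soa_ac], "Bob", {"DataReader"}, 0)
    print("Bob's AC:", why, validate_chain([soa_ac, bob_ac]))
    print("Alice delegates Auditor:", dis.issue("alice@kent.ac.uk", [soa_ac], "Bob", {"Auditor"}, 0)[1])
    print("Bob re-delegates:", dis.issue("bob@kent.ac.uk", [soa_ac, bob_ac], "Carol", {"DataReader"}, 0)[1])
```

The chain check enforces the points the slides imply but do not spell out: each hop's delegator must be the previous holder, a delegator can only hand down roles it actually holds, depth shrinks at every hop, and only a trusted DIS may sign "on behalf of" an AA.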
Demonstration
• The DIS demo is available at https://issrg-testbed.cs.kent.ac.uk:8443/dis.html
Acknowledgement
This work was funded under the JISC DyVOSE project.