1 / 25

FRAMEWORK FOR AGENT-BASED ROLE DELEGATION

FRAMEWORK FOR AGENT-BASED ROLE DELEGATION . Presentation by: Ezedin S. Barka UAE University . Agenda. Role-Based Delegation Review of RBDM Framework RBDM0 RBDM1 Agent-Based Role Delegation (ARBDM) Flat Roles Hierarchical Roles Conclusion. Delegation.

eben
Télécharger la présentation

FRAMEWORK FOR AGENT-BASED ROLE DELEGATION

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. FRAMEWORK FOR AGENT-BASED ROLE DELEGATION Presentation by: Ezedin S. Barka UAE University

  2. Agenda • Role-Based Delegation • Review of RBDM Framework • RBDM0 • RBDM1 • Agent-Based Role Delegation (ARBDM) • Flat Roles • Hierarchical Roles • Conclusion

  3. Delegation • Some active entity in a system delegates authority to another active entity to carry out some function on behalf of the former • Delegation can take many forms: • Human to machine, • Machine to machine, and perhaps even machine to human • Human to human (My Focus)

  4. Role-Based Delegation • What is delegated is a role • Authorization for delegation is also role-based Can-delegate Professor Assistant (TA)

  5. Related Work • The RBAC Models (well known and widely accepted) • Gasser and McDermott- Human to machine delegation. • Gladny-Machine to machine • Varadharajan- process to process delegation.

  6. The RBAC96 Model (Simplified) R Roles P Permissions U Users UA User Assignment PA Permission Assignment Simplified Version of RBAC96 Model RH Role Hierarchy U Users R Roles P Permissions UA User Assignment PA Permission Assignment Simplified Version of RBAC96 Model In Hierarchical roles

  7. RBDM Framework • Delegation Characteristics: • Permanence, • Monotonicity, • Totality, • Administration, • Levels of delegation, • Agreements • Cascading revocation • Grant-dependency revocation

  8. RBDM Framework ..Cont. • Addressing every characteristic as mutually exclusive is a formidable task, and can get very complicated • Used a systematic approach to reduce the large number of possible cases • Reduced cases were used to build the delegation models

  9. Done Under development Not done

  10. RBDM Models • Temporary delegation • RBDM0 (or TRBDM0) • RBDM1 (or TRBDM1) • Permanent delegation • PRBDM0 • PRBDM1 • Agent-based (ARBDM)

  11. Delegation in RBDM0 • Delegation is authorized by means of can-delegate relation: can delegate  RR. For example, AliceUser_O(Prof.) BobUser_O(TA) Alice delegates to Bob Professor Role TA Role (Bob,Prof.)UAD

  12. Delegation in ARBDM-Flat Roles • Delegation is temporary • Delegation isMonotonic (delegator does not loose his membership in the delegated role) • Delegation can be total or partial • Conducted in two ways: • By Role-Participant Agent • By Non-Role Participant Agent “Only the original member can delegate”.

  13. Delegation in ARBDM-Flat Roles…cont. • Delegation by Role-Participant Agent • Occurrences of Role-Participant Agent Delegation • Statically:the delegating role member delegates his role membership to a user who is a member of a predefined role (agent role) for the purpose of further delegating that role to another specified user. • Dynamically:the delegating role member can, dynamically, delegate his role to another user who meets a certain criteria “set by the security officer,” with the authority to further delegate thatrole. • Delegation by Non-Role Participant AgentOnly the original member can delegate

  14. Taxonomy for ARBDM

  15. ARBDM-Dynamic Role Participant Agent • Agent who is a third party is assigned to administer the delegation between two different users that belong to two different roles, and that agent has membership in the delegating role. • This means that the middleman “agent” has full power in the delegating role • This can be considered as a restricted two-step delegation. • A user who wishes to have a third party administers his role delegation can accomplish his wish by delegating his role to an agent with the authority to further delegate that role to another user that meets a criteria, qualifying him to a delegate user

  16. ARBDM-Dynamic Non-Role Participant Agent The ARBDM-DNRP model has the following components: • AR is an agent role, which is a regular role with added delegation administration responsibility. • UAA  U  R is many to many agent member to role assignment relation • UA = UAO  UAD  UAA • UAA UAD =  Agent and delegate members in the same role are disjoint. • Users_O (r) = {U  (U, r)  UAA} • Where: UA is the user assignment; UAO is the user assignment of the original members; UAD is the user assignment of the delegate members; and UAA is the assignment of the agent members.

  17. Delegation in ARBDM-DNRP: Controls role-role delegation by means of the relation can-delegate  R AR  R Revocation in ARBDM-DNRP: Two ways by using timeouts by allowing any original member of the delegating role to revoke the membership of any delegate member in that role (grant-independent revocation ). Delegation/Revocation in ARBDM-DNRP (Charlie, a)  UAD Delegating Role (a) Delegate Role (c) Charlie  User_O (c) Alice  User_O (a) (Bob, a)  UAA Bob delegates to Charlie Agent Role (b) Example of Agent Based Delegation-Dynamic-Non-Role Participant Agent

  18. ARBDM In Hierarchical Roles (ARBDMH) • Goal is to impose restrictions on which users can be delegated to and by which agent. • The notion of a prerequisite condition (CR) is a key part of ARBDMH.

  19. ARBDMH Basic Elements • Delegation can only be either downwards or cross. • Upwards is useless because senior roles inherit all the permission of their junior roles. • Due to the inheritance nature of role hierarchies, the agent is limited to a certain range of delegation. • A member of a role that is senior to the agent role is also an agent. • The addition of role hierarchy introduces a new notion for a user membership in a role: • The explicit role membership grants a user the authority to use the permissions of that role because of his/her direct membership to that role. • The implicit role membership, on the other hand, grants a user the authority to use the permissions of that role because of that user’s membership of a role that is senior to the given role. • original memberships and delegate memberships produces 4 different combinations of user memberships in each role at any given moment: original/explicit, original /implicit, delegate/explicit, and delegate/implicit • Only members of original/explicit and original/implicit roles can serve as agents.

  20. Delegation in ARBDMH • The role-role delegation is authorized in ARBDMH by the following relation: Can-delegate  AR  CR  2R

  21. Example of Delegation in ARBDMH Director Project lead 1 Project lead 2 Production QualityProductionQuality Engineer 1 Engineer 1 Engineer 2 Engineer 2 (PE1) (QE1)(PE2) (QE2) Engineer 1 Engineer 2 Engineering Department (ED) E An Example Agent Role Hierarchy Senior Delegating Agent (SDA) Department Delegating Agent (DDA) Project delegating Project delegating agent1 agent2 Example Role Hierarchy

  22. Example of Can-Delegate

  23. Revocation in ARBDMH • Two Approaches: • Revocation Using Timeout • A duration constraint is attached to each delegation relation so that when the assigned time expired, the delegation is also expired • Human Revocation • By either the security officer or by the original users in the delegating role

  24. Conclusion • Addressed the agent-based role delegation, which is one of delegation characteristics described in the literature by Barka and Sandhu [BS2000]. • Described a systematic approach in which an agent-based delegation can be implemented. • Identified two manifestations, role-participant agent and non-role participant agent, to delegation using agent-based role delegation. • Identified two additional modes in which these delegation can occur: static and dynamic. • Used the dynamic non-role participant agent, manifestation to develop a model for agent-based role delegation. • Models to describe the other manifestations can be similarly developed, thus were briefly mentioned.

  25. Questions ???

More Related