Delegation of AuthorityJISCdemo.ppt


  • 7/28/2019 Delegation of AuthorityJISCdemo.ppt

    1/23

    21 June 2006 Copyright 2006 University of Kent 1

    Delegation of Authority

    (DyVOSE project)

    David Chadwick

    University of Kent

  • What is Delegation of Authority?

    • Allowing someone to act on your behalf to perform tasks (consume resources) that are available to you
    • Delegator should be empowered to delegate to anyone he needs to, subject to certain organisation controls (i.e. the organisation's Delegation Policy)

  • How do you delegate to others today?

    • To enter your house and fetch something
      • If your house is locked?
    • To use your PC
      • If it is protected by a username and password?
    • To withdraw money from your bank account
      • Using an ATM?

  • What is the problem with these existing delegation mechanisms?

    • The other person usually masquerades as you, or impersonates you
    • There is no control on what they can do
      • Anything you can do, they can do

  • What is a better solution?

    • The delegate should act in his own name, not in yours
      • Then a full audit trail can be kept of who did what
    • The delegate should have limited authority
      • So that you can delegate a fraction of your powers

  • Assigning and Delegating Privileges in Organisations

    [Diagram: Resource Owner, "Assigns privilege to", Privilege Holder, "Delegates privilege to", End User (Privilege Holder)]

    • Resource Owner: "I authorise this Privilege Holder to use this resource in the following ways", signed The Resource Owner
    • Privilege Holder: "I delegate authority to this End User to use this resource in this limited way", signed The Privilege Holder
    • "Can I use the Resource"

  • Privilege Checking in Organisations

    [Diagram: End User (Privilege Holder), "Issues a command (Asserts Privilege)", Privilege Verifier]

    • End User: "Please purchase this product from company X", signed the End User
    • Privilege Verifier: "Q. Is this user authorised to purchase these goods?"

  • Access Control

    • Usually based on access control lists
      • This list of users can do these things
    • Examples
      • Ed and Jake can read the exam results file on the Kent University website
      • Jo and Zoe get 10% discount when electronically shopping at Tescos
    • PROBLEMS
      • You need to know the names of all the users
      • Very difficult to scale to Internet proportions where there are millions of users

  • Role Based Access Control

    • Users are given roles (or attributes)
    • Holders of attributes are given access permissions
    • Examples
      • Ed and Jake are Students at Kent University
      • Students at Kent University can read the exam results file on the website
      • Jo and Zoe are Tesco Clubcard holders
      • Tesco Clubcard holders get 10% discount when shopping electronically at Tescos

  • Delegation of Authority with Role Based Access Controls

    • Users who have attributes (or roles) can delegate these to other users
    • Users can also delegate subordinate roles
      • E.g. professor is superior to academic staff is superior to PG student is superior to UG student
      • A professor can delegate the academic staff role, or the PG student role or the UG student role so as to delegate partial privileges

  • Assigning Privileges Electronically - using X.509 Attribute Certificates

    [Diagram: Bill (SOA) "Issues AC to" Alice (AA), who "Issues AC to" Bob (End Entity). The AC points to issuer and points to holder.]

    • SOA = Source of Authority
    • AA = Attribute Authority
    • An Attribute Certificate is a digitally signed electronic document that says that this holder has been given these attributes by this issuer

  • Main points of this system

    • Every delegated attribute (or role) is digitally signed so that it cannot be tampered with or altered
    • Each attribute certificate says who the delegator and delegatee are (issuer and holder)
    • Very secure way of delegating authority
    • BUT each user needs a digital signing key and digital certificate
      • How many of you have digital certificates and signing keys?

  • The Delegation Issuing Service

    [Diagram: Bill (SOA), Alice (AA), Bob (End Entity) and the Delegation Issuing Service (DIS), joined by arrows labelled "Issues AC to", including one from the DIS. The AC points to issuer, points to holder, and points to Issued On Behalf Of.]

  • Advantages of the Delegation Issuing Service

    • Users don't need to have signing keys since the DIS signs the Attribute Certificates on their behalf
    • The DIS keeps a central record (audit trail) of who has delegated what to whom
    • The DIS has a Delegation Policy to control who can delegate what to whom
    • The process of privilege checking is very efficient since all ACs are issued by the DIS (and not by lots of different users)

  • Our DIS System

    [Diagram components: LDAP server, DIS, Web service interface, PERMIS Decision Engine, Delegation Policy. Arrow labels: Authenticate the User, Issue AC, publish AC, Sign AC, Request Authorisation.]

  • The Delegation of Authority Demo

    • Public web page
    • Secure web page only available to users with Researcher role
    • Role Hierarchy
    • Anyone with Admin or Researcher role can delegate Researcher role to anyone else in Staff domain

  • Delegation Demo (cont)

    • Simon is already a researcher
    • Simon would like to delegate to Sarah to access his resource
    • Simon accesses the Delegation Issuing Service and assigns the Researcher role to Sarah
    • Sarah can now access the resource
    • Simon then revokes the researcher role
    • Sarah no longer has access
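
The DIS behaviour described on the slides above (policy-checked delegation on the user's behalf, a central audit trail, revocation), modelled as an added example that is not part of the original slides or of the project's code. The class and function names, the membership of `domain`, and the unsigned `AC` record are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Role-hierarchy rule: a role may be delegated by holders of it or of any superior role.
def rules_from_hierarchy(senior_first):
    return {r: set(senior_first[:i + 1]) for i, r in enumerate(senior_first)}

@dataclass(frozen=True)
class AC:  # simplified attribute certificate; no real signature is computed
    issuer: str                # the DIS, which signs on the user's behalf
    holder: str                # the delegatee
    issued_on_behalf_of: str   # the delegator
    role: str

@dataclass
class DIS:
    may_delegate: dict         # Delegation Policy: role -> roles allowed to delegate it
    domain: set                # users the policy accepts as delegatees (assumed)
    assigned: dict             # roles assigned directly: user -> set of roles
    acs: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # who delegated what to whom

    def roles_of(self, user):
        return set(self.assigned.get(user, ())) | {a.role for a in self.acs if a.holder == user}

    def delegate(self, delegator, delegatee, role):
        allowed = (delegatee in self.domain and delegatee != delegator
                   and bool(self.roles_of(delegator) & self.may_delegate.get(role, set())))
        self.audit.append(("delegate", delegator, delegatee, role, allowed))
        if not allowed:
            return None
        ac = AC("DIS", delegatee, delegator, role)
        self.acs.append(ac)
        return ac

    def revoke(self, delegator, delegatee, role):
        target = AC("DIS", delegatee, delegator, role)
        revoked = target in self.acs
        self.acs = [a for a in self.acs if a != target]
        self.audit.append(("revoke", delegator, delegatee, role, revoked))
        return revoked

def demo():  # constructed data; who is in the "Staff domain" is assumed
    dis = DIS({"Researcher": {"Admin", "Researcher"}}, {"Simon", "Sarah"}, {"Simon": {"Researcher"}})
    before = dis.roles_of("Sarah")
    ac = dis.delegate("Simon", "Sarah", "Researcher")
    during = dis.roles_of("Sarah")
    dis.revoke("Simon", "Sarah", "Researcher")
    return before, during, dis.roles_of("Sarah"), ac, dis.audit

if __name__ == "__main__":
    print(demo())
```

Revocation in this model removes only the named AC; ACs that the delegatee went on to issue to others are not cascaded. Denied requests are written to the audit list as well as granted ones.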
