Authorisation - Explore the Science & Experts | ideXlab

Scan Science and Technology

Contact Leading Edge Experts & Companies

Authorisation

The Experts below are selected from a list of 75879 Experts worldwide ranked by ideXlab platform

David W Chadwick – 1st expert on this subject based on the ideXlab platform

  • Digital Identity Management – An advanced policy based Authorisation infrastructure
    Proceedings of the 5th ACM workshop on Digital identity management – DIM '09, 2009
    Co-Authors: David W Chadwick, Kaniz Fatema

    Abstract:

    We describe a more advanced Authorisation infrastructure for identity management systems which in addition to the traditional Policy Enforcement Point (PEP) and Policy Decision Point (PDP) has an application independent policy enforcement point (AIPEP), a credential validation service (CVS) and a master PDP. The AIPEP is responsible for handling sticky policies, calling the master PDP, performing application independent obligations, and validating credentials using the CVS. The master PDP is responsible for calling multiple traditional PDPs that support a variety of policy languages, and resolving conflicts between the various Authorisation decisions. Whilst this Authorisation infrastructure may seem more complex to implement, it is in fact easier for applications to integrate since nearly all of the complexity is hidden beneath the PEP interface.

  • an advanced policy based Authorisation infrastructure
    Digital Identity Management, 2009
    Co-Authors: David W Chadwick, Kaniz Fatema

    Abstract:

    We describe a more advanced Authorisation infrastructure for identity management systems which in addition to the traditional Policy Enforcement Point (PEP) and Policy Decision Point (PDP) has an application independent policy enforcement point (AIPEP), a credential validation service (CVS) and a master PDP. The AIPEP is responsible for handling sticky policies, calling the master PDP, performing application independent obligations, and validating credentials using the CVS. The master PDP is responsible for calling multiple traditional PDPs that support a variety of policy languages, and resolving conflicts between the various Authorisation decisions. Whilst this Authorisation infrastructure may seem more complex to implement, it is in fact easier for applications to integrate since nearly all of the complexity is hidden beneath the PEP interface.

  • Adding Authorisation to EduRoam
    , 2008
    Co-Authors: Gareth Owen, G. Beitis, David W Chadwick

    Abstract:

    EduRoam allows universities to cooperate to authenticate users as they roam between the federated institutions. However, authentication is not always sufficient since the host institution does not know how to differentiate between different groups of roaming users in order to give them access to different network resources. We have designed and built a fine grained Authorisation infrastructure which allows different groups of users to be given access to different network resources. The infrastructure uses JRadius to intercept radius server events and gain the appropriate Authorisation using the PERMIS Authorisation infrastructure. The Network Access Server (NAS) then grants access to the appropriate VLAN given the user’s access permissions.

Kaniz Fatema – 2nd expert on this subject based on the ideXlab platform

  • Adding privacy protection to policy based Authorisation systems
    , 2013
    Co-Authors: Kaniz Fatema

    Abstract:

    An Authorisation system determines who is authorised to do what i.e. it assigns privileges to users and provides a decision on whether someone is allowed to perform a requested action on a resource. A traditional Authorisation decision system, which is simply called Authorisation system or system in the rest of the thesis, provides the decision based on a policy which is usually written by the system administrator. Such a traditional Authorisation system is not sufficient to protect privacy of personal data, since users (the data subjects) are usually given a take it or leave it choice to accept the controlling organisation’s policy. Privacy is the ability of the owners or subjects of personal data to control the flow of data about themselves, according to their own preferences. This thesis describes the design of an Authorisation system that will provide privacy for personal data by including sticky Authorisation policies from the issuers and data subjects, to supplement the Authorisation policy of the controlling organisation. As personal data moves from controlling system to controlling system, the sticky policies travel with the data.

    A number of data protection laws and regulations have been formulated to protect the privacy of individuals. The rights and prohibitions provided by the law need to be enforced by the
    Authorisation system. Hence, the designed Authorisation system also includes the Authorisation rules from the legislation. This thesis describes the conversion of rules from the EU Data Protection
    Directive into machine executable rules. Due to the nature of the legislative rules, not all of them could be converted into deterministic machine executable rules, as in several cases human intervention or human judgement is required. This is catered for by allowing the machine rules to be configurable.

    Since the system includes independent policies from various authorities (law, issuer, data subject and controller) conflicts may arise among the decisions provided by them. Consequently, this thesis describes a dynamic, automated conflict resolution mechanism. Different conflict resolution algorithms are chosen based on the request contexts.

    As the EU Data Protection Directive allows processing of personal data based on contracts, we designed and implemented a component, Contract Validation Service (ConVS) that can validate an XML based digital contract to allow processing of personal data based on a contract.

    The Authorisation system has been implemented as a web service and the performance of the system is measured, by first deploying it in a single computer and then in a cloud server. Finally the validity of the design and implementation are tested against a number of use cases based on scenarios involving accessing medical data in a health service provider’s system and accessing personal data such as CVs and degree certificates in an employment service provider’s system. The machine computed Authorisation decisions are compared to the theoretical decisions to ensure that the system returns the correct decisions.

  • an advanced policy based Authorisation infrastructure
    Digital Identity Management, 2009
    Co-Authors: David W Chadwick, Kaniz Fatema

    Abstract:

    We describe a more advanced Authorisation infrastructure for identity management systems which in addition to the traditional Policy Enforcement Point (PEP) and Policy Decision Point (PDP) has an application independent policy enforcement point (AIPEP), a credential validation service (CVS) and a master PDP. The AIPEP is responsible for handling sticky policies, calling the master PDP, performing application independent obligations, and validating credentials using the CVS. The master PDP is responsible for calling multiple traditional PDPs that support a variety of policy languages, and resolving conflicts between the various Authorisation decisions. Whilst this Authorisation infrastructure may seem more complex to implement, it is in fact easier for applications to integrate since nearly all of the complexity is hidden beneath the PEP interface.

  • Digital Identity Management – An advanced policy based Authorisation infrastructure
    Proceedings of the 5th ACM workshop on Digital identity management – DIM '09, 2009
    Co-Authors: David W Chadwick, Kaniz Fatema

    Abstract:

    We describe a more advanced Authorisation infrastructure for identity management systems which in addition to the traditional Policy Enforcement Point (PEP) and Policy Decision Point (PDP) has an application independent policy enforcement point (AIPEP), a credential validation service (CVS) and a master PDP. The AIPEP is responsible for handling sticky policies, calling the master PDP, performing application independent obligations, and validating credentials using the CVS. The master PDP is responsible for calling multiple traditional PDPs that support a variety of policy languages, and resolving conflicts between the various Authorisation decisions. Whilst this Authorisation infrastructure may seem more complex to implement, it is in fact easier for applications to integrate since nearly all of the complexity is hidden beneath the PEP interface.

Moritz Y Becker – 3rd expert on this subject based on the ideXlab platform

  • specification and analysis of dynamic Authorisation policies
    IEEE Computer Security Foundations Symposium, 2009
    Co-Authors: Moritz Y Becker

    Abstract:

    This paper presents a language, based on transaction logic, for specifying dynamic Authorisation policies, i.e., rules governing actions that may depend on and update the Authorisation state. The language is more expressive than previous dynamic Authorisation languages, featuring conditional bulk insertions and retractions of Authorisation facts, non-monotonic negation, and nested action definitions with transactional execution semantics. Two complementary policy analysis methods are also presented, one based on AI planning for verifying reachability properties in finite domains, and the second based on automated theorem proving, for checking policy invariants that hold for all sequences of actions and in arbitrary, including infinite, domains. The combination of both methods can analyse a wide range of security properties, including safety, availability and containment.

  • CSF – Specification and Analysis of Dynamic Authorisation Policies
    2009 22nd IEEE Computer Security Foundations Symposium, 2009
    Co-Authors: Moritz Y Becker

    Abstract:

    This paper presents a language, based on transaction logic, for specifying dynamic Authorisation policies, i.e., rules governing actions that may depend on and update the Authorisation state. The language is more expressive than previous dynamic Authorisation languages, featuring conditional bulk insertions and retractions of Authorisation facts, non-monotonic negation, and nested action definitions with transactional execution semantics. Two complementary policy analysis methods are also presented, one based on AI planning for verifying reachability properties in finite domains, and the second based on automated theorem proving, for checking policy invariants that hold for all sequences of actions and in arbitrary, including infinite, domains. The combination of both methods can analyse a wide range of security properties, including safety, availability and containment.