Horst F. Wedde and Mario Lischka
Modular Authorization
Proceedings of the Sixth ACM Symposium on Access Control Models and Technologies (SACMAT), eds. Ravi Sandhu and Trent Jaeger, pp. 97-105, ACM Press, Chantilly, Virginia, 2001-05-03
There are three major drawbacks of centralized security administration in distributed systems: it creates a bottleneck for request handling, it tends to enforce homogeneous security structures on heterogeneous user groups and organizations, and it is a weak point with respect to security attacks, reliability, and fault tolerance. In this paper we introduce a distributed authorization concept based on a modular authorization language that supports cooperating distributed authorization teams. These teams are partially ordered into a hierarchy: they inherit authorization rules from higher-order teams but still exercise their autonomy by (dynamically) setting local rules that serve the special local needs of distributed organizations. Conflicts between rules inherited from different higher-ranking sources, or violations of higher-order rules by local rules, are detected either on the logical level, as contradictions, or through request evaluation, as contradicting results. Conflict resolution mechanisms are presented, and examples are discussed extensively.
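The abstract describes a hierarchy of authorization teams that inherit rules from higher-order teams, add local rules, and detect two kinds of conflict: contradictions between rules inherited from different higher-ranking sources, and local rules that violate inherited ones. The following toy model is an added illustration written for this page; it is not the authorization language from the paper, and the team names, rule shape (subject, object, action, effect) and the deny-overrides resolution policy are assumptions chosen to make the two conflict classes and the two detection points (logical level vs. request evaluation) concrete.

```python
"""Toy model of hierarchical, modular authorization with conflict detection.
Illustrative reconstruction for this page; not the paper's own language."""
from dataclasses import dataclass, field
from itertools import combinations
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    subject: str
    obj: str
    action: str
    effect: str   # "permit" or "deny"
    source: str   # name of the team that declared the rule


@dataclass
class Team:
    name: str
    parents: List["Team"] = field(default_factory=list)
    local_rules: List[Rule] = field(default_factory=list)

    def add_rule(self, subject: str, obj: str, action: str, effect: str) -> None:
        assert effect in ("permit", "deny")
        self.local_rules.append(Rule(subject, obj, action, effect, self.name))

    def effective_rules(self) -> List[Rule]:
        # Inherit from every higher-order team (deduplicated, because two parents
        # may share an ancestor), then append this team's own local rules.
        inherited: Dict[Rule, None] = {}
        for parent in self.parents:
            for rule in parent.effective_rules():
                inherited[rule] = None
        return list(inherited) + self.local_rules


def conflicts(team: Team) -> List[Tuple[str, Rule, Rule]]:
    """Logical-level check: two effective rules on the same (subject, object, action)
    with different effects. A pair involving one of the team's own local rules is a
    'local-violation'; a pair of purely inherited rules is an 'inherited-conflict'."""
    groups: Dict[Tuple[str, str, str], List[Rule]] = {}
    for r in team.effective_rules():
        groups.setdefault((r.subject, r.obj, r.action), []).append(r)
    found: List[Tuple[str, Rule, Rule]] = []
    for rules in groups.values():
        for a, b in combinations(rules, 2):
            if a.effect == b.effect:
                continue
            kind = "local-violation" if team.name in (a.source, b.source) else "inherited-conflict"
            found.append((kind, a, b))
    return found


def evaluate(team: Team, subject: str, obj: str, action: str) -> str:
    """Request-time check: returns 'permit', 'deny', or 'conflict' when the
    effective rules give contradicting results. No matching rule means deny."""
    effects = {r.effect for r in team.effective_rules()
               if (r.subject, r.obj, r.action) == (subject, obj, action)}
    if not effects:
        return "deny"
    if len(effects) == 2:
        return "conflict"
    return effects.pop()


def resolve(team: Team, subject: str, obj: str, action: str) -> str:
    """One possible resolution policy (assumed here): deny overrides on conflict."""
    decision = evaluate(team, subject, obj, action)
    return "deny" if decision == "conflict" else decision


def build_example() -> Dict[str, Team]:
    """Constructed sample hierarchy: corp -> div_a, div_b -> project."""
    corp = Team("corp")
    corp.add_rule("alice", "report", "read", "permit")
    corp.add_rule("bob", "payroll", "write", "deny")
    div_a = Team("div_a", parents=[corp])
    div_a.add_rule("alice", "report", "read", "deny")      # violates corp's permit
    div_b = Team("div_b", parents=[corp])
    div_b.add_rule("bob", "payroll", "write", "permit")    # violates corp's deny
    project = Team("project", parents=[div_a, div_b])
    project.add_rule("bob", "payroll", "write", "permit")  # violates inherited corp deny
    return {"corp": corp, "div_a": div_a, "div_b": div_b, "project": project}


if __name__ == "__main__":
    teams = build_example()
    for name, team in teams.items():
        for kind, a, b in conflicts(team):
            print(f"{name}: {kind}: {a.source}:{a.effect} vs {b.source}:{b.effect} on {a.subject}/{a.obj}/{a.action}")
    print("project bob write payroll ->", evaluate(teams["project"], "bob", "payroll", "write"),
          "/ resolved:", resolve(teams["project"], "bob", "payroll", "write"))
```

Running the sample shows the distinction the abstract draws: `div_a` and `div_b` each see one local violation against the rule inherited from `corp`, while `project`, which inherits from both divisions, sees two inherited conflicts (the divisions disagree with `corp`) plus one local violation of its own; evaluating bob's write request at `project` yields a contradicting result, which the assumed deny-overrides policy resolves to `deny`.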