Publication


Featured research published by Erik Rissanen.


international workshop on security | 2004

Towards a mechanism for discretionary overriding of access control

Erik Rissanen; Babak Sadighi Firozabadi; Marek J. Sergot

Because it is difficult to predict access needs in advance, and because of the limitations of formal policy languages, it is difficult to completely define an access control policy ahead of the actual use. We suggest the use of a policy language which allows for override of denied access in some cases for increased flexibility. The overrides should be audited and we suggest that the access control policy can be used for finding the people who should perform the audit.


ieee international workshop on policies for distributed systems and networks | 2007

Overriding of Access Control in XACML

Ja'far Alqatawna; Erik Rissanen; Babak Sadighi

Most access control mechanisms focus on how to define the rights of users in a precise way to prevent any violation of the access control policy of an organization. However, in many cases it is hard to predefine all access needs, or even to express them in machine readable form. One example of such a situation is an emergency case which may not be predictable and would be hard to express as a machine readable condition. Discretionary overriding of access control is one way for handling such hard to define and unanticipated situations where availability is critical. The override mechanism gives the subject of the access control policy the possibility to override a denied decision, and if the subject should confirm the override, the access will be logged for special auditing. XACML, the extensible access control markup language, provides a standardized access control policy language for expressing access control policies. This paper introduces a discretionary overriding mechanism in XACML. We do so by means of XACML obligations and also define a general obligation combining mechanism.


IFIP World Computer Congress, TC 1 | 2005

Discretionary Overriding of Access Control in the Privilege Calculus

Erik Rissanen; Babak Sadighi; Marek J. Sergot

We extend a particular access control framework, the Privilege Calculus, with a possibility to override denied access for increased flexibility in hard to define or unanticipated situations. We require the overrides to be audited and approved by appropriate managers. In order to automatically find the authorities who are able to approve an override, we present an algorithm for authority resolution. We are able to calculate from the access control policy who can approve an override without the need for any additional information.


international workshop on security | 2004

Towards a mechanism for discretionary overriding of access control (transcript of discussion)

Erik Rissanen

Last year, the Swedish Prime Minister was stabbed to death in a shopping mall in Stockholm, and of course the police thoroughly investigated it. They had some privacy problems during the investigation: many policemen just looked at the case, because there was no access control on the police system. They didn’t have a whole system on-line, because they cannot really predict the needs of individual policemen, and they cannot really audit the whole thing either because there were so many accesses. In the case of the prime minister we suspect that something was going on because he was a famous person, and they know from experience that this tends to happen with famous people, but in the case of a policeman accessing his neighbour’s data, or something like that, then there is little reason to notice that something is going on.


IEE Proceedings - Software | 2003

Server based application level authorisation for Rotor

Erik Rissanen

Delegent is an authorisation server developed to provide a single centralised policy repository for multiple applications with support for decentralised administration by means of delegation. The author investigates how to integrate Delegent with the Rotor implementation of the .NET framework and compares the features of Delegent with those of the existing application level authorisation models of .NET. He concludes that Delegent offers help for application developers and a decentralised administration model, which are not available in standard .NET, and that the .NET model is well suited to be extended to use an authorisation server.


Journal of Network and Systems Management | 2008

Decentralized Access Control Management for Network Configuration

Ludwig Seitz; Göran Selander; Erik Rissanen; Cao Ling; Babak Sadighi

Configuration management is of great importance for network operators and service providers today. Sharing of resources between business parties with conflicting interests is a reality and raises many issues with respect to configuration management. One issue is access control to configuration data. A network operator or service provider needs appropriate tools, not only to control its networked resources, but also to specify how this control should be exercised. We propose an access control model for the IETF NETCONF network configuration protocol, based on the OASIS XACML access control standard, which allows a flexible and fine-grained control for NETCONF commands. Our approach does not require any additions to the NETCONF protocol and is independent of the configuration’s data-model. Furthermore our approach can easily be extended to cover new NETCONF functionality.


formal aspects in security and trust | 2006

A classification of delegation schemes for attribute authority

Ludwig Seitz; Erik Rissanen; Babak Sadighi

Recently assertions have been explored as a generalisation of certificates within access control. Assertions are used to link arbitrary attributes (e.g. roles, security clearances) to arbitrary entities (e.g. users, resources). These attributes can then be used as identifiers in access control policies to refer to groups of users or resources. In many applications attribute management does not happen within the access control system. External entities manage attribute assignments and issue assertions that are then used in the access control system. Some approaches also allow for the delegation of attribute authority, in order to spread the administrative workload. In such systems the consumers of attribute assertions issued by a delegated authority need a delegation verification scheme. In this article we propose a classification for schemes that allow delegated authority to be verified, with a focus on attribute assertion. Using our classification, one can deduce some advantages and drawbacks of different approaches to delegated attribute assertion.


international workshop on security | 2004

Towards a mechanism for discretionary overriding of access control: position paper

Erik Rissanen; Babak Sadighi; Marek J. Sergot


Mässan för civil and militär beredskap (CIMI), 20-22 May 2003, Enköping, Sweden | 2003

Managing authorisations in dynamic coalitions

Babak Sadighi; Olle Olsson; Erik Rissanen


Archive | 2008

NETCONF access control profile for XACML

Ludwig Seitz; Erik Rissanen

Collaboration


Top Co-Authors

Babak Sadighi

Swedish Institute of Computer Science

Ludwig Seitz

Institut national des sciences Appliquées de Lyon

Babak Sadighi Firozabadi

Swedish Institute of Computer Science

Ja'far Alqatawna

Swedish Institute of Computer Science

George Danezis

University College London

Matt Blaze

University of Pennsylvania