Publication


Featured research published by Ken Moody.


ACM Transactions on Information and System Security | 2002

A model of OASIS role-based access control and its support for active security

Jean Bacon; Ken Moody; Walt Yao

OASIS is a role-based access control architecture for achieving secure interoperation of services in an open, distributed environment. The aim of OASIS is to allow autonomous management domains to specify their own access control policies and to interoperate subject to service level agreements (SLAs). Services define roles and implement formally specified policy to control role activation and service use; users must present the required credentials, in an appropriate context, in order to activate a role or invoke a service. All privileges are derived from roles, which are activated for the duration of a session only. In addition, a role is deactivated immediately if any of the conditions of the membership rule associated with its activation becomes false. These conditions can test the context, thus ensuring active monitoring of security. To support the management of privileges, OASIS introduces appointment. Users in certain roles are authorized to issue other users with appointment certificates, which may be a prerequisite for activating one or more roles. The conditions for activating a role at a service may include appointment certificates as well as prerequisite roles and constraints on the context. An appointment certificate does not therefore convey privileges directly but can be used as a credential for role activation. The lifetime of appointment certificates is not restricted to the issuing session, so they can be used as long-lived credentials to represent academic and professional qualification, or membership of an organization. Role-based access control (RBAC), in associating privileges with roles, provides a means of expressing access control that is scalable to large numbers of principals. However, pure RBAC associates privileges only with roles, whereas applications often require more fine-grained access control. Parametrized roles extend the functionality to meet this need. We motivate our approach and formalise OASIS. We first present the overall architecture through a basic model, followed by an extended model that includes parametrization.


IEEE Computer | 2000

Generic support for distributed applications

Jean Bacon; Ken Moody; John Bates; Chaoying Ma; A. McNeil; O. Seidel; Mark D. Spiteri

In the late 1980s, software designers introduced middleware platforms to support distributed computing systems. Since then, the rapid evolution of technology has caused an explosion of distributed-processing requirements. Application developers now routinely expect to support multimedia systems and mobile users and computers. Timely response to asynchronous events is crucial to such applications, but current platforms do not adequately meet this need. Another need of existing and emerging applications is the secure interoperability of independent services in large-scale, widely distributed systems. Information systems serving organizations such as universities, hospitals, and government agencies require cross-domain interaction. To meet the needs of these applications, Cambridge University researchers developed middleware extensions that provide a flexible, scalable approach to distributed-application development. This article details the extensions they developed, explaining their distributed software approach and the support it has provided for emerging applications.


Symposium on Access Control Models and Technologies | 2004

Using trust and risk in role-based access control policies

Nathan Dimmock; András Belokosztolszki; David M. Eyers; Jean Bacon; Ken Moody

Emerging trust and risk management systems provide a framework for principals to determine whether they will exchange resources, without requiring a complete definition of their credentials and intentions. Most distributed access control architectures have far more rigid policy rules, yet in many respects aim to solve a similar problem. This paper elucidates the similarities between trust management and distributed access control systems by demonstrating how the OASIS access control system and its rôle-based policy language can be extended to make decisions on the basis of trust and risk analyses rather than on the basis of credentials alone. We apply our new model to the prototypical example of a file storage and publication service for the Grid, and test it using our Prolog-based OASIS implementation.


IEEE Symposium on Security and Privacy | 1998

Access control in an open distributed environment

Richard Hayton; Jean Bacon; Ken Moody

We describe an architecture for secure, independent, interworking services (Oasis). Each service is made responsible for the classification of its clients into named roles, using a formal logic to specify precise conditions for entering each role. A client becomes authenticated by presenting credentials to a service that enable the service to prove that the client conforms to its policy for entry to a particular role. During authentication a data structure is created that embodies the proof. An authenticated client is issued a role membership certificate (RMC) for its subsequent use with that service. An RMC is an encryption-protected capability which includes the role name, the identity of the principal to which it was issued and a reference to the issuing service. A proof rule of one service may refer to an authenticated user of another; that is, an RMC issued by one service may be required as a credential during authentication by another. A dynamic proof tree may thus be built which exhibits amongst other things the trust relationships between the services which the client has entered. The paper shows how a service may define a set of proof rules (Horn clauses) that specify who may use it and in what way. Delegation of rights may be expressed naturally within these rules. It goes on to present the design details of the system. The system is inherently decentralised and has a tuneable reaction to network or server failure which allows services to make appropriate decisions when authorization or revocation information is unavailable. A prototype system has been implemented and tested.


Distributed Event-Based Systems | 2003

Role-based access control for publish/subscribe middleware architectures

András Belokosztolszki; David M. Eyers; Peter R. Pietzuch; Jean Bacon; Ken Moody

Research into publish/subscribe messaging has so far done little to propose architectures for the support of access control, yet this will be an increasingly critical requirement as systems move to Internet-scale. This paper discusses the general requirements of publish/subscribe systems with access control. We then present our specific integration of OASIS role-based access control into the Hermes publish/subscribe middleware platform. Our system supports many advanced features, such as the ability to work within a network where nodes are attributed different levels of trust, and employs a variety of access restriction methods which balance expressiveness with the content-based routing optimisations available. We illustrate our achievements by discussing an application scenario in which our system will be of particular use.


Lecture Notes in Computer Science | 2001

Access Control and Trust in the Use of Widely Distributed Services

Jean Bacon; Ken Moody; Walt Yao

OASIS is a role-based access control architecture for achieving secure interoperation of independently managed services in an open, distributed environment. OASIS differs from other RBAC schemes in a number of ways: role management is decentralised, roles are parametrised, and privileges are not delegated. OASIS depends on an active middleware platform to notify services of any relevant changes in their environment. Services define roles and establish formally specified policy for role activation and service use; users must present the required credentials and satisfy specified constraints in order to activate a role or invoke a service. The membership rule of a role indicates which of the role activation conditions must remain true while the role is active. A role is deactivated immediately if any of the conditions of the membership rule associated with its activation become false. Instead of privilege delegation OASIS introduces the notion of appointment, whereby being active in certain roles carries the privilege of issuing appointment certificates to other users. Appointment certificates capture the notion of long-lived credentials such as academic and professional qualification or membership of an organisation. The role activation conditions of a service may include appointment certificates, prerequisite roles and environmental constraints. We define the model and architecture and discuss engineering details, including security issues. We illustrate how an OASIS session can span multiple domains, and discuss how it can be used in a global environment where roving principals, in possession of appointment certificates, encounter and wish to use services. We propose a minimal infrastructure to enable widely distributed, independently developed services to enter into agreements to respect each other's credentials. We speculate on a further extension to mutually unknown, and therefore untrusted, parties. Each party will accumulate audit certificates which embody its interaction history and which may form the basis of a web of trust.


Policies for Distributed Systems and Networks | 2002

Meta-policies for distributed role-based access control systems

András Belokosztolszki; Ken Moody

In this paper meta-policies for access control policies are presented. There has been a lot of research into the various ways of specifying policy for a single domain. Such domains are autonomous and can be managed by the users or by a specific system administrator. It is often helpful to have a more general policy description in order to restrict the ways in which policy can be modified. Meta-policies fill this particular role. With their help changes to policy can be made subject to predefined constraints. Meta-policies are long lived and so can provide users with stable information about the policy of the system. In addition they can provide bodies external to a domain with relevant but restricted information about its policies, so forming a basis for co-operation between domains. For example, a domain's meta-policy can function as a policy interface, thus establishing a basis for agreement on the structure of the objects accessed. In this way it is possible to build service level agreements between domains automatically.


Communications of The ACM | 2002

Toward open, secure, widely distributed services

Jean Bacon; Ken Moody

The OASIS open architecture controls the interoperation of independent services in distributed environments, including the constant monitoring of security conditions, as illustrated by a U.K. application in health-record management.


International Conference on Trust Management | 2005

Risk models for trust-based access control (TBAC)

Nathan Dimmock; Jean Bacon; David Ingram; Ken Moody

The importance of risk in trust-based systems is well established. This paper presents a novel model of risk and decision-making based on economic theory. Use of the model is illustrated by way of a collaborative spam detection application.


Policies for Distributed Systems and Networks | 2008

Policy-Based Information Sharing in Publish/Subscribe Middleware

Jatinder Singh; Luis Vargas; Jean Bacon; Ken Moody

Healthcare is a highly collaborative environment, where the active sharing of information is central to the care process. Due to the sensitive nature of medical information, care providers are responsible for protecting data, controlling the circumstances in which it is released to others. The publish/subscribe (pub/sub) communication paradigm is useful for data dissemination, as it allows parties to specify their interest in receiving particular information. However, general pub/sub implementation frameworks lack mechanisms to control the flow of data. This paper describes the details of a model to define and enforce fine-grained information sharing policies in an active notification environment. The model, built above a pub/sub middleware, allows policy definitions to control information flow by 1) specifying the conditions for data access, and 2) tailoring information to suit particular circumstances.

Collaboration


Top Co-Authors

Jean Bacon

University of Cambridge

John Bates

University of Cambridge

Walt Yao

University of Cambridge

Luis Vargas

University of Cambridge

Chaoying Ma

University of Cambridge

Sai Lai Lo

University of Cambridge
