Walt Yao
University of Cambridge
Publication
Featured research published by Walt Yao.
ACM Transactions on Information and System Security | 2002
Jean Bacon; Ken Moody; Walt Yao
OASIS is a role-based access control architecture for achieving secure interoperation of services in an open, distributed environment. The aim of OASIS is to allow autonomous management domains to specify their own access control policies and to interoperate subject to service level agreements (SLAs). Services define roles and implement formally specified policy to control role activation and service use; users must present the required credentials, in an appropriate context, in order to activate a role or invoke a service. All privileges are derived from roles, which are activated for the duration of a session only. In addition, a role is deactivated immediately if any of the conditions of the membership rule associated with its activation becomes false. These conditions can test the context, thus ensuring active monitoring of security. To support the management of privileges, OASIS introduces appointment. Users in certain roles are authorized to issue other users with appointment certificates, which may be a prerequisite for activating one or more roles. The conditions for activating a role at a service may include appointment certificates as well as prerequisite roles and constraints on the context. An appointment certificate does not therefore convey privileges directly but can be used as a credential for role activation. The lifetime of appointment certificates is not restricted to the issuing session, so they can be used as long-lived credentials to represent academic and professional qualification, or membership of an organization. Role-based access control (RBAC), in associating privileges with roles, provides a means of expressing access control that is scalable to large numbers of principals. However, pure RBAC associates privileges only with roles, whereas applications often require more fine-grained access control. Parametrized roles extend the functionality to meet this need. We motivate our approach and formalise OASIS. We first present the overall architecture through a basic model, followed by an extended model that includes parametrization.
Lecture Notes in Computer Science | 2001
Jean Bacon; Ken Moody; Walt Yao
OASIS is a role-based access control architecture for achieving secure interoperation of independently managed services in an open, distributed environment. OASIS differs from other RBAC schemes in a number of ways: role management is decentralised, roles are parametrised, and privileges are not delegated. OASIS depends on an active middleware platform to notify services of any relevant changes in their environment. Services define roles and establish formally specified policy for role activation and service use; users must present the required credentials and satisfy specified constraints in order to activate a role or invoke a service. The membership rule of a role indicates which of the role activation conditions must remain true while the role is active. A role is deactivated immediately if any of the conditions of the membership rule associated with its activation become false. Instead of privilege delegation OASIS introduces the notion of appointment, whereby being active in certain roles carries the privilege of issuing appointment certificates to other users. Appointment certificates capture the notion of long lived credentials such as academic and professional qualification or membership of an organisation. The role activation conditions of a service may include appointment certificates, prerequisite roles and environmental constraints. We define the model and architecture and discuss engineering details, including security issues. We illustrate how an OASIS session can span multiple domains, and discuss how it can be used in a global environment where roving principals, in possession of appointment certificates, encounter and wish to use services. We propose a minimal infrastructure to enable widely distributed, independently developed services to enter into agreements to respect each other's credentials. We speculate on a further extension to mutually unknown, and therefore untrusted, parties. Each party will accumulate audit certificates which embody its interaction history and which may form the basis of a web of trust.
International Workshop on Persistent Object Systems | 2000
Jean Bacon; Alexis Hombrecher; Chaoying Ma; Ken Moody; Walt Yao
The Cambridge Event Architecture has added events to an object-oriented, distributed programming environment by using a language independent interface definition language to specify and publish event classes. Here we present an extension to CEA using the ODMG standard, which unifies the transmission and storage of events. We extend the existing model with an ODL parser, an event stub generator, a metadata repository and an event library supporting both C++ and Java. The ODMG metadata interface allows clients to interrogate the system at run time to determine the interface specifications for subsequent event registration. This allows new objects to be added to a running system and independently developed components to interwork with minimum prior agreement. Traditional name services and interface traders can be defined more generally using object database schemas. Type hierarchies may be used in schemas. Matching at a higher level in the type hierarchy for different domains is possible even though different specialisations are used in individual domains. Using metadata to describe events provides the basis for establishing contracts between domains. These are used to construct the event translation layer between heterogeneous domains.
International Conference on Trust Management | 2003
Walt Yao
We describe Fidelis, a policy-driven trust management framework, designed for highly decentralized distributed applications, with many interoperating, collaborative but potentially distrusting principals. To address the trust management needs for such applications, Fidelis is designed to support the principle of separation of policies and credentials, and the notion of full domain autonomy. Based on these, credentials are considered simply as static data structures, much like membership cards in real life. Policies, which are autonomously specified, administered and managed, interpret and provide the semantics for these credentials. In this paper, we describe the Fidelis policy framework which serves as the abstract, conceptual foundation. We also describe a specific implementation of the policy framework, in the form of the Fidelis policy language. Both the syntax and the semantics of the language are described. A discussion is given to show that the Fidelis approach is attractive for many applications.
Software - Practice and Experience | 2003
Jean Bacon; Ken Moody; Walt Yao
OASIS is a role‐based access control (RBAC) architecture for achieving secure interoperation of independently managed services in an open, distributed environment. OASIS differs from other RBAC schemes in a number of ways: role management is decentralized, roles are parametrized, roles are activated within sessions and privileges are not delegated. OASIS depends on an active middleware platform to notify services of any relevant changes in their environment.
Lecture Notes in Computer Science | 2000
John A. Hine; Walt Yao; Jean Bacon; Ken Moody
Role based access control promises a more flexible form of access control for distributed systems. Rather than basing access solely on the identity of a principal the decision also takes into account the roles that the principal currently holds. We present a distributed architecture that supports the OASIS role based access control model. The OASIS model is based on certificates held by the client and validated by credential records held by servers. We wish to replicate and distribute the credential records to support high availability and reduce latency for certificate validation. Protocols are presented for maintaining replicated credential databases and coping with both server and network failures.
Middleware(ODP) | 2000
John H. Hine; Walt Yao; Jean Bacon; Ken Moody
Archive | 2004
Walt Yao
Symposium on Access Control Models and Technologies | 2001
Walt Yao; Jean Bacon; Ken Moody