School of Computing

Implementing Role Based Access Controls using X.509 Privilege Management - the PERMIS Authorisation Infrastructure

DW Chadwick and A Otenko

In Borka Jerman-Blazic, Wolfgang Schneider, and Tomaz Klobucar, editors, Security and Privacy in Advanced Networking Technologies, NATO Science Series, pages 182-196. IOS Press, 2004 Proceedings of the NATO Advanced Networking Workshop on Advanced Security Technologies in Networking, Bled, Slovenia, 15-18 September 2003.

Abstract

This paper describes the PERMIS role based access control infrastructure that uses X.509 attribute certificates (ACs) to store the users' roles. Users' roles can be assigned by multiple widely distributed management authorities (called Attribute Authorities in X.509), thereby easing the burden of management. All the ACs can be stored in one or more LDAP directories, thus making them widely available. The PERMIS distribution includes a Privilege Allocator GUI tool and a bulk loader tool that allow administrators to construct and sign ACs and store them in an LDAP directory ready for use by the PERMIS decision engine. All access control decisions are driven by an authorization policy, which is itself stored in an X.509 AC, thus guaranteeing its integrity and trustworthiness. Authorization policies are written in XML according to a DTD that has been published at XML.org. A user-friendly policy management tool is also being built that will allow non-technical managers to easily specify PERMIS authorisation policies. The access control decision engine is written in Java and has both a Java API and a SAML-SOAP interface, allowing it to be called either locally or remotely. The Java API is simple to use, comprising just 3 methods and a constructor. The SAML-SOAP interface conforms to the OASIS SAMLv1.1 specification, as profiled by a Global Grid Forum draft standard, thus making PERMIS suitable as an authorisation server for Grid applications.

Download publication 117 kbytes (PDF)

Bibtex Record

@incollection{2279,
    author = {DW Chadwick and A Otenko},
    title = {{Implementing Role Based Access Controls using X.509 Privilege Management - the PERMIS Authorisation Infrastructure}},
    month = {unknown},
    year = {2004},
    pages = {182-196},
    keywords = {determinacy analysis, Craig interpolants},
    note = {Proceedings of the NATO Advanced Networking Workshop on Advanced Security Technologies in Networking, Bled, Slovenia, 15-18 September 2003},
    doi = {},
    url = {http://www.cs.kent.ac.uk/pubs/2004/2279},
    publication_type = {incollection},
    submission_id = {18960_1131442330},
    ISBN = {1576034308},
    booktitle = {Security and Privacy in Advanced Networking Technologies},
    publisher = {IOS Press},
    editor = {Borka Jerman-Blazic and Wolfgang Schneider and Tomaz Klobucar},
    series = {NATO Science Series},
}

School of Computing, University of Kent, Canterbury, Kent, CT2 7NF

Enquiries: +44 (0)1227 824180 or contact us.

Last Updated: 21/03/2014