School of Computing

Adding support to XACML for multi-domain user to user dynamic delegation of authority

David W Chadwick, Sassa Otenko, and Tuan Anh Nguyen

International Journal of Information Security, 8(2):182-196, April 2009 [doi].


Abstract. We describe adding support for dynamic delegation of authority between users in multiple administrative domains, to the XACML model for authorisation decision making. Delegation of authority is enacted via the issuing of credentials from one user to another, and follows the role based access control model. We present the problems and requirements that such a delegation model demands, the policy elements that are necessary to control the delegation chains and a description of the architected solution. We propose a new conceptual entity called the Credential Validation Service (CVS) to work alongside the XACML PDP. We describe our implementation of the CVS and present performance measurements for validating delegated chains of credentials.

Download publication 474 kbytes (PDF)

Bibtex Record

author = {David W Chadwick and Sassa Otenko and Tuan Anh Nguyen},
title = {Adding Support to {XACML} for Multi-Domain User to User Dynamic Delegation of Authority },
month = {April},
year = {2009},
pages = {182-196},
keywords = {determinacy analysis, Craig interpolants},
note = {},
doi = {10.1007/s10207-008-0073-y },
url = {},
    publication_type = {article},
    submission_id = {24038_1280421449},
    journal = {International Journal of Information Security},
    volume = {8},
    number = {2},

School of Computing, University of Kent, Canterbury, Kent, CT2 7NF

Enquiries: +44 (0)1227 824180 or contact us.

Last Updated: 21/03/2014