Ändra sökning
Länk till posten
Permanent länk

Direktlänk
BETA
Publikationer (10 of 19) Visa alla publikationer
Seitz, L., Rissanen, E. & Sadighi, B. (2007). A Classification of Delegation Schemes for Attribute Authority (1ed.). In: Formal Aspects in Security and Trust: (pp. 158-169). Springer
Öppna denna publikation i ny flik eller fönster >>A Classification of Delegation Schemes for Attribute Authority
2007 (Engelska)Ingår i: Formal Aspects in Security and Trust, Springer , 2007, 1, s. 158-169Kapitel i bok, del av antologi (Refereegranskat)
Abstract [en]

Recently assertions have been explored as a generalisation of certificates within access control. Assertions are used to link arbitrary attributes (e.g. roles, security clearances) to arbitrary entities (e.g. users, resources). These attributes can then be used as identifiers in access control policies to refer to groups of users or resources. In many applications attribute management does not happen within the access control system. External entities manage attribute assignments and issue assertions that are then used in the access control system. Some approaches also allow for the delegation of attribute authority, in order to spread the administrative workload. In such systems the consumers of attribute assertions issued by a delegated authority need a delegation verification scheme. In this article we propose a classification for schemes that allow to verify delegated authority, with a focus on attribute assertion. Using our classification, one can deduce some advantages and drawbacks of different approaches to delegated attribute assertion. This work was carried out during the tenure of an ERCIM “Alain Bensoussan” Fellowship Programme.

Ort, förlag, år, upplaga, sidor
Springer, 2007 Upplaga: 1
Serie
Lecture Notes in Computer Science ; 4691
Nationell ämneskategori
Data- och informationsvetenskap
Identifikatorer
urn:nbn:se:ri:diva-21154 (URN)
Anmärkning

Also appeared in The fourth international Workshop on Formal Aspects in Security and Trust (FAST2006), 26-27 August 2006, Hamilton, Ontario, Canada.

Tillgänglig från: 2016-10-31 Skapad: 2016-10-31 Senast uppdaterad: 2018-08-20Bibliografiskt granskad
Alqatawna, J., Rissanen, E. & Sadighi, B. (2007). Overriding of Access Control in XACML (1ed.). In: Proceedings of the Eighth IEEE International Workshop on Policies for Distributed Systems and Networks: . Paper presented at Eighth IEEE International Workshop on Policies for Distributed Systems and Networks, 13-15 June 2007, Bologna, Italy.
Öppna denna publikation i ny flik eller fönster >>Overriding of Access Control in XACML
2007 (Engelska)Ingår i: Proceedings of the Eighth IEEE International Workshop on Policies for Distributed Systems and Networks, 2007, 1, , s. 9Konferensbidrag, Publicerat paper (Refereegranskat)
Abstract [en]

Most access control mechanisms focus on how to define the rights of users in a precise way to prevent any violation of the access control policy of an organization. However, in many cases it is hard to predefine all access needs, or even to express them in machine readable form. One example of such a situation is an emergency case which may not be predictable and would be hard to express as a machine readable condition. Discretionary overriding of access control is one way for handling such hard to define and unanticipated situations where availability is critical. The override mechanism gives the subject of the access control policy the possibility to override a denied decision, and if the subject should confirm the override, the access will be logged for special auditing. XACML, the eXtensible Access Control Markup Language, provides a standardized access control policy language for expressing access control policies. This paper introduces a discretionary overriding mechanism in XACML. We do so by means of XACML obligations and also define a general obligation combining mechanism.

Förlag
s. 9
Nationell ämneskategori
Data- och informationsvetenskap
Identifikatorer
urn:nbn:se:ri:diva-22380 (URN)10.1109/POLICY.2007.31 (DOI)
Konferens
Eighth IEEE International Workshop on Policies for Distributed Systems and Networks, 13-15 June 2007, Bologna, Italy
Tillgänglig från: 2016-10-31 Skapad: 2016-10-31 Senast uppdaterad: 2018-08-20Bibliografiskt granskad
Sadighi, B. & Sergot, M. (2006). The Role of Agreements in Virtual Organizations (1ed.). In: Proactive Approach: Law Libraries: (pp. 297-303). Stockholm Inst for Scandinavian Law
Öppna denna publikation i ny flik eller fönster >>The Role of Agreements in Virtual Organizations
2006 (Engelska)Ingår i: Proactive Approach: Law Libraries, Stockholm Inst for Scandinavian Law , 2006, 1, , s. 465s. 297-303Kapitel i bok, del av antologi (Refereegranskat)
Ort, förlag, år, upplaga, sidor
Stockholm Inst for Scandinavian Law, 2006. s. 465 Upplaga: 1
Serie
Scandinavian Studies in Law
Nationell ämneskategori
Data- och informationsvetenskap
Identifikatorer
urn:nbn:se:ri:diva-21153 (URN)9185142638 (ISBN)
Tillgänglig från: 2016-10-31 Skapad: 2016-10-31 Senast uppdaterad: 2018-08-20Bibliografiskt granskad
Sadighi, B. (2005). Decentralised Privilege Management for Access Control (2ed.). (Doctoral dissertation).
Öppna denna publikation i ny flik eller fönster >>Decentralised Privilege Management for Access Control
2005 (Engelska)Doktorsavhandling, monografi (Övrigt vetenskapligt)
Abstract [en]

The Internet and the more recent technologies such as web services, grid computing, utility computing and peer-to-peer computing have created possibilities for very dynamic collaborations and business transactions where information and computational resources may be accessed and shared among autonomous and administratively independent organisations. In these types of collaborations, there is no single authority who can define access policies for all the shared resources. More sophisticated mechanisms are needed to enable flexible administration and enforcement of access policies. The challenge is to develop mechanisms that preserve a high level of control on the administration and the enforcement of policies, whilst supporting the required administrative flexibility. We introduce two new frameworks to address this issue. In the first part of the thesis we develop a formal framework and an associated calculus for delegation of administrative authority, within and across organisational boundaries, with possibilities to define various restrictions on their propagation and revocation. The extended version of the framework allows reasoning with named groups of users, objects, and actions, and a specific subsumes relation between these groups. We also extend current discretionary access control models with the concept of ability, as a way of specifying when a user is able to perform an action even though not permitted to do so. This feature allows us to model detective access control (unauthorised accesses are logged for post-validation resulting in recovery and/or punitive actions) in addition to traditional preventative access control (providing mechanisms that guarantee no unauthorised access can take place). Detective access control is useful when prevention is either physically or economically impossible, or simply undesirable for one reason or another. In the second part of the thesis, we develop a formal framework for contractualbased access control to shared resources among independent organisations. We introduce the notion of entitlement in the context of access control models as an access permission supported by an obligation agreed in a contract between the access requester and the resource provider. The framework allows us to represent the obligations in a contract in structured way and to reason about their fulfilments and violations.

Serie
SICS dissertation series, ISSN 1101-1335
Nationell ämneskategori
Data- och informationsvetenskap
Identifikatorer
urn:nbn:se:ri:diva-21293 (URN)
Tillgänglig från: 2016-10-31 Skapad: 2016-10-31 Senast uppdaterad: 2018-08-20Bibliografiskt granskad
Rissanen, E., Sadighi, B. & Sergot, M. (2005). Discretionary overriding of access control in the privilege calculus. In: Formal Aspects in Security and Trust: IFIP TC1 WG1.7 Workshop on Formal Aspects in Security and Trust (FAST), World Computer Congress, August 22-27, 2004: (pp. 219-232). Springer
Öppna denna publikation i ny flik eller fönster >>Discretionary overriding of access control in the privilege calculus
2005 (Engelska)Ingår i: Formal Aspects in Security and Trust: IFIP TC1 WG1.7 Workshop on Formal Aspects in Security and Trust (FAST), World Computer Congress, August 22-27, 2004, Springer , 2005, , s. 246s. 219-232Kapitel i bok, del av antologi (Refereegranskat)
Ort, förlag, år, upplaga, sidor
Springer, 2005. s. 246
Serie
IFIP International Federation for Information Processing ; 173
Nationell ämneskategori
Data- och informationsvetenskap
Identifikatorer
urn:nbn:se:ri:diva-22353 (URN)9780387240503 (ISBN)
Tillgänglig från: 2016-10-31 Skapad: 2016-10-31 Senast uppdaterad: 2018-08-20Bibliografiskt granskad
Seitz, L., Rissanen, E., Sandholm, T., Sadighi, B. & Mulmo, O. (2005). Policy Administration Control and Delegation using XACML and Delegent (1ed.). In: : . Paper presented at Grid 2005 - 6th IEEE/ACM International Workshop on Grid Computing.
Öppna denna publikation i ny flik eller fönster >>Policy Administration Control and Delegation using XACML and Delegent
Visa övriga...
2005 (Engelska)Konferensbidrag, Publicerat paper (Refereegranskat)
Abstract [en]

In this paper we present a system permitting controlled policy administration and delegation using the XACML access control system. The need for these capabilities stems from the use of XACML in the SweGrid Accounting System, which is used to enforce resource allocations to Swedish research projects. Our solution uses a second access control system Delegent, which has powerful delegation capabilities. We have implemented limited XML access control in Delegent, in order to supervise modifications of the XML-encoded XACML policies. This allows us to use the delegation capabilities of Delegent together with the expressive access level permissions of XACML.

Nationell ämneskategori
Data- och informationsvetenskap
Identifikatorer
urn:nbn:se:ri:diva-21127 (URN)10.1109/GRID.2005.1542723 (DOI)
Konferens
Grid 2005 - 6th IEEE/ACM International Workshop on Grid Computing
Anmärkning

Published by IEEE Press.

Tillgänglig från: 2016-10-31 Skapad: 2016-10-31 Senast uppdaterad: 2018-08-20Bibliografiskt granskad
Sadighi, B., Sergot, M., Squiciarrini, A. & Bertino, E. (2004). A framework for contractual resource sharing (1ed.). In: : . Paper presented at Proceedings of the IEEE 5th International Workshop on Policies for Distributed Systems and Networks.
Öppna denna publikation i ny flik eller fönster >>A framework for contractual resource sharing
2004 (Engelska)Konferensbidrag, Publicerat paper (Refereegranskat)
Förlag
s. 10
Nationell ämneskategori
Data- och informationsvetenskap
Identifikatorer
urn:nbn:se:ri:diva-22356 (URN)
Konferens
Proceedings of the IEEE 5th International Workshop on Policies for Distributed Systems and Networks
Tillgänglig från: 2016-10-31 Skapad: 2016-10-31 Senast uppdaterad: 2018-08-20Bibliografiskt granskad
Rissanen, E., Sadighi, B. & Sergot, M. (2004). Towards a mechanism for discretionary overriding of access control: position paper (1ed.). In: Proceedings of the twelfth international workshop on security protocols: . Paper presented at Twelfth international workshop on security protocols, 26-28 Apr 2004, Cambridge, UK..
Öppna denna publikation i ny flik eller fönster >>Towards a mechanism for discretionary overriding of access control: position paper
2004 (Engelska)Ingår i: Proceedings of the twelfth international workshop on security protocols, 2004, 1, , s. 9Konferensbidrag, Publicerat paper (Refereegranskat)
Förlag
s. 9
Nationell ämneskategori
Data- och informationsvetenskap
Identifikatorer
urn:nbn:se:ri:diva-22354 (URN)
Konferens
Twelfth international workshop on security protocols, 26-28 Apr 2004, Cambridge, UK.
Tillgänglig från: 2016-10-31 Skapad: 2016-10-31 Senast uppdaterad: 2018-08-20Bibliografiskt granskad
Sadighi, B. & Svensson, K. (2003). Decentraliserad rättighetshantering (1ed.). In: : . Paper presented at Mässan för civil and militär beredskap (CIMI), 20-22 May 2003, Enköping, Sweden.
Öppna denna publikation i ny flik eller fönster >>Decentraliserad rättighetshantering
2003 (Engelska)Konferensbidrag, Publicerat paper (Refereegranskat)
Abstract [en]

With the development of modern computer networks, a new advanced channel for communication emerges. The future Swedish defence will use multiple systems connected with high-speed networks for information sharing. Within this environment, the issue of administration of authorisation is crucial. SaabTech Systems and SICS have in collaboration developed a model and a prototype for decentralised administration of authorisations. The model is based on delegation of authorisations extended with a component to define constraints on delegations. This enables efficient decentralised administration that reflects the management structure of an organization in a natural way, at the same time as it maintains centralised control on the distribution of authorisations. All authorisations must fulfil constraints defined by their sources of authority. The source of authority may, for instance, define in advance how a certain authorisation can be distributed and used, in terms of whom and when it can be delegated. The model supports several schemes for revocation of authorization.

Nationell ämneskategori
Data- och informationsvetenskap
Identifikatorer
urn:nbn:se:ri:diva-22437 (URN)
Konferens
Mässan för civil and militär beredskap (CIMI), 20-22 May 2003, Enköping, Sweden
Tillgänglig från: 2016-10-31 Skapad: 2016-10-31 Senast uppdaterad: 2018-08-20Bibliografiskt granskad
Sadighi, B., Olsson, O. & Rissanen, E. (2003). Managing authorisations in dynamic coalitions (1ed.). In: : . Paper presented at Mässan för civil and militär beredskap (CIMI), 20-22 May 2003, Enköping, Sweden.
Öppna denna publikation i ny flik eller fönster >>Managing authorisations in dynamic coalitions
2003 (Engelska)Konferensbidrag, Publicerat paper (Refereegranskat)
Abstract [en]

In this position paper we highlight issues concerning management of authorisation in coalitions. We identify two main issues related to the administration of authorisations in dynamic coalitions. The first issue concerns /decentralisation of administration/, and we show how an existing framework developed at SICS addresses this issue. The second issue concerns /decentralisation of enforcement/ of authorisation and we describe a new approach to address this issue by extending the current access control models with the notion of entitlement. The idea is that both authorisations and entitlements are specified in access contracts that coalition partners agree upon. These contracts can be used for automating access decision making by those controlling access to coalition resources.

Nationell ämneskategori
Data- och informationsvetenskap
Identifikatorer
urn:nbn:se:ri:diva-22435 (URN)
Konferens
Mässan för civil and militär beredskap (CIMI), 20-22 May 2003, Enköping, Sweden
Tillgänglig från: 2016-10-31 Skapad: 2016-10-31 Senast uppdaterad: 2018-08-20Bibliografiskt granskad
Identifikatorer
ORCID-id: ORCID iD iconorcid.org/0000-0003-0231-8015

Sök vidare i DiVA

Visa alla publikationer
v. 2.35.8