Change search
Refine search result
1 - 19 of 19
CiteExportLink to result list
Permanent link
Cite
Citation style
  • apa
  • harvard1
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Rows per page
  • 5
  • 10
  • 20
  • 50
  • 100
  • 250
Sort
  • Standard (Relevance)
  • Author A-Ö
  • Author Ö-A
  • Title A-Ö
  • Title Ö-A
  • Publication type A-Ö
  • Publication type Ö-A
  • Issued (Oldest first)
  • Issued (Newest first)
  • Created (Oldest first)
  • Created (Newest first)
  • Last updated (Oldest first)
  • Last updated (Newest first)
  • Disputation date (earliest first)
  • Disputation date (latest first)
  • Standard (Relevance)
  • Author A-Ö
  • Author Ö-A
  • Title A-Ö
  • Title Ö-A
  • Publication type A-Ö
  • Publication type Ö-A
  • Issued (Oldest first)
  • Issued (Newest first)
  • Created (Oldest first)
  • Created (Newest first)
  • Last updated (Oldest first)
  • Last updated (Newest first)
  • Disputation date (earliest first)
  • Disputation date (latest first)
Select
The maximal number of hits you can export is 250. When you want to export more records please use the Create feeds function.
  • 1. Alqatawna, Ja´far
    et al.
    Rissanen, Erik
    RISE, Swedish ICT, SICS.
    Sadighi, Babak
    RISE, Swedish ICT, SICS.
    Overriding of Access Control in XACML2007In: Proceedings of the Eighth IEEE International Workshop on Policies for Distributed Systems and Networks, 2007, 1, , p. 9Conference paper (Refereed)
    Abstract [en]

    Most access control mechanisms focus on how to define the rights of users in a precise way to prevent any violation of the access control policy of an organization. However, in many cases it is hard to predefine all access needs, or even to express them in machine readable form. One example of such a situation is an emergency case which may not be predictable and would be hard to express as a machine readable condition. Discretionary overriding of access control is one way for handling such hard to define and unanticipated situations where availability is critical. The override mechanism gives the subject of the access control policy the possibility to override a denied decision, and if the subject should confirm the override, the access will be logged for special auditing. XACML, the eXtensible Access Control Markup Language, provides a standardized access control policy language for expressing access control policies. This paper introduces a discretionary overriding mechanism in XACML. We do so by means of XACML obligations and also define a general obligation combining mechanism.

  • 2.
    Bandmann, Olav
    et al.
    RISE, Swedish ICT, SICS.
    Dam, Mads
    Sadighi, Babak
    RISE, Swedish ICT, SICS.
    Constrained delegation2002In: Proceedings of IEEE Symposium on Security and Privacy, 2002, 1, , p. 12Conference paper (Refereed)
    Abstract [en]

    Sometimes it is useful to be able to separate between the management of a set of resources, and the access to the resources themselves. Current accounts of delegation do not allow such distinctions to be easily made, however. We introduce a new model for delegation to address this issue. The approach is based on the idea of controlling the possible shapes of delegation chains. We use constraints to restrict the capabilities at each step of delegation. Constraints may reflect e.g. group memberships, timing constraints, or dependencies on external data. Regular expressions are used to describe chained constraints. We present a number of example delegation structures, based on a scenario of collaborating organisations.

  • 3.
    Dam, Mads
    et al.
    RISE - Research Institutes of Sweden, ICT, SICS.
    Karlsson, Gunnar
    Sadighi, Babak
    RISE, Swedish ICT, SICS.
    A research agenda for distributed policy-based management2002In: Proceedings of RVK'02, Radiovetenskap och Kommunikation, 2002, 2Conference paper (Refereed)
    Abstract [en]

    Policy-based management is based on defining a set of global rules, according to which a network or distributed system must operate. In the last few years, policy-based management has begun to emerge as the dominant paradigm for developing network and systems management functions, primarily, since it can reduce complexity in management applications. Although attempts are underway to standardize policy-based management, significant research challenges remain. At KTH and SICS, a joint activity has been started to focus on some of the key issues. The paper outlines the research agenda for this activity.

  • 4. Jones, Andrew J. I.
    et al.
    Sadighi, Babak
    RISE, Swedish ICT, SICS.
    On the characterisation of a trusting agent: aspects of a formal approach2001In: Trust and deception in virtual societies, Kluwer Academic Publishers , 2001, 1, p. 157-168Chapter in book (Refereed)
  • 5.
    Rissanen, Erik
    et al.
    RISE, Swedish ICT, SICS.
    Sadighi, Babak
    RISE, Swedish ICT, SICS.
    Sergot, Marek
    Discretionary overriding of access control in the privilege calculus2005In: Formal Aspects in Security and Trust: IFIP TC1 WG1.7 Workshop on Formal Aspects in Security and Trust (FAST), World Computer Congress, August 22-27, 2004, Springer , 2005, , p. 246p. 219-232Chapter in book (Refereed)
  • 6.
    Rissanen, Erik
    et al.
    RISE, Swedish ICT, SICS.
    Sadighi, Babak
    RISE, Swedish ICT, SICS.
    Sergot, Marek
    Towards a mechanism for discretionary overriding of access control: position paper2004In: Proceedings of the twelfth international workshop on security protocols, 2004, 1, , p. 9Conference paper (Refereed)
  • 7.
    Sadighi, Babak
    RISE, Swedish ICT, SICS.
    Decentralised Privilege Management for Access Control2005Doctoral thesis, monograph (Other academic)
    Abstract [en]

    The Internet and the more recent technologies such as web services, grid computing, utility computing and peer-to-peer computing have created possibilities for very dynamic collaborations and business transactions where information and computational resources may be accessed and shared among autonomous and administratively independent organisations. In these types of collaborations, there is no single authority who can define access policies for all the shared resources. More sophisticated mechanisms are needed to enable flexible administration and enforcement of access policies. The challenge is to develop mechanisms that preserve a high level of control on the administration and the enforcement of policies, whilst supporting the required administrative flexibility. We introduce two new frameworks to address this issue. In the first part of the thesis we develop a formal framework and an associated calculus for delegation of administrative authority, within and across organisational boundaries, with possibilities to define various restrictions on their propagation and revocation. The extended version of the framework allows reasoning with named groups of users, objects, and actions, and a specific subsumes relation between these groups. We also extend current discretionary access control models with the concept of ability, as a way of specifying when a user is able to perform an action even though not permitted to do so. This feature allows us to model detective access control (unauthorised accesses are logged for post-validation resulting in recovery and/or punitive actions) in addition to traditional preventative access control (providing mechanisms that guarantee no unauthorised access can take place). Detective access control is useful when prevention is either physically or economically impossible, or simply undesirable for one reason or another. In the second part of the thesis, we develop a formal framework for contractualbased access control to shared resources among independent organisations. We introduce the notion of entitlement in the context of access control models as an access permission supported by an obligation agreed in a contract between the access requester and the resource provider. The framework allows us to represent the obligations in a contract in structured way and to reason about their fulfilments and violations.

  • 8.
    Sadighi, Babak
    et al.
    RISE, Swedish ICT, SICS.
    Dam, Mads
    RISE - Research Institutes of Sweden, ICT, SICS.
    Managing authorisations2002In: ERCIM News, ISSN 0926-4981, E-ISSN 1564-0094, no 49Article in journal (Other (popular science, discussion, etc.))
    Abstract [en]

    The problem of authorisation, delegation, and authorisation management in distributed systems has been studied at SICS for the last two years. Our main focus has been the development of delegation logic which is based on th eidea of delegation as the explicit yet constrained creation of new privileges.

  • 9.
    Sadighi, Babak
    et al.
    RISE, Swedish ICT, SICS.
    Olsson, Olle
    RISE, Swedish ICT, SICS, Computer Systems Laboratory.
    Rissanen, Erik
    RISE, Swedish ICT, SICS.
    Managing authorisations in dynamic coalitions2003Conference paper (Refereed)
    Abstract [en]

    In this position paper we highlight issues concerning management of authorisation in coalitions. We identify two main issues related to the administration of authorisations in dynamic coalitions. The first issue concerns /decentralisation of administration/, and we show how an existing framework developed at SICS addresses this issue. The second issue concerns /decentralisation of enforcement/ of authorisation and we describe a new approach to address this issue by extending the current access control models with the notion of entitlement. The idea is that both authorisations and entitlements are specified in access contracts that coalition partners agree upon. These contracts can be used for automating access decision making by those controlling access to coalition resources.

  • 10.
    Sadighi, Babak
    et al.
    RISE, Swedish ICT, SICS.
    Sergot, Marek
    Contractual access control2002Conference paper (Refereed)
    Abstract [en]

    In this position paper we discuss the issue of enforcing access policies in distributed environments where there is no central system designer/administrator, and consequently no guarantee that policies will be properly implemented by all components of the system. We argue that existing access control models, which are based on the concepts of permission and prohibition, need to be extended with the concept of entitlement. Entitlement to access a resource means not only that the access is permitted but also that the controller of the resource is obliged to grant the access when it is requested. An obligation to grant the access however does not guarantee that it will be granted: agents are capable of violating their obligations. In the proposed approach we discuss a Community Regulation Server that not only reasons about access permissions and obligations, but also updates the normative state of a community according to the contractual performance of its interacting agents.

  • 11.
    Sadighi, Babak
    et al.
    RISE, Swedish ICT, SICS.
    Sergot, Marek
    Revocation in the privilege calculus2003In: Proceedings of the 1st International Workshop on Formal Aspects in Security and Trust (FAST), 2003, 1Conference paper (Refereed)
    Abstract [en]

    We have previously presented a framework for updating privileges and creating management structures by means of authority certificates. These are used both to create access-level permissions and to delegate authority to other agents. In this paper we extend the framework to support a richer set of revocation schemes. As in the original, we present an associated calculus of privileges, encoded as a logic program, for reasoning about certificates, revocations, and the privileges they create and destroy. The discussion of revocation schemes follows an existing classification in the literature based on three separate dimensions: resilience, propagation, and dominance. The first does not apply to this framework. The second is specified straightforwardly. The third can be encoded but raises a number offurther questions for future investigation.

  • 12.
    Sadighi, Babak
    et al.
    RISE, Swedish ICT, SICS.
    Sergot, Marek
    Revocation schemes for delegated authorities2002In: Proceedings of the Third International Workshop on Policies for Distributed Systems and Networks, 2002, 1Conference paper (Refereed)
    Abstract [en]

    We have an existing framework for updating privileges and creating management structures by means of authority certificates. These are used both to create access-level permissions and to delegate authority to other agents. Here we extend the framework to support a richer set of revocation schemes. The discussion of revocation follows an existing classification in the literature based on three separate dimensions: resilience, propagation, and dominance. The first does not apply to this framework. The second is specified straightforwardly. The third can be encoded but raises a number of further questions for future investigation.

  • 13.
    Sadighi, Babak
    et al.
    RISE, Swedish ICT, SICS.
    Sergot, Marek
    The Role of Agreements in Virtual Organizations2006In: Proactive Approach: Law Libraries, Stockholm Inst for Scandinavian Law , 2006, 1, , p. 465p. 297-303Chapter in book (Refereed)
  • 14.
    Sadighi, Babak
    et al.
    RISE, Swedish ICT, SICS.
    Sergot, Marek
    Bandmann, Olav
    Using authority certificates to create management structures2001Conference paper (Refereed)
    Abstract [en]

    We address the issue of updating privileges in a dynamic environment by introducing authority certificates in a Privilege Management Infrastructure. These certificates can be used to create access-level permissions but also to delegate authority to other agents, thereby providing a mechanism for creating management structures and for changing these structures over time. We present a semantic framework for privileges and certificates and an associated calculus, encoded as a logic program, for reasoning about them. The framework distinguishes between the time a certificate is issued or revoked and the time for which the associated privilege is created. This enables certificates to have prospective and retrospective effects, and allows us to reason about privileges and their consequences in the past, present, and future. The calculus provides a verification procedure for determining, given a set of declaration and revocation certificates, whether a certain privilege holds.

  • 15.
    Sadighi, Babak
    et al.
    RISE, Swedish ICT, SICS.
    Sergot, Marek J.
    Power and permission in security systems1999In: Proccedings: Security Protocols, 7th International Workshop, Cambridge, UK, April 19-21, 1999, Springer, 1999, 1Conference paper (Refereed)
  • 16.
    Sadighi, Babak
    et al.
    RISE, Swedish ICT, SICS.
    Sergot, Marek
    Squiciarrini, Anna
    Bertino, Elisa
    A framework for contractual resource sharing2004Conference paper (Refereed)
  • 17.
    Sadighi, Babak
    et al.
    RISE, Swedish ICT, SICS.
    Svensson, Kjell
    Decentraliserad rättighetshantering2003Conference paper (Refereed)
    Abstract [en]

    With the development of modern computer networks, a new advanced channel for communication emerges. The future Swedish defence will use multiple systems connected with high-speed networks for information sharing. Within this environment, the issue of administration of authorisation is crucial. SaabTech Systems and SICS have in collaboration developed a model and a prototype for decentralised administration of authorisations. The model is based on delegation of authorisations extended with a component to define constraints on delegations. This enables efficient decentralised administration that reflects the management structure of an organization in a natural way, at the same time as it maintains centralised control on the distribution of authorisations. All authorisations must fulfil constraints defined by their sources of authority. The source of authority may, for instance, define in advance how a certain authorisation can be distributed and used, in terms of whom and when it can be delegated. The model supports several schemes for revocation of authorization.

  • 18. Seitz, Ludwig
    et al.
    Rissanen, Erik
    RISE, Swedish ICT, SICS.
    Sadighi, Babak
    RISE, Swedish ICT, SICS.
    A Classification of Delegation Schemes for Attribute Authority2007In: Formal Aspects in Security and Trust, Springer , 2007, 1, p. 158-169Chapter in book (Refereed)
    Abstract [en]

    Recently assertions have been explored as a generalisation of certificates within access control. Assertions are used to link arbitrary attributes (e.g. roles, security clearances) to arbitrary entities (e.g. users, resources). These attributes can then be used as identifiers in access control policies to refer to groups of users or resources. In many applications attribute management does not happen within the access control system. External entities manage attribute assignments and issue assertions that are then used in the access control system. Some approaches also allow for the delegation of attribute authority, in order to spread the administrative workload. In such systems the consumers of attribute assertions issued by a delegated authority need a delegation verification scheme. In this article we propose a classification for schemes that allow to verify delegated authority, with a focus on attribute assertion. Using our classification, one can deduce some advantages and drawbacks of different approaches to delegated attribute assertion. This work was carried out during the tenure of an ERCIM “Alain Bensoussan” Fellowship Programme.

  • 19. Seitz, Ludwig
    et al.
    Rissanen, Erik
    RISE, Swedish ICT, SICS.
    Sandholm, Toumas
    Sadighi, Babak
    RISE, Swedish ICT, SICS.
    Mulmo, Olle
    Policy Administration Control and Delegation using XACML and Delegent2005Conference paper (Refereed)
    Abstract [en]

    In this paper we present a system permitting controlled policy administration and delegation using the XACML access control system. The need for these capabilities stems from the use of XACML in the SweGrid Accounting System, which is used to enforce resource allocations to Swedish research projects. Our solution uses a second access control system Delegent, which has powerful delegation capabilities. We have implemented limited XML access control in Delegent, in order to supervise modifications of the XML-encoded XACML policies. This allows us to use the delegation capabilities of Delegent together with the expressive access level permissions of XACML.

1 - 19 of 19
CiteExportLink to result list
Permanent link
Cite
Citation style
  • apa
  • harvard1
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
v. 2.35.7