A Policy Framework for Access Management in Federated Information Sharing

  • Rafae Bhatti
  • Elisa Bertino
  • Arif Ghafoor
Part of the IFIP International Federation for Information Processing book series (IFIPAICT, volume 193)


Current mechanisms for distributed access management are limited in their capabilities to provide federated information sharing while ensuring adequate levels of resource protection. This work presents a policy-based framework designed to address these limitations for access management in federated systems. In particular, it supports: (i) decentralized administration while preserving local autonomy, (ii) fine-grained access control while avoiding rule-explosion in the policy,(iii) credential federation through the use of interoperable protocols, with support for single sign on for federated users, (iv) specification and enforcement of semantic and contextual constraints to support integrity requirements and contractual obligations, and (v) usage control in resource provisioning through effective session management. The paper highlights the significance of our policy-based approach in comparison with related mechanisms. It also presents a system architecture of our implementation prototype.

Key words

Federated Systems Policy-based Management XML Access Control 


  1. [1] Scholar
  2. [2] Scholar
  3. [3]
    S. D. C. di Vimercati, P. Samarati, “Access control in federated systems”, In proceedings of ACM New Security Paradigm Workshop, pages 87–99, Lake Arrowhead, CA, USA, 1996.Google Scholar
  4. [4]
    D. D. Clark, D. R. Wilson, “A comparison of commercial and military computer security policies,” In IEEE Symposium on Security and Privacy, pages 184–194, Oakland, April 1987.Google Scholar
  5. [5]
    R. S. Sandhu, E.J. Coyne, H.L. Feinstein, C.E. Youman, “Role-Based Access Control Models”, IEEE Computer 29(2): 38–47, IEEE Press, 1996.Google Scholar
  6. [6] Scholar
  7. [7] Scholar
  8. [8] Scholar
  9. [9] Scholar
  10. [10] Scholar
  11. [11] Scholar
  12. [12]
    M. Blaze, J. Feigenbaum, and A. D. Keromytis, “KeyNote: Trust management for public-key infrastructures,” in Security Protocols International Workshop, Springer LNCS, no. 1550, pp. 59–63, 1998.Google Scholar
  13. [13]
    C. M. Ellison, “SPKI requirements,” RFC 2692, Internet Engineering Task Force Draft IETF, Sept. 1999. See Scholar
  14. [14]
    A. Herzberg, Y. Mass, J. Mihaeli, D. Naor, and Y. Ravid, “Access control meets public key infrastructure, or: Assigning roles to strangers”, In Proceedings of the 2000 IEEE Symposium on Security and Privacy, pp. 2–14, 2000. IEEE Press.Google Scholar
  15. [15]
    N. Li, J. C. Mitchell, W. H. Winsborough, “Design of a role-based trust management framework”, In Proceedings of the 2002 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, May 2002.Google Scholar
  16. [16]
    J. B. D. Joshi, R. Bhatti, E. Bertino, A. Ghafoor, “An Access Control Language for Multi-Domain Environments”, IEEE Internet Computing, vol. 8, no. 6, pp. 40–50, November/December 2004.CrossRefGoogle Scholar
  17. [17]
    J. B. D. Joshi, E. Bertino, U. Latif, A. Ghafoor, “Generalized Temporal Role Based Access Control Model (GTRBAC)”, IEEE Transaction on Knowledge and Data Engineering, vol. 17, no. 1, January 2005.Google Scholar
  18. [18]
    R. Bhatti, J. B. D. Joshi, E. Bertino, A. Ghafoor, “X-GTRBAC: An XML-based Policy Specification Framework and Architecture for Enterprise-Wide Access Control”, ACM Transactions on Information and System Security (TISSEC), Vol. 8, No. 2.Google Scholar
  19. [19]
    A. Keromytis, S. Ioannidis, M. Greenwald, J. Smith, “The STRONGMAN Architecture”, In Proceedings of the Third DARPA Information Survivability Conference and Exposition (DISCEX III), Washington, D.C. April 22–24, 2003.Google Scholar
  20. [20]
    L. Lymberopoulos, E. Lupu, M. Sloman, “An Adaptive Policy Based Management Framework for Network Services Management”, In Special Issue on Policy Based Management of Networks and Services, Journal of Networks and Systems Management, Vol. 11, No. 3, Sep. 2003.Google Scholar
  21. [21]
    N. Damianou, N. Dulay, E. Lupu, M Sloman, “The Ponder Specification Language”, Workshop on Policies for Distributed Systems and Networks (Policy2001), HP Labs Bristol, 29–31 Jan 2001.Google Scholar
  22. [22]
    K. Taylor, J. Murty, “Implementing role based access control for federated information systems on the web”, Proceedings of the Australasian information security workshop conference on ACSW frontiers 2003, p.87–95, February 01, 2003, Adelaide, Australia.Google Scholar
  23. [23]
    M. Thompson, A. Essiari, S. Mudumbai, “Certificate-based Authorization Policy in a PKI Environment”, ACM Transactions on Information and System Security, (TISSEC), Volume 6, Issue 4 (November 2003) pp: 566–588.CrossRefGoogle Scholar
  24. [24]
    D.W. Chadwick, A. Otenko, “The PERMIS X.509 role based privilege management infrastructure”, In proceedings of the seventh ACM Symposium on Access Control Models and Technologies, Monterey, California, USA.Google Scholar
  25. [25] Scholar
  26. [26] Scholar
  27. [27]
    X. Zhang, J. Park, F. Parisi-Presicce, R. Sandhu, “A Logical Specification for Usage Control”, In proceedings of the ninth ACM Symposium on Access Control Models and Technologies, Monterey, California, USA.Google Scholar
  28. [28]
    B. Rosenblatt, B. Trippe, S. Mooney, “Digital Rights Management: Business and Technology”, New York: Hungry Minds/John Wiley and Sons, 2001.Google Scholar

Copyright information

© International Federation for Information Processing 2005

Authors and Affiliations

  • Rafae Bhatti
    • 1
  • Elisa Bertino
    • 2
  • Arif Ghafoor
    • 1
  1. 1.School of Electrical and Computer EngineeringPurdue UniversityWest Lafayette
  2. 2.Department of Computer Sciences and CERIASPurdue UniversityWest Lafayette

Personalised recommendations