Abstract

Provision for delegation of access privileges lends access control systems flexibility and context-awareness. The topic of delegation did not exist in classical computing security, but – as IT systems became more distributed and complex – provision for delegation became a necessary access-control feature, and consequently much effort has been dedicated to extending conventional access control models with delegation capability. Many such efforts have pivoted around the well-known Role-based Access Control (RBAC) model, mainly for compatibility reasons, as RBAC had already been considered the de facto industry standard – even before the need for delegation arose in enterprise information systems. However, delegation is arguably more discretionary than role-based in nature, especially in healthcare informatics, which is the application domain for our proposed delegation framework. In this paper, we present a discretionary framework for delegation of access rights from a delegator to a delegatee by implementing a delegation token and the various stages of its life cycle in tamper-resistant devices, including smartcards. The proposed framework is designed and implemented using our eTRON cybersecurity architecture, which advocates the use of public key cryptographic protocols for secure entity authentication, data integrity and data confidentiality.
