ACROSS: A generic framework for attribute-based access control with distributed policies for virtual organizations

Abstract

Research interests about access control mechanisms for distributed resources have recently increased. In this scenario, users from different institutions access distributed resources, maintained by different organizations, in order to participate in a common research project, network, or testbed. Several challenges arise from these virtual organizations in order to give different types of access privileges to distinct types of resources, depending on the user profile and considering local and global access policies from partners. This work presents a generic and extensible authentication and authorization framework, named ACROSS, based on policies and attributes for virtual organizations. Our proposal creates a granular and scalable access control, which supports different authentication technologies and is independent of the kind of resource federation. In addition, ACROSS introduces a new concept of attribute generalization for access control, providing a transparent management based on access level computed from user attribute values and weights. Other works with similar goals have limitations restricting their integration with any kind of identity and resource federations. Also, these works present restrictions concerning environment and resource types. Hence, they are specific for usage in grid computing, testbed experimentation, or other distributed-resource environment. Differently from other proposals, ACROSS is a framework for supporting the development of new virtual organizations using any kind of resource sharing. ACROSS provides all A&A functionalities so that creating the virtual organization is no longer a challenge for new applications. We validate ACROSS using it on two scenarios: a real testbed and a testing environment composed of resources simulating a distributed open lab. The results show the feasibility to apply the proposal to different scenarios.