An Attribute Graph Based Approach to Map Local Access Control Policies to Credential Based Access Control Policies

Abstract

Due to the proliferation of the Internet and web based technologies, today's collaborations among organizations are increasingly short-lived, dynamic, and therefore formed in an ad-hoc manner to serve a specific purpose. Such example environments include web-services, dynamic coalitions, grid computing and ubiquitous computing. These environments necessitate the need for dynamic, efficient and secure sharing of resources among disparate organizations. Although such secure sharing of resources can be achieved by means of traditional access control and authentication mechanisms, they are administratively difficult when the partnerships and interactions are short-lived and constantly changing. When allowing sharing of resources, the organization must ensure that its own security policies are adhered to. Our proposal is to allow users, external to the organization, access to internal resources of the organization, if they possess certain attributes similar to those possessed by the internal users. We begin by first examining the internal security policies within an organization and attempt to map them to credential based policies. In essence, we identify the attributes possessed by internal users relevant to a security policy, and map them to credential attributes that are understood across organizations. Access can then be granted to users once they submit these required credentials with the identified attributes. We present an attribute graph based methodology to accomplish such a mapping. In this paper, we assume that the local access control policies are limited to Role Based Access Control (RBAC) policies.