A framework for modelling restricted delegation of rights in the Sectet

摘要

We present a novel approach for modelling restricted delegation of rights in a distributed environment based on web services. In existing delegation models, delegated permissions are statically assigned to a role which is not the case in Service Oriented Architecture's (SOA). In SOA, permissions to execute web services are delegated to roles with a set of dynamic constraints. These constraints play a key role in the assignment of permissions to roles. This paper presents an extension to our model Constraint based Role Based Access Control (CRBAC), CRBAC1, in order to support permission-level delegation based on dynamic constraints. Our approach integrates Sectet-PL, a predicative language for modelling access rights based on the concept of Role Based Access Control (RBAC). Sectet-PL is part of the Sectet framework for model-driven security for B2B workflows. Our Rights Delegation Model combines the concept of roles from RBAC with the predicative specification of Sectet-PL. The Rights Delegation Model is translated into XACML Delegation Policies, which are interpreted by a security gateway.