Role-based delegation: Models and mechanisms

Posted on: 2007-09-30
Degree: Ph.D
Type: Dissertation
University: The University of North Carolina at Charlotte
Candidate: Zhang, Longhua
Full Text: PDF
GTID: 1458390005982183
Subject: Computer Science

Abstract/Summary:
Delegation is the process whereby an active entity in a distributed environment authorizes another entity to access resources. In today's distributed systems, a user often needs to act on another user's behalf with some subset of his/her rights. Most systems have addressed such delegation requirements with ad-hoc mechanisms, either by compromising existing, already disorganized policies or by simply attaching additional components to their applications. Still, there is a strong need in large, distributed systems for a mechanism that provides effective privilege delegation and revocation management. This dissertation describes an access control framework to support role-based delegation and revocation. The basic idea behind role-based delegation is that users themselves may delegate role authorities to others so that the latter can carry out functions the former is authorized to perform. We present a role-based delegation model called RDM2000 (role-based delegation model 2000) supporting hierarchical roles and multi-step delegation. Different approaches to delegation and revocation are also explored. In addition, a rule-based language for specifying and enforcing policies on RDM2000 is proposed. We describe proof-of-concept prototype implementations of RDM2000 to demonstrate the feasibility of the proposed framework. Future research directions are also discussed.
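The abstract names three ingredients of role-based delegation: a role hierarchy, multi-step (chained) delegation bounded by a maximum depth, and revocation that either cascades down the chain or stops at one hop. The following is an added, self-contained illustration of those ingredients, written for this page; it is not RDM2000's own rule set or prototype code. The roles, permissions, users and the "admin" pseudo-delegator used for original assignments are constructed sample data, and the cascade policy (revoke onward delegations only when the delegatee no longer holds the role by any path) is an assumption chosen for the example.

```python
"""Toy role-based delegation model: hierarchical roles, depth-bounded
multi-step delegation, and cascading vs. non-cascading revocation.
Constructed illustration only; not RDM2000's definitions."""
from dataclasses import dataclass

# Constructed role hierarchy: senior role -> junior roles it inherits from.
ROLE_HIERARCHY = {
    "ProjectLead": {"Developer"},
    "Developer": {"Employee"},
    "Employee": set(),
}

# Constructed permission assignment per role.
ROLE_PERMISSIONS = {
    "ProjectLead": {"approve_release"},
    "Developer": {"commit_code"},
    "Employee": {"read_wiki"},
}


def implied_roles(role):
    """All roles reachable downward from `role` in the hierarchy, itself included."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        stack.extend(ROLE_HIERARCHY.get(r, ()))
    return seen


@dataclass(frozen=True)
class Delegation:
    delegator: str
    delegatee: str
    role: str
    depth: int  # 0 = original assignment by "admin", 1 = first hop, ...


class DelegationStore:
    def __init__(self, max_depth):
        self.max_depth = max_depth
        self.records = []

    def assign(self, user, role):
        """Original (non-delegated) role membership, recorded at depth 0."""
        self.records.append(Delegation("admin", user, role, 0))

    def holds(self, user, role):
        """Does `user` hold `role` by assignment or by any delegation path?"""
        return any(d.delegatee == user and d.role == role for d in self.records)

    def roles_of(self, user):
        return {d.role for d in self.records if d.delegatee == user}

    def delegate(self, delegator, delegatee, role):
        """Multi-step delegation: the delegator must hold the role, and the
        resulting chain may not exceed max_depth hops from an assignment."""
        held = [d for d in self.records if d.delegatee == delegator and d.role == role]
        if not held:
            raise PermissionError(f"{delegator} does not hold {role}")
        depth = min(d.depth for d in held) + 1  # shortest path determines depth
        if depth > self.max_depth:
            raise PermissionError(f"delegation depth {depth} exceeds {self.max_depth}")
        self.records.append(Delegation(delegator, delegatee, role, depth))

    def revoke(self, delegator, delegatee, role, cascade=True):
        """Remove one delegation edge. With cascade=True, if the delegatee no
        longer holds the role by any path, everything it delegated onward for
        that role is revoked too (recursively). Returns edges removed."""
        keep = [d for d in self.records
                if not (d.delegator == delegator and d.delegatee == delegatee and d.role == role)]
        removed = len(self.records) - len(keep)
        self.records = keep
        if cascade and removed and not self.holds(delegatee, role):
            for d in [d for d in self.records if d.delegator == delegatee and d.role == role]:
                removed += self.revoke(delegatee, d.delegatee, role, cascade=True)
        return removed


def permitted(store, user, permission):
    """Authorization check honouring the role hierarchy."""
    return any(permission in ROLE_PERMISSIONS.get(r, ())
               for role in store.roles_of(user) for r in implied_roles(role))


def demo():
    """Walk through a two-hop chain, a rejected third hop, and both revocation styles."""
    out = {}
    store = DelegationStore(max_depth=2)
    store.assign("alice", "ProjectLead")
    store.delegate("alice", "bob", "ProjectLead")    # hop 1
    store.delegate("bob", "carol", "ProjectLead")    # hop 2
    try:
        store.delegate("carol", "dave", "ProjectLead")  # hop 3: beyond max_depth
        out["third_hop"] = "allowed"
    except PermissionError:
        out["third_hop"] = "rejected"
    out["carol_can_commit"] = permitted(store, "carol", "commit_code")  # via hierarchy
    # Non-cascading revocation: carol keeps what bob gave her.
    store.revoke("alice", "bob", "ProjectLead", cascade=False)
    out["carol_after_noncascade"] = permitted(store, "carol", "approve_release")
    # Re-delegate, then cascading revocation empties the whole chain below bob.
    store.delegate("alice", "bob", "ProjectLead")
    out["cascade_removed"] = store.revoke("alice", "bob", "ProjectLead", cascade=True)
    out["carol_after_cascade"] = permitted(store, "carol", "approve_release")
    out["alice_still_lead"] = permitted(store, "alice", "approve_release")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two revocation modes make the policy trade-off concrete: non-cascading revocation is what an administrator wants when only the direct relationship has changed, while cascading revocation is the safer default when the delegator's trust in the chain has ended, since otherwise rights survive below the revoked edge.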
Keywords/Search Tags: Delegation, RDM2000