● Problem statement ● Proposed solution ● Proposed product ● Product Features ● Web Service ● Delegation ● Revocation ● Report Generation ● XACML 3.0 ● Scope ● Progress ● Work Done
Access Right Delegation For Secure Group Information System In a large enterprise, security policy has many elements and many points of enforcements. Elements of policy may be managed by different departments within that enterprise. In Group centric Secure Information Systems, common language for expressing security policy makes it easier to share resources among different departments or different enterprises.
In a Group-centric Secure Information System (g-SIS) multiple groups need to collaborate and share each other’s sensitive resources. These groups may use different Access Control Models. Communication between different groups is not possible in g-SIS due to heterogeneous access control environment.
To make communication possible between groups having different ACMs we have to introduce an intermediate layer which will be provided by our System. So that various groups can delegate rights independent of their individual ACM’s.
XACML v3.0 Administration and Delegation Profile Version 1.0 Adding Support to XACML for Dynamic Delegation of Authority in Multiple Domains David W Chadwick, Sassa Otenko, and Tuan Anh Nguyen (Sep. 2011) eXtensible Access Control Markup Language (XACML) Version 3.0 (January 2013) User-to-User Delegation in a Federated Identity Environment Hong Qian Karen Lu SERVICE COMPUTATION 2011 : The Third International Conferences on Advanced Service Computing
This profile distinguishes XACML 2.0 from XACML 3.0 and discusses the enhancements which have been incorporated in the newer version. Furthermore it discusses in detail the dynamic delegation module, working of context handler and the formation of reduction graph and decisions taken on the basis of those reductions. Techniques for policy validation and back tracking are also discussed.
This paper discusses a way to add dynamic delegation to an authorization infrastructure containing XACML 2.0 PDP, without changing XACML 2.0 or its policy, this paper is concerned with dynamic delegation of authority from one user to another by the use of credentials. One important feature of a credential is that it requires validation before the user can be attributed with the asserted property. Problems in adding dynamic delegation to an authorization infrastructure Solution is to place Credential Validation Service on PDP
Functional Requirements “Generate” delegation policy as per XACML format for requested Resource “Revoke” delegated rights to users/groups/roles by deleting previously stored delegation policies “Generate” reports which can show the activities of Delegators and Delegatees within system
Non Functional Requirements Performance Requirements: Response time: Our framework will be able to withstand the stress and load balancing tests to confirm the number of requests that the PEP can process at any particular time. Decision accuracy: The accuracy of PDP must be ensured by testing it in different scenarios (data sets) against number of test cases. Security Requirements: If PDP is unable to find the applicable policy then it will be reliable enough to respond appropriately to the PEP server so that it may enforce the right decision. All the policies generated through PAP will preferably implement “Deny override algorithm” to avoid any unauthorized access.
The quality assurance of the system will be assured via unit testing of individual components (PDP, PAP and PEP) and system testing of complete system. The system will be available as an open source software on official web site of KTH-Applied Information Security lab. This system will be the intellectual property of Higher Education Commission Pakistan and National University of Sciences and Technology after is it deployed on web for public use. Well known MySQL or Oracle databases can be used for policy storage.
Literature review and initial report submission Analysis and selection of development platform (Java EE vs. Spring) Analysis and selection of database (My SQL or Oracle) Complete Documentation Software Requirement Specification Software Design Specification Comprehensive Final Year Product booklet
Development Responsive Interface Designing Phase Basic infrastructure development phase OR mapping phase Intra Group Access rights delegation module development Revocation of Access rights module development Report generation module development Inter Group Access rights delegation module development (same ACM) Inter Group Access rights delegation module development (Different ACM)
Comprehensive Testing Designing and Development of Test case scenarios Unit testing of individual components (PEP, PDP, PAP) Unit testing of ‘Delegation’, ‘Revocation’ and ‘Report Generation’ module Complete System testing
An innovative and efficient system which will be user friendly with desktop integration. It will use dynamic delegation to ensure inter/intra group Access Right Delegation. Our system will generate policy and store an XML file on a central PR and corresponding entries in database will be updated.
A well documented system, making future developments easier A system which will provide ease of access rights delegation for users