Title :
Delegation Assistance
Author :
Brucker, Achim D. ; Petritsch, Helmut ; Schaad, Andreas
Author_Institution :
SAP Res., Karlsruhe, Germany
Abstract :
Today´s IT systems typically comprise a fine-grained access control mechanism based on complex policies. The strict enforcement of these policies, at runtime, always contains the risk of hindering people in their regular work. An efficient support for assisted delegation can help in resolving the conflict between too tight access control and the required flexibility as well as support the resolution of conflicts. Here, assisted delegation means that, additional to denying the access, a user is informed about a list of users that could either grant him access to the requested resource or which could execute this task in behalf of the user. In this paper, we present an approach for determining a set of users which are able to resolve an access control conflict. This set is based on various information sources and are ordered with respect to different distance functions. We show that one distance function can be used to serve different types of contextual input, e.g., role hierarchies, geospatial information as well as shared business object structure data or social network graphs.
Keywords :
authorisation; IT system; business object structure data; delegation assistance; distance function; fine-grained access control mechanism; geospatial information; information sources; role hierarchies; security services; social network graph; Access control; Data security; Information security; Permission; Prototypes; Runtime; Social network services; System recovery; Usability; Writing; delegation and revocation; policy enforcement; security architecture; security services;
Conference_Titel :
Policies for Distributed Systems and Networks, 2009. POLICY 2009. IEEE International Symposium on
Conference_Location :
London
Print_ISBN :
978-0-7695-3742-9
Electronic_ISBN :
978-0-7695-3742-9
DOI :
10.1109/POLICY.2009.35
