Nagaratnam and Byrne [16] present a model for Internet user agents (browsers, tuners, etc.) to control access to client resources. This model protects client machines from hostile downloadable content and allows the client to selectively grant access to trusted agents. The authenticity of the code is based on digital signatures of principals certifying it. All access control requests are mediated by calling a security manager component and decisions are based on the user's access control specifications stored in the policy database.
The model is restricted to using the Javakey utility as an authentication mechanism based on public key digital signatures, while our model is general enough to use a variety of security mechanisms based on public or secret key cryptosystems.
Another disadvantage of that model is the duplication of common information. Each user has to maintain a database of any principals specified in the policy database and their public keys, as well as specification of groups. These databases should be properly protected. In contrast, PRM uses Kerberos to achieve strong authentication. The authentication database is maintained centrally by the KDC and stored on a physically secure machine. Our model also supports a group certification mechanism. A group server maintains and provides group membership information, and issues group membership and non-membership certificates. The certificates are placed into the GAA API security context and checked by the GAA API when making authorization decisions. There is no need for each user to maintain authentication and group specification databases locally.
Finally, this model can be applied only to browser-like (user agent) applications, while our model can deal with any kind of application.
The Generalized Access Control List framework described by Woo and Lam [5] presents a language-based approach for specifying authorization policies. The GACL model supports only system state-related restrictions within which rights are granted, such as the current system load or the maximum number of copies of a program to be run concurrently. This may not be sufficient for distributed applications. Our model allows fine-grained control over the restrictions.
Both restricted proxies [2] and the use-condition model [15] allow conditions and privilege attributes to be embedded in authorization credentials or certificates. These mechanisms can be readily integrated with the authorization model presented here: the restrictions or conditions carried in the proxy or certificate are evaluated by the GAA API in addition to the restrictions in the matching EACL entry.
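The following sketch is an added illustration, not GAA API code: it models how group membership and non-membership certificates in the security context and the restrictions carried in a credential could be combined with the restrictions of the matching EACL entry. All class and function names, the first-match rule, and the treatment of a non-membership certificate as overriding membership are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class GroupCert:            # issued by the group server (simplified)
    subject: str
    group: str
    is_member: bool         # False models a non-membership certificate

@dataclass
class Credential:           # restricted proxy or use-condition certificate
    grantee: str
    restrictions: list = field(default_factory=list)  # callables: ctx -> bool

@dataclass
class SecurityContext:      # what the application hands to the evaluator
    identity: str
    group_certs: list = field(default_factory=list)
    credentials: list = field(default_factory=list)

@dataclass
class EACLEntry:
    principal: str          # a user name, or "group:<name>"
    rights: set
    restrictions: list = field(default_factory=list)  # callables: ctx -> bool

def principal_matches(entry, sc):
    if not entry.principal.startswith("group:"):
        return entry.principal == sc.identity
    group = entry.principal[len("group:"):]
    certs = [c for c in sc.group_certs
             if c.subject == sc.identity and c.group == group]
    # Fail closed: no certificate, or any non-membership certificate, is no match.
    return bool(certs) and all(c.is_member for c in certs)

def check_authorization(eacl, sc, right, ctx):
    for entry in eacl:
        if right in entry.rights and principal_matches(entry, sc):
            conds = list(entry.restrictions)
            for cred in sc.credentials:
                if cred.grantee == sc.identity:
                    conds.extend(cred.restrictions)
            # Grant only if EACL and credential restrictions all hold.
            return all(cond(ctx) for cond in conds)
    return False            # no matching entry: deny

# Constructed sample policy and credentials.
EACL = [EACLEntry("group:operators", {"submit_job"}, [lambda c: c["load"] < 0.8])]
PROXY = Credential("alice", [lambda c: c["job_count"] <= 2])
ALICE = SecurityContext("alice", [GroupCert("alice", "operators", True)], [PROXY])
```

A request that satisfies the EACL restriction but violates the restriction embedded in the credential is denied, which is the conjunction the paragraph above describes.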
The CRISIS architecture [7] is a security system based on public key cryptography. Types of access in CRISIS ACLs are related to the type of protected object. CRISIS ACLs do not support specification of constraints placed on resources that principals are allowed to consume. Access requests to an object are mediated by contacting the object's reference monitor. Reference monitors are service-specific and implemented as separate modules. The emphasis of our work is on providing a general framework for representing security policies and facilitating authorization decisions for metacomputing applications. Our model provides a uniform authorization mechanism that is capable of supporting different operations and different kinds of protected objects.
The Tivoli Management Environment (TME 10) [14] is a commercially available security system that uses a role-based approach to security. TME roles are named capabilities, containing a list of objects and access permissions to those objects. Objects can have default access and can be associated with more than one role. Each role will have a different level of access to the object. Roles are defined to support a particular job function within an organization, e.g. customer support or management. Groups are assigned roles, thus giving members of those groups access capabilities to the objects assigned to those roles. The TME approach can be mapped to our framework.
TME lacks flexibility in supporting user-defined security policies. It has a fixed pre-defined set of object types and generic access permissions that are available on each object type.
In addition, the TME model requires creation of a new role to include each possible combination of objects and access rights. This becomes very cumbersome for systems where a large number of operations exist on various objects.