1.Introduction

The conventional concept of an Access Control List (ACL) has been the architectural foundation of many authorization mechanisms for some time. A typical ACL is associated with an object to be protected and enumerates the list of authorized users and their rights to access an object. Access rights are selected from a predefined fixed set built into the authorization mechanism. Specification of the subjects is bound to the particular security mechanism employed by the system. The limitations of the traditional access control model become apparent when it is applied in a heterogeneous, administratively decentralized, distributed system environment. The variety of services available on the Internet continues to increase and new classes of applications such as metacomputing, remote printing, and video conferencing are evolving. These applications will require interactions between entities across autonomous security domains. The generic traditional access rights may not be sufficient for some applications to express their authorization requirements. For example, a site might be willing to make its resources available to others limited to a maximum amount of CPU time and memory or based on a requirement of payment for the resources consumed. It is difficult to specify such security policies in terms of conventional ACLs. Specification of security policies for principals from multiple administrative domains poses additional problems:

• In a multipolicy environment, policy integration should incorporate the diverse authorization models that can coexist in a distributed system.
• The implementation will require integration of different sets of policies associated with the domain providing resources, the domain requesting resources and the individual users within each domain.
• There are multiple mechanisms for authentication of users in different domains. Therefore, there may be no single syntax for specification of principals.
• Administrators of each domain might use domain-specific policy syntax and heterogeneous implementations of the policies. Generalizing the way that applications define their security requirements provides the means for integration and translation of security policies across multiple authorization models.

This paper describes an authorization framework designed to meet these needs. Our framework is applicable for a wide range of systems and applications. It includes a flexible mechanism for security policy representation and provides the integration of local and distributed security policies. The system supports the common authorization requirements and provides the means for defining and integrating application or organization specific policies as well. We show how this mechanism can implement role-based access control, Clark-Wilson model, and lattice-based policies.

Our framework consists of two components, a policy language and the Generic Authorization and Access-control API.

• Policy language

  The language allows us to represent existing access control models (e.g. ACL, capability, lattice-based access controls) in a uniform and consistent manner. Authorization restrictions allow the administrator to define which operations are allowed, and under what conditions (e.g., user identity, group membership, or time of day). These restrictions may implement application-specific policies.

• Generic Authorization and Access-control API (GAA API)

  A common access control API facilitates the application integration of authentication and authorization. This API allows applications to request the authorization policy information for a particular resource and to evaluate this policy against credentials carried in the security context for the current connections. Applications invoke the GAA API functions to determine if a requested operation or set of operations was authorized or if additional checks are necessary.