GALT 031 Distributed Programmable Authorisation David Chadwick

GALT 032 X.812|ISO Access Control Framework ADF Initiator Target Submit Access Request Present Access Request Decision Request Decision AEF AEF = (Application dependent) Access control Enforcement Function ADF = (Application independent) Access control Decision Function

GALT 033 Policy Based Authorisation Today (based on ISO ) Authorisation Decision Request Authorisation Decision Application Access control Enforcement Function Initiator ADI Access Request ADI Target ADI Contextual Information Access Control Policy Rules Retained ADI ADF ADI=Access control Decision Information Example ADFs are Akenti, PERMIS, Cardea

GALT 034 Authorisation Today for Distributed Applications Standalone ADF AEF Decision Request Decision AEF Decision Request Decision Request Decision Common policy Distributed Application Site 1 Site 3 Site 2 Allows co-ordination, but bottleneck to performance

GALT 035 Authorisation Today for Distributed Applications ADF AEF Decision Request Decision AEF Decision Request Decision Request Decision Common policy ADF Distributed Application Site 1 Site 3 Site 2 Increased performance, but lacks co-ordination

GALT 036 Authorisation Tomorrow for Distributed Applications ADF AEF Decision Request Decision AEF Decision Request Decision Request Decision Site specific policy ADF Distributed Application Site 1 Site 3 Site 2 Co-ordination Performance and co-ordination

GALT 037 How ? By hierarchically decomposing distributed application authorisation policies into lower level site specific policies Policies comprise rules for subjects, targets, actions and conditions: Who can access what in which way and under what conditions Specify rules that say how targets and actions at the distributed application level are decomposed into targets and actions at the site specific level E.g. UserA can run distributed application X on the Grid using a maximum of 3 MB of storage, might hierarchically decompose into –UserA can read File F from site1 and search DB2 at site2 providing no more than 3MB of data are retrieved in total –UserA can run the data processing application at any site with spare capacity –UserA can write output to their home site

GALT 038 Proposed Methodology and Technology Specify rules in DAML/OIL/OWL for policy decomposition and produce an authorisation ontology Build a user friendly interface for policy/rule creation, based on a configurable ontology Use JTP from Stanford University, a DAML/OIL reasoning engine that can make inferences Build a reasoning compiler using the above that will read in the ontology and the application specific rules, and will produce site specific policies in XACML Build a secure policy distribution mechanism Build a co-ordination capability between either the site specific ADFs or a central co-ordinating ADF