1
Delegation of Authority
David Chadwick
d.w.chadwick@kent.ac.uk
2
Motivations
- To allow people to delegate roles to other people, so that they can perform tasks that were previously denied to them
- To ease the management of permissions through distribution and delegation, which aids scalability (as opposed to centralised control)
- To facilitate inter-organisation federations, by allowing one organisation to leverage the role allocations in another organisation and thereby give them access to their resources in a controlled manner
3
Assigning and Delegating Privileges in Organisations
[Diagram: Resource Owner assigns privilege to Privilege Holder; Privilege Holder delegates privilege to End User (Privilege Holder).]
- Resource Owner: “I authorise this Privilege Holder to use this resource in the following ways” (signed: The Resource Owner)
- Privilege Holder: “I delegate authority to this End User to use this resource in this limited way” (signed: The Privilege Holder)
4
The X.509 Delegation Service
[Diagram. Labels: Bill, Alice, Bob; SOA, AA, End Entity; Delegation Issuing Service (DIS); AC; Policy; Delegation Policy. Arrows: "Issues AC to" (three times); "Points to issuer"; "Points to holder"; "Points to Issued On Behalf Of".]
5
DIS Communications
[Diagram. Labels: DIS Web Service; DIS; Java; SSL or Shibboleth; Apache; Web browser; Web Service Interface.]
6
[Diagram. Labels: LDAP server; Authenticate; DIS Client; DIS PEP; IssueAC; Web service interface; publishAC; Map identities; Authn name; PERMIS RBAC; Credential Validation; PDP; Sign AC; Authzn name; DIS Web Service; Request Authorisation; Delegation Issuing Policy; Issuer’s AC.]
7
Demonstration
The DIS demo is available at https://issrg-testbed.cs.kent.ac.uk:8443/dis.html

Acknowledgement
This work was funded under the JISC DyVOSE project