
Delegation of Authority

David Chadwick d.w.chadwick@kent.ac.uk

Motivations
- To allow people to delegate roles to other people, so that they can perform tasks that were previously denied to them
- To ease the management of permissions through distribution and delegation, which aids scalability (as opposed to centralised control)
- To facilitate inter-organisation federations, by allowing one organisation to leverage the role allocations in another organisation and thereby give them access to their resources in a controlled manner

Assigning and Delegating Privileges in Organisations


[Figure: the Resource Owner assigns a privilege to a Privilege Holder ("I authorise this Privilege Holder to use this resource in the following ways", signed by the Resource Owner); the Privilege Holder in turn delegates a privilege to an End User ("I delegate authority to this End User to use this resource in this limited way", signed by the Privilege Holder), so the End User becomes a Privilege Holder as well.]

The X.509 Delegation Service


[Figure: the SOA (Bill) issues an AC to the AA (Alice); Alice issues an AC to the End Entity (Bob), either directly or by asking the Delegation Issuing Service (DIS) to issue it under a Delegation Policy. Each AC points to its holder and its issuer; an AC signed by the DIS also points to the AA it was Issued On Behalf Of.]

DIS Communications

[Figure: a web browser (over SSL or Shibboleth) or a DIS Java client talks to the DIS Web Service through its Web Service Interface, hosted in Apache.]

DIS Web Service

[Figure: request flow through the DIS Web Service interface: authenticate the DIS client (authentication name); map identities to an authorisation name; request credential validation from PERMIS RBAC against the policy and the issuer's AC; the DIS PEP asks the PDP for an authorisation decision (IssueAC) under the Delegation Issuing Policy; on permit, the DIS signs the AC and publishes it (publishAC) to the LDAP server.]
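As an added example (not code from the slides, and not PERMIS or DIS code), the following Python models the delegation chain shown on the X.509 Delegation Service slide together with the check the DIS makes before it signs an AC on an AA's behalf. The names Bill, Alice and Bob come from the slides; the policy rules (a role hierarchy, an authority flag and path-length limit modelled loosely on the X.509 basicAttConstraints extension), the DIS name `dis.example`, the extra users and every sample AC are assumptions made for the demonstration.

```python
"""Toy model of an X.509 attribute-certificate (AC) delegation chain and of the
check a Delegation Issuing Service (DIS) makes before signing an AC on behalf of
an Attribute Authority (AA). Added example: names and rules are assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Set


class DelegationError(Exception):
    """The AC cannot be traced back to the Source of Authority (SOA)."""


@dataclass(frozen=True)
class AttributeCert:
    holder: str                                # entity the privileges are assigned to
    issuer: str                                # entity that signed the AC (an AA or a DIS)
    roles: FrozenSet[str]                      # role attribute values carried by the AC
    issued_on_behalf_of: Optional[str] = None  # AA for whom a DIS signed (X.509 issuedOnBehalfOf)
    authority: bool = False                    # may the holder delegate onward? (assumed, cf. basicAttConstraints)
    path_len: Optional[int] = None             # further delegation hops allowed below the holder

    @property
    def delegator(self) -> str:
        return self.issued_on_behalf_of or self.issuer   # whose privileges this AC draws on


@dataclass
class DelegationPolicy:
    soa: str                        # Source of Authority: root of trust for the domain
    hierarchy: Dict[str, Set[str]]  # senior role -> directly junior roles
    trusted_dis: Set[str]           # services allowed to sign on an AA's behalf

    def dominates(self, senior: str, junior: str) -> bool:
        return senior == junior or any(self.dominates(r, junior)
                                       for r in self.hierarchy.get(senior, ()))

    def covers(self, held: FrozenSet[str], requested: FrozenSet[str]) -> bool:
        """Every requested role must be held, or be junior to a held role."""
        return all(any(self.dominates(h, r) for h in held) for r in requested)


def validate(ac: AttributeCert, store: List[AttributeCert], policy: DelegationPolicy,
             _visited: FrozenSet[str] = frozenset()) -> List[AttributeCert]:
    """Return [ac, delegator's AC, ..., AC issued by the SOA] or raise DelegationError."""
    if ac.issued_on_behalf_of is not None and ac.issuer not in policy.trusted_dis:
        raise DelegationError(f"{ac.issuer} is not a trusted DIS but signed for {ac.issued_on_behalf_of}")
    delegator = ac.delegator
    if delegator == policy.soa:
        return [ac]                                   # root of trust reached
    if delegator in _visited:
        raise DelegationError(f"delegation loop through {delegator}")
    reasons: List[str] = []
    for cand in (c for c in store if c.holder == delegator):
        try:
            chain = [ac] + validate(cand, store, policy, _visited | {delegator})
        except DelegationError as err:
            reasons.append(str(err))
            continue
        # The delegator's AC must allow onward delegation and dominate the delegated roles;
        # chain[i] has i ACs delegated below it, so each path_len must permit that depth.
        problem = (f"{delegator} holds no delegation authority" if not cand.authority
                   else f"{delegator} does not hold {sorted(ac.roles)}"
                   if not policy.covers(cand.roles, ac.roles)
                   else "path-length constraint exceeded"
                   if any(c.path_len is not None and c.path_len < i for i, c in enumerate(chain))
                   else None)
        if problem is None:
            return chain
        reasons.append(problem)
    raise DelegationError(f"no valid chain for {ac.holder}: "
                          + "; ".join(reasons or [f"{delegator} holds no AC"]))


def dis_issue(dis: str, aa: str, holder: str, roles: Iterable[str], store: List[AttributeCert],
              policy: DelegationPolicy, authority: bool = False) -> AttributeCert:
    """DIS: validate that `aa` may delegate `roles`, then sign and publish the AC."""
    ac = AttributeCert(holder, dis, frozenset(roles), issued_on_behalf_of=aa, authority=authority)
    validate(ac, store, policy)   # the DIS's PDP decision; raises if the policy refuses
    store.append(ac)              # publishAC: stands in for the LDAP server on the slides
    return ac


def run_demo() -> Dict[str, object]:
    """Constructed scenario: SOA Bill, AA Alice, end entity Bob, as on the slides."""
    dis = "dis.example"   # assumed DIS name
    policy = DelegationPolicy("Bill", {"ProjectManager": {"Researcher"}}, {dis})
    store = [AttributeCert("Alice", "Bill", frozenset({"ProjectManager"}), authority=True, path_len=1)]
    out: Dict[str, object] = {}
    bob = dis_issue(dis, "Alice", "Bob", {"Researcher"}, store, policy)
    out["bob_chain"] = [c.holder for c in validate(bob, store, policy)]
    dave = dis_issue(dis, "Alice", "Dave", {"Researcher"}, store, policy, authority=True)
    attempts = {
        "senior_role": lambda: dis_issue(dis, "Alice", "Carol", {"Admin"}, store, policy),
        "no_authority": lambda: dis_issue(dis, "Bob", "Carol", {"Researcher"}, store, policy),
        "path_len": lambda: dis_issue(dis, dave.holder, "Carol", {"Researcher"}, store, policy),
        "rogue_dis": lambda: validate(AttributeCert("Eve", "rogue", frozenset({"Researcher"}),
                                                    issued_on_behalf_of="Alice"), store, policy),
    }
    for name, attempt in attempts.items():
        try:
            attempt()
            out[name] = "issued"
        except DelegationError as err:
            out[name] = f"refused: {err}"
    return out
```

`run_demo()` issues Bob's AC through the DIS and then shows four refusals: delegating a role the AA does not hold, delegating from a holder whose AC carries no authority, exceeding the path-length limit set by the SOA, and an AC that claims to be issued on Alice's behalf by a signer that is not a trusted DIS. A real verifier would additionally check the signatures and validity periods of every AC in the chain, which this model omits.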

Demonstration
The DIS demo is available at https://issrg-testbed.cs.kent.ac.uk:8443/dis.html

Acknowledgement This work was funded under the JISC DyVOSE project
