Policy-Based Authorization

William R. Cook, Ph.D.
Allegis Corporation

February 14, 2003
11 a.m. - 12 noon
Fuller Labs 320

Abstract

With the advent of the Internet, more and more users are gaining access to large-scale systems containing sensitive information, including business plans, medical records, financial data, and project details. The users of these systems are participating in complex processes that frequently involve a mixture of collaboration, competition, selective sharing of information, and complex separation of duties. Existing authorization models do not allow application developers or security managers to effectively define and manage access to these kinds of complex and dynamic systems.

This talk presents a policy-based authorization model that supports fine- grained access control while limiting the overhead required in managing security. The system is based on a small domain-specific language for specifying authorization policies that enables concise and understandable descriptions of authorization behavior. The system has been implemented as a policy-enforcing reference monitor that controls access to an underlying relational database. The policies are combined using a high-level compositional query model and then compiled into SQL for efficient execution. The authorization system also has well-defined interfaces with workflow and user interface models, so that authorization policies can be configured independently of other system functions.

Host

Prof. Micha Hofri

Refreshments will be served in FL 320 beginning at 10:50 a.m.

Maintained by webmaster@wpi.edu
Last modified: Sep 27, 2006, 16:05 EDT