This paper presents a model for delegation based on partial orders, proposing the subclass relation in OWL as a way to represent the partial orders. Delegation and authorization decisions are made based on the context. In order to interact with the context, we define the Type of a credential as a way to introduce extra information regarding context constraints. When reasoning about delegation a...

Information systems of large enterprises experience a shift from an application-centric architecture towards a focus on process orientation and web services. The information system is opened to business partners to allow for self-management and seamless cross-enterprise process integration. Aiming at higher flexibility and lower costs, this strategy also produces great new challenges the securi...

Providing adequate access control is crucial for the proper execution of any Web Service (WS) orchestration. Typically, access rules and authorization constraints are defined for a WS orchestration and are resolved over an organizational model at runtime in order to find authorized users to perform orchestration tasks. As known from many practical studies, organizational models are frequently s...

Message processing can become unsecured resulting in unreliable business collaboration in terms of authorization policy conflicts, for example, when (1) incorrect role assignment or modification occurs in a partner’s services or (2) messages transferred from one organization are processed by unqualified roles in other collaborating business participants. Therefore, verification mechanism based ...

Access control is one of the most important technologies to guarantee computer security. A new model with support for valid time and usage constraint is described based on full analysis of flaws in existing models. In the new model, authorization rules can express access control policies completely and access constraints are necessary conditions to prevent authorization abuse. To solve the prob...

Role based access control has been widely used in security critical systems. Conventional role based access control is a passive model, which makes authorization decisions on requests, and the authorization decisions contain only information about whether the corresponding requests are authorised or not. One of the potential improvements for role based access control is the augmentation of obli...

We are interested in the design and evaluation of access control policies for virtual communities, in which an agent can be both a resource consumer as well as a resource provider, and authorization to access resources can be delegated to agents called authorities. We introduce a multiagent model that distinguishes the three roles of consumption, provision and authorization, and to evaluate the...

The era of massive surveys like LSST are driving the increasing necessity for astronomical research that is network-based and features remote data access and remote data analysis. With the development of the Virtual Observatory (VO) come the tools to make remote science easier. The VO community is large—thousands of potential users, and traditional authorization models based on individuals will...

Since the number of TeraGrid Science Gateways is expected to grow at least an order of magnitude in the next few years, a lightweight gateway deployment model is sought, one that facilitates growth but meets the security requirements of the TeraGrid. To this end, we present a new authorization model for science gateways based on the community account model. This authorization model significantl...