Towards Autonomous Administrations of Decentralized Authorization for Inter-domain Collaborations

Abstract

Inter-domain collaborations are composed of a series of tasks, whose run-time environment stretches over heterogeneous systems governed by different sets of policies. Though the collaborators are willing to share resources and knowledge to reach a set of common goals, they often desire to preserve control over their resources and prevent internal information from unnecessary disclosure. Thus, one of the major challenges in modeling a security policy for the inter-domain collaborations is allowing autonomous administration of internal resources and principals. In this paper, we present a conceptional framework called interactive RBAC (iRBAC), which builds a RBAC system for such inter-domain collaborations with an additional intermediate layer called interactive Roles (iRoles). Providing transparent linkage between actors in collaborations and domain specific local principals, this extra indirection not only enables autonomous policy administrations on user-role and role-permission assignments, but it also assists local principals in collaborators’ domains to be mapped in alignment to functional roles derived from collaborative process definitions. Challenges in building a RBAC system above domain boundaries such as preserving consistency properties and avoiding “role explosion” during user-role assignment are also discussed.