Identity Delegation in Policy Based Systems

Abstract

Policy based systems have received considerable attention in the recent past from academia as well as the industry. Research on policy based systems encompasses a gamut of areas such as: models and languages for policy based systems, policy standards, domain specific implementations, policy tools etc. However an important issue, which did not receive much attention from researchers, is that of access control for policy execution. In this paper we present the concept of "identity delegation" which involves finding the 'correct' users/ identities, to whom task of policy execution can be delegated. Policies are generally defined by high level business executives (policy authors) and are implemented by policy enforcers who have sufficient access rights on the underlying systems. Given the increasing complexity of enterprise systems, we show in this paper that finding the right policy enforcers for a policy can be a fairly non-trivial task. We address this important problem by proposing a unique concept of 'implicit identity delegation', whereby an autonomic system automatically figures out the correct policy enforcers and implicitly delegates the task of policy execution. We present the Implicit Identity Delegation architecture which boasts of an efficient technique for performing implicit identity delegation and uses a plugin based architecture ensuring its applicability and use in diverse domains.