In this paper we analyze the requirements access control mechanisms must fulfill in the context of group communication and define a framework for supporting fine-grained access control in client-server group communication systems. Our framework combines ro
3 A Policy Model for Access Control in Group Communication Systems
In this section, we study the requirements for specifying access control policies in GCS and propose a policy model for doing so. Our goal is to design a policy model that is flexible enough that it supports a diversified set of application policies. In addition, the policy model can be efficiently implemented by the GCS. The basic approach we use is as follows. For any group there is a set of basic operations that can be performed by principals (entities) based on their role, in a given context. The mapping between group operations and roles, in a given context, defines the access control policy for that group. This way, instead of having every individual application implement and enforce its own access control mechanisms, we have applications defining specific policies that are translated to the set of basic operations that the GCS is aware of and can enforce access control on.
The rest of this section is organized as follows. We begin by describing an example scenario and discussing the various possible access control policies in Section 3.1. In Section 3.2, we describe the group operations that are subjected to access control. We analyze the use of roles in group policies in Section 3.3. We present the policy model in Section 3.4. In Section 3.5 we describe how a policy specified in the model is enforced. We discuss the challenges in maintaining the policy, while dealing with dynamic membership, failures and network partitions in Section 4.
3.1 An Example Scenario
Consider a virtual-classroom application implemented using a GCS. Multiple courses exist in the application. Each course has multiple sessions, each of which is represented by a virtual classroom, implemented as a group. For each course, there are instructors (some courses may have more than one instructor), TA's, and students. A classroom should be created only by an authorized user; thus a policy controlling the creation of groups must exist before the creation of a group. We call such a policy a template policy. Each course has a template policy. Since template policies exist outside the context of any group and can be viewed as resources not specific to GCS, standard access control techniques are used to control the creation and modification of template policies. In the simplest case, only the GCS administrator is allowed to create or modify template policies.
A template policy determines, among other things, who can create a group based on the policy. One possible group creation rule is that only the instructors of a course are allowed to create a classroom for the course. An alternative rule is that a TA may also create a classroom. One may also allow the course instructor to delegate to another user, e.g., a guest lecturer, the authority to create a classroom.
After the classroom/group is created, a group policy needs to be created. A group policy can be created by copying the template policy. This group policy may then be tailored to suit the need of the current classroom session. Only authorized users should be allowed to change the group policy.
Various users may join the classroom in different roles, e.g., instructor, TA, student. Only authorized users should be allowed to join these roles. For joining as a student, different rules are desirable for different cases. Examples include: only students who are enrolled in the class may join, the instructor or the TA's can admit additional students in special cases, or only students who are connecting from certain IP addresses may join (e.g., when taking an exam).
Several kinds of communication may be going on simultaneously in the classroom, and they should be subjected to different access control rules. For example, communication can be public: lectures delivered by the instructor, public questions asked by a student and the answers to those questions by the instructor or another member of the classroom. Some classrooms may allow any student to freely ask questions. Communication can also be private: for example, students may be allowed to ask questions privately to the TA's, or submit their answers to a quiz given in class. The instructor may also be allowed to eject a student from the classroom.
We note that most of the above services are provided by a GCS, without any access control enforcement. For example, the Spread [8] group communication system allows for multicast (public) and unicast (private) communication within a group; it also allows for any member to be both a sender and a receiver and can distinguish between different types of messages, while providing different reliability and ordering communication services. In addition, confidentiality and integrity of the data are provided.
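The classroom scenario above, sketched as an added example (not code from the paper or from Spread): a policy maps each group operation to the roles allowed to perform it plus a rule over the request context, and a group policy is a tailored copy of the course template. All function, operation and rule names, the rosters and the addresses are assumptions made for illustration.

```python
import copy
import ipaddress

# Rules are predicates over a request context (dict). Every name here is
# hypothetical; none comes from the paper or from Spread.
def always(ctx):
    return True

def member_of(*keys):
    return lambda ctx: any(ctx["user"] in ctx[k] for k in keys)

def from_networks(*cidrs):
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda ctx: any(ipaddress.ip_address(ctx["ip"]) in n for n in nets)

def all_of(*rules):
    return lambda ctx: all(r(ctx) for r in rules)

# Template policy for one course: operation -> role -> rule.
TEMPLATE = {
    "create_group": {"instructor": member_of("instructors")},
    "modify_policy": {"instructor": always},
    "join": {"instructor": member_of("instructors"), "ta": member_of("tas"),
             "student": member_of("enrolled", "admitted")},
    "send_public": {"instructor": always, "ta": always, "student": always},
    "eject": {"instructor": always},
}

def allowed(policy, op, role, ctx):
    """Default deny: permit only if (op, role) maps to a rule that holds in ctx."""
    rule = policy.get(op, {}).get(role)
    return rule is not None and rule(ctx)

def new_group_policy(template):
    """A group policy starts as a copy of the course's template policy."""
    return copy.deepcopy(template)

def tailor(policy, actor_role, ctx, op, role, rule):
    """Changing a group policy is itself an access-controlled operation."""
    if not allowed(policy, "modify_policy", actor_role, ctx):
        raise PermissionError(f"modify_policy denied for role {actor_role!r}")
    policy.setdefault(op, {})[role] = rule

# Constructed course rosters; a request context adds "user" and "ip" to these.
COURSE = {"instructors": {"alice"}, "tas": {"bob"},
          "enrolled": {"carol"}, "admitted": set()}
```

For an exam session, an instructor could call `tailor(policy, "instructor", ctx, "join", "student", all_of(member_of("enrolled"), from_networks("10.1.0.0/16")))`; the change applies to that group's copy only, and the template keeps its original join rule.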
3.2 Operations in Groups
From the above scenario description, we can extract the sensitive operations that need access control. The following operations are not performed within the context of a group, they precede the group creation and