In this paper we analyze the requirements access control mechanisms must fulfill in the context of group communication and define a framework for supporting fine-grained access control in client-server group communication systems. Our framework combines ro
3. appoint another user to a role.
4. remove another user from a role.

We allow a client to drop a role at its will; however, the other three operations are subjected to access control.

The access control policy of the group defines the operations each role is allowed to carry out. In other words, a group access control policy maps each role to a set of operations. At any time, a user in a group plays a set of roles. When a user is about to perform an action, the roles that the user is playing are used to determine whether the action should be authorized or not. The roles and permissions that the application defines are mapped to system roles and operations a GCS is aware of and can enforce.
3.4 A Model for Access Control Policies in GCS
Clients must be authenticated before an access control policy is enforced. Several authentication mechanisms are commonly used. A GCS may provide a username/password based authentication mechanism or may use an external authentication system such as Kerberos [14, 18]. The client may connect with the server through TLS/SSL [1] with client authentication, in which case the client’s public key and X.509 [22] Distinguished Name are available. Another solution is having the client use certificates that document attributes of the clients, e.g., certificates in trust management systems such as RT.
The set of operations a client is allowed to carry out may depend on more than just the roles of the client; environmental factors may also have an effect. For example, a student may be allowed to attend a lecture if he/she is registered for the class and if the student joins the “class group” in a particular time frame; after the lecture has started, he/she cannot join the group. To accommodate the diversified authentication methods and the effect of environmental factors in access control, we introduce the notion of contexts. The GCS maintains a client context for each connected client and a group context for each group. A group context consists of a set of name/value pairs, in ways similar to Unix environmental variables. A group context provides environmental information such as current time and group state information (e.g., lecture has begun in a classroom). The client context is similar to a group context; it stores information specific to a client, such as the IP address from which the client is connecting and the result of authentication (e.g., authenticated attributes of the client).
The combination of roles and context can accommodate a wide range of applications with very diverse policy requirements. A description of our model of group access control policies, as well as an example policy, are presented in [19].
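The sketch below is an added example, not the policy model or code from the paper (that model is described in [19]). It shows a single server authorizing an operation from the roles a user plays plus the client and group contexts, using the lecture scenario above; the `Rule` and `GroupPolicy` types, the operation names, the context keys and the sample clients are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable

Context = dict  # name/value pairs, like Unix environment variables

@dataclass
class Rule:
    operation: str
    # Context condition; the default places no environmental restriction.
    condition: Callable[[Context, Context], bool] = lambda client, group: True

@dataclass
class GroupPolicy:
    roles: dict = field(default_factory=dict)  # role name -> list of Rule

    def authorize(self, user_roles, operation, client_ctx, group_ctx):
        """One server evaluates the user's roles plus both contexts."""
        if operation == "drop_role":  # a client may drop a role at will
            return True
        for role in user_roles:
            for rule in self.roles.get(role, []):  # unknown roles grant nothing
                if rule.operation == operation and rule.condition(client_ctx, group_ctx):
                    return True
        return False  # default deny

def student_may_join(client_ctx, group_ctx):
    # Registered for the class (authenticated attribute in the client context)
    # and the lecture has not started yet (state in the group context).
    registered = group_ctx["class_id"] in client_ctx.get("registered_classes", ())
    return registered and not group_ctx["lecture_started"]

# Constructed sample policy for the "class group" of the lecture example.
CLASS_POLICY = GroupPolicy(roles={
    "student": [Rule("join", student_may_join)],
    "lecturer": [Rule("join"), Rule("appoint_role"), Rule("remove_from_role")],
})

def decide_all():
    # Constructed contexts: same group before and after the lecture starts.
    before = {"class_id": "CS101", "lecture_started": False}
    after = {"class_id": "CS101", "lecture_started": True}
    alice = {"ip": "192.0.2.10", "registered_classes": {"CS101"}}
    bob = {"ip": "192.0.2.11", "registered_classes": set()}
    return {
        "alice_before": CLASS_POLICY.authorize({"student"}, "join", alice, before),
        "alice_late": CLASS_POLICY.authorize({"student"}, "join", alice, after),
        "bob_unregistered": CLASS_POLICY.authorize({"student"}, "join", bob, before),
        "student_appoints": CLASS_POLICY.authorize({"student"}, "appoint_role", alice, before),
        "lecturer_late": CLASS_POLICY.authorize({"lecturer"}, "join", alice, after),
    }
```

The same role yields different answers as the group context changes, and any role or operation missing from the policy falls through to deny.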
3.5 Enforcing Access Control in Group Communication Systems
When enforcing access control in GCS it is very important who is making the access control decision and who is enforcing it. Remember that we consider a client-server architecture, where service to clients (organized in groups) is provided by a set of servers. Many groups can exist in the system.

One solution is to have access control enforced by group members (clients). Although this approach seems appealing because in fact access control policies are group specific, it decreases the scalability of the system since each group must perform its own enforcement mechanism. Additionally, when access control is performed by clients, access restrictions such as dropping messages and requests at the receiver are more difficult to provide.

As clients are already trusting the servers for maintaining group membership and delivering and ordering correct information, the security model is not weakened by requiring the servers to also perform the access control enforcement, the potential benefit being increased scalability and more flexibility of the operations that can be enforced. Based on the group’s policy, servers must first reach a decision, if access is granted or not, and then enforce that decision. We distinguish between two general approaches:
local decision: only one server is required to make a decision. For example, when a client requests access to a group during a join operation, the server the client is connected to can make the access control decision locally based on the client’s role, group name and group policy and enforce it immediately.

distributed (collaborative) decision: the policy requires several servers to collaborate in order to reach a decision, by using for example a voting mechanism, such as a given percentage of group members of a certain role have to approve. This approach requires a complete view of all the members of all roles of a group, information available to the servers.

One fundamental question is how the application-specific access control policy translates into a policy that the GCS understands. This translation can be