
Delegation of Authority

David Chadwick
d.w.chadwick@kent.ac.uk
Motivations
• To allow people to delegate roles to other people, so that they can perform tasks that were previously denied to them
• To ease the management of permissions through distribution and delegation, which aids scalability (as opposed to centralised control)
• To facilitate inter-organisation federations, by allowing one organisation to leverage the role allocations in another organisation and thereby give them access to their resources in a controlled manner
Assigning and Delegating Privileges in Organisations

[Diagram: the Resource Owner assigns a privilege to the Privilege Holder with a statement signed by the Resource Owner, “I authorise this Privilege Holder to use this resource in the following ways”. The Privilege Holder then delegates the privilege to the End User with a statement signed by the Privilege Holder, “I delegate authority to this End User to use this resource in this limited way”, so the End User becomes a Privilege Holder in turn.]
The X.509 Delegation Service

[Diagram: SOA Bill issues an AC to AA Alice. Alice issues an AC to End Entity Bob, either directly or through the Delegation Issuing Service (DIS), which issues the AC on Alice's behalf subject to the Delegation Policy. Each AC points to its AC holder and to its issuer; an AC issued by the DIS additionally points to the entity it was Issued On Behalf Of.]
DIS Communications

[Diagram: a web browser reaches the DIS Web Service over SSL or via Shibboleth; Apache fronts a Java Web Service Interface, which calls the DIS.]
DIS Web Service

[Diagram of the DIS Web Service internals: the web service interface authenticates the DIS client, maps identities (authentication name to authorisation name) and sends a Credential Validation Request to the PERMIS RBAC PDP, which checks it against the Issuer's Policy; the DIS Authorisation PEP applies the Delegation Issuing Policy; IssueAC then signs the AC and publishAC stores it in the LDAP server.]
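The holder/issuer pointers, the "issued on behalf of" link and the delegation policy from the X.509 Delegation Service slide, together with the credential validation step of the DIS Web Service, are what a relying party must check before trusting a delegated AC. The following is an added example written for this page, not PERMIS or DIS code: a simplified chain validator over constructed ACs for Bill, Alice and Bob. Signature verification is assumed to have been done already; the role names, the policy fields and the "DIS" issuer name are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class AttributeCert:  # simplified X.509 AC: holder, signer, and the roles it carries
    holder: str
    issuer: str
    roles: FrozenSet[str]
    on_behalf_of: Optional[str] = None  # set when a DIS issued it for a delegator

@dataclass(frozen=True)
class DelegationPolicy:  # constructed stand-in for the AA's delegation policy
    trusted_soas: FrozenSet[str]     # roots of trust for a chain
    trusted_dis: FrozenSet[str]      # services allowed to issue on behalf of others
    delegable_roles: FrozenSet[str]  # roles a holder may pass on
    max_depth: int                   # delegation hops allowed below the SOA

def validate_chain(chain: List[AttributeCert], policy: DelegationPolicy) -> FrozenSet[str]:
    """Walk the chain SOA-first and return the roles the last holder may use.

    Signatures are assumed already verified; this checks the holder/issuer
    pointers, the on-behalf-of rule, the subset rule and the policy limits.
    """
    if not chain:
        raise ValueError("empty chain")
    root = chain[0]
    if root.issuer not in policy.trusted_soas or root.on_behalf_of is not None:
        raise ValueError("chain must start with an AC issued directly by a trusted SOA")
    if len(chain) - 1 > policy.max_depth:
        raise ValueError("delegation depth exceeds policy")
    prev = root
    for ac in chain[1:]:
        # A DIS may sign the AC, but the privilege must come from the delegator it acts for.
        delegator = ac.on_behalf_of or ac.issuer
        if ac.on_behalf_of is not None and ac.issuer not in policy.trusted_dis:
            raise ValueError(f"{ac.issuer} is not a trusted DIS")
        if delegator != prev.holder:
            raise ValueError("issuer pointer does not lead back to the previous holder")
        if not ac.roles <= prev.roles:
            raise ValueError("delegated roles exceed the delegator's own roles")
        if not ac.roles <= policy.delegable_roles:
            raise ValueError("policy does not allow these roles to be delegated")
        prev = ac
    return prev.roles

# Constructed sample: SOA Bill assigns roles to Alice; the DIS then issues to Bob on Alice's behalf.
POLICY = DelegationPolicy(trusted_soas=frozenset({"Bill"}), trusted_dis=frozenset({"DIS"}),
                          delegable_roles=frozenset({"project_manager"}), max_depth=1)
ALICE_AC = AttributeCert("Alice", "Bill", frozenset({"project_manager", "auditor"}))
BOB_AC = AttributeCert("Bob", "DIS", frozenset({"project_manager"}), on_behalf_of="Alice")
```

`validate_chain([ALICE_AC, BOB_AC], POLICY)` returns Bob's usable roles; an AC that is signed by something other than the trusted DIS while claiming to act for Alice, that carries roles Alice does not hold, that carries a role the policy does not allow to be delegated, or that sits deeper than `max_depth` is rejected.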
Demonstration
• The DIS demo is available at https://issrg-testbed.cs.kent.ac.uk:8443/dis.html

Acknowledgement
This work was funded under the JISC DyVOSE project.
