An authorizationmodel for federated systems

摘要

We present an authorization model for federated systems based on a tightly coupled architecture. The model supports authorizations to build and maintain the federation as well as authorizations to access the federated data. At each component site owners declear the objects they wish to export and the access modes executable on them by users of the federation. Inclusion of objects into the federation requires their subsequent import by the federation administrator. Different degrees of authorization autonomy are supported, whereby users can retain or delegate the federation administrator the task of specifying authorizations. A site can require to authenticate the user at each access or accept his identity as comunicated by the federation. An access control algorithm describing controls to be enforced at the federation and at each local site under the different authentication and administrative options is presented.