A graph theoretic approach to authorization delegation and conflict resolution in decentralised systems

摘要

The problem of resolving conflicts in delegated authorizations has not been systematically addressed by researchers. In (Ruan and Varadharajan in Proceedings of the 7th Australasian Conference on Information Security and Privacy, pp. 271-285, 2002) we proposed a graph based framework that supports authorization delegation and conflict resolution. In this paper, we have extended the model to allow grantors of delegations to express degrees of certainties about their delegations and grants of authorizations. This expression of certainty gives the subjects (e.g. users) more flexibility to control their delegations of access rights. We propose a new conflict resolution policy based on weighted lengths of authorization paths. This policy provides a greater degree of flexibility in that it enables to specify and analyse the effect of predecessor-successor relationship as well as the weights of authorizations on the conflicts. We present a detailed algorithm to evaluate authorization delegations and conflict resolutions. The correctness proof and time complexity of the algorithm are also provided. Since in a dynamic environment, the authorization state is not static, we have considered how authorization state changes occur and have developed an algorithm to analyse authorization state transformations and given correctness proofs. Finally, we discuss how to achieve a global decision policy from local authorization policies in a distributed environment. Three integration models based on the degrees of node autonomy are proposed, and different strategies of integrating the local policies into the global policies in each model are systematically discussed.