A credential-based approach for facilitating automatic resource sharing among ad-hoc dynamic coalitions

Abstract

Today, there is an increasing need for dynamic, efficient and secure sharing of resources among organizations. In a dynamic coalition environment, participants (including users and systems) of an organization may need to gain access quickly to resources of other organizations in an unplanned manner to accomplish the task at hand. Typically, when entities agree to share their information resources, the access control policies are agreed upon at the coalition level. These coalition level agreements are not at the level of fine-grained policies, in the sense that they do not specify which specific users can access which data object. In this paper, we propose a dynamic coalition-based access control (DCBAC) model that allows automatic access to resources of one coalition entity by users from another coalition entity. To make the model applicable to true ad-hoc dynamic coalitions, we employ a coalition service registry, where coalition entities publicize their coalition level access policies. Any coalition entity wishing to access a specific resource of another coalition entity can obtain a ticket by submitting its entity credentials which are subsequently evaluated by the coalition service registry. DCBAC employs a policy mapper layer that computes the exact credentials required by remote users that are comparable to those required by local users. We demonstrate how the coalition and resource level access policies can be specified in XML-based languages and evaluated. © IFIP International Federation for Information Processing 2005.