A mechanism to make authorization decisions in open distributed environments without complete policy information

Abstract

To enable an open Grid environment to support organized resource sharing between multiple heterogeneous Virtual Organizations (VOs), we need to tackle the challenges of dynamic membership of VOs and trust relationships between the VOs. We propose a Dynamic Policy Management Framework (DPMF), a Conflict Analysis with Partial Information (CAPI) mechanism, and a heterogeneous authorization policy management mechanism to resolve the problems. DPMF groups VOs deploying the same model of authorization systems together to form a virtual cluster. Policy management is divided into inter-cluster heterogeneous policy management, and intra-cluster homogeneous policy management. In an open Grid environment, some VOs may prefer to keep their policy information private. The Conflict Analysis with Partial Information (CAPI) mechanism is developed to provide an approach of policy conflict analysis in open environments without complete policy information. The basis of CAPI is to generate substitution policies to replace the unknown policy information. © Springer-Verlag Berlin Heidelberg 2006.