Delegation

Delegation is a new mechanism in XACML 3.0 that supports decentralized administration of access policies. It allows an authority (the delegator) to delegate all or part of its authority to another user (the delegate) without involving the central IT administration. The delegate can in turn delegate the received authorization further, either in full or constrained to a subset of the original authorization. In this delegation model, the right to delegate is kept separate from the access rights themselves: delegation rights are expressed in administrative control policies [1], which can be targeted in the same way as access control policies. Access control and administrative policies work together as in the following scenario:
The many services of a partnership of companies are protected by a single access control system. The system implements the following central rules to protect its resources and to allow delegations:
When a consultant joins the corporation, the consultant's supervisor can issue a delegation locally, granting the consultant access to the systems directly. The delegator (the supervisor in this scenario) may itself only be entitled to delegate a limited set of access rights to consultants. Using delegations you can:
The following image illustrates the problems that can arise without the use of delegations:

[1] XACML v3.0 Administrative Policy Version 1.0.
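The scenario above as an added, simplified model (this is not XACML policy syntax, not Axiomatics code and not the OASIS profile's algorithm; the user names, resources and the chaining rule are constructed for illustration): an access policy issued by a delegator is honoured for a requested right only if a chain of administrative policies covering that right leads back to the central, trusted issuer. That is what bounds the consultant's effective access to what the supervisor was allowed to delegate, and what lets a delegate pass on a subset further down.

```python
"""Toy model of XACML 3.0 delegation: access policies issued by delegators are
honoured only when a chain of administrative policies leads back to the trusted
(central) issuer.  Added example; not XACML syntax and not Axiomatics code."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

Right = Tuple[str, str]          # (resource, action), e.g. ("ticketing", "write")
TRUSTED = None                   # issuer value standing for the central IT administration


@dataclass(frozen=True)
class Policy:
    issuer: Optional[str]        # TRUSTED, or the user who issued (delegated) this policy
    kind: str                    # "access" grants rights; "admin" grants the right to delegate
    grantee: str                 # access: the subject; admin: the delegate
    rights: FrozenSet[Right]     # access: what the subject may do; admin: what the delegate may grant


def access_policy(issuer: Optional[str], subject: str, rights: Iterable[Right]) -> Policy:
    return Policy(issuer, "access", subject, frozenset(rights))


def admin_policy(issuer: Optional[str], delegate: str, rights: Iterable[Right]) -> Policy:
    return Policy(issuer, "admin", delegate, frozenset(rights))


def issuer_authorized(policies: List[Policy], issuer: Optional[str], right: Right,
                      visited: FrozenSet[str] = frozenset()) -> bool:
    """Reduction step: may `issuer` grant `right`?  The trusted issuer always may.
    Anyone else needs an admin policy naming them as delegate that covers the right,
    issued by someone who is in turn authorized.  `visited` breaks delegation cycles."""
    if issuer is TRUSTED:
        return True
    if issuer in visited:
        return False
    visited = visited | {issuer}
    for p in policies:
        if p.kind == "admin" and p.grantee == issuer and right in p.rights:
            if issuer_authorized(policies, p.issuer, right, visited):
                return True
    return False


def decide(policies: List[Policy], subject: str, resource: str, action: str) -> str:
    """Permit if some access policy grants (resource, action) to subject AND the issuer's
    authority for that right reduces to the trusted issuer; otherwise Deny."""
    right = (resource, action)
    for p in policies:
        if p.kind == "access" and p.grantee == subject and right in p.rights:
            if issuer_authorized(policies, p.issuer, right):
                return "Permit"
    return "Deny"


# Constructed scenario (hypothetical users and resources).
POLICIES = [
    # Central rule: supervisor alice may delegate exactly these rights to others.
    admin_policy(TRUSTED, "alice", [("hr-db", "read"), ("ticketing", "read"), ("ticketing", "write")]),
    # alice grants consultant bob access locally; "payroll" lies outside her authority.
    access_policy("alice", "bob", [("hr-db", "read"), ("ticketing", "write"), ("payroll", "read")]),
    # alice delegates further: team lead carol may grant ticketing read (a subset of alice's rights).
    admin_policy("alice", "carol", [("ticketing", "read")]),
    # carol grants consultant dave; ticketing write exceeds what carol may delegate.
    access_policy("carol", "dave", [("ticketing", "read"), ("ticketing", "write")]),
    # eve and frank vouch for each other, but neither chains back to the trusted issuer.
    admin_policy("eve", "frank", [("hr-db", "read")]),
    admin_policy("frank", "eve", [("hr-db", "read")]),
    access_policy("frank", "mallory", [("hr-db", "read")]),
]


def run_scenario() -> dict:
    requests = [("bob", "hr-db", "read"), ("bob", "payroll", "read"),
                ("dave", "ticketing", "read"), ("dave", "ticketing", "write"),
                ("mallory", "hr-db", "read")]
    return {r: decide(POLICIES, *r) for r in requests}


if __name__ == "__main__":
    for req, outcome in run_scenario().items():
        print(req, "->", outcome)
```

In the model, bob's payroll access and dave's ticketing write are denied even though a policy grants them, because the issuer never had that authority to give away; mallory is denied because eve and frank only authorize each other. The real XACML 3.0 profile does this reduction by evaluating administrative requests against the policy set, where a policy without a PolicyIssuer is treated as coming from the trusted issuer, rather than by comparing right tuples as the toy does.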
Axiomatics AB, Electrum 223, 164 40 Kista, Sweden, +46(0)70 229 07 01,