XL Li,ZW Xu,XW Liu,N Yang

DOI: https://doi.org/10.1109/wi.2003.1241240

2003-01-01

Abstract:It is a challenge to integrate and share resources securely across multiple autonomous administrative domains environment. We introduce the community-based model of vega enterprise information grid and its operation mechanism. The individuals and/or institutes forming different communities can not only implement diverse policies and autonomous management of resource sharing without any impact on the other communities, but also achieve a globally shared goal. Based on the model, the access control technique, including framework and uniform formalizing, is presented in detail. The static or dynamic role binding is used for entitling user's request for accessing resources within or across communities, which ensures a globally unified view for user. A prototype describes how these techniques are useful in building an enterprise information grid. The evaluation and future continuing works are presented in the conclusion.

Qinghuai Zeng,Changqin Huang,Deren Chen,Hualiang Hu

DOI: https://doi.org/10.1109/CACWD.2004.1349224

2004-01-01

Abstract:In grid environments, the dynamic and multi-institutional nature introduces challenging security issues. In this paper, we propose subtask-based authorization service (SAS) architecture to fully secure a type of application oriented to engineering and scientific computing. We minimize privileges for task by decomposing the parallel task and re-allotting the privileges required for each subtask. Community authorization module describes and applies community policies of resource permission and privilege for resource usage or task management. It separates proxy credentials from identity credentials. We adopt a relevant policy and task management delegation to describe rules for task management. The ultimate privileges are formed by the combination of relevant proxy credential, subtask-level privilege certificate and community policy for this user, as well as they conform to resource policy. To enforce the architecture, we extend the RSL specification and the proxy certificate, modify Globus' gatekeeper, jobmanager and the GASS library to allow authorization callouts, and evaluate the user's job management requests and job's resource request in the context of policies.

Changqin Huang,Guanghua Song,Yao Zheng,Deren Chen

DOI: https://doi.org/10.1007/978-3-540-30102-8_39

2004-01-01

Abstract:Large-scale scientific and engineering computation is normally accomplished through the interaction of collaborating groups and diverse heterogeneous resources. Grid computing is emerging as an applicable paradigm, whilst, there is a critical challenge of authorization in the grid infrastructure. This paper proposes a Parallelized Subtask-level Authorization Service architecture (PSAS) based on the least privilege principle, and presents a context-aware authorization approach and a flexible task management mechanism. The minimization of the privileges is conducted by decomposing the parallelizable task and re-allotting the privileges required for each subtask. The dynamic authorization is carried out by constructing a multi-value community policy and adaptively transiting the mapping. Besides applying a relevant management policy, a delegation mechanism collaboratively performs the authorization delegation for task management. In the enforcement mechanisms involved, the authors have extended the RSL specification and the proxy certificate, and have modified the Globus gatekeeper, jobmanager and the GASS library to allow authorization callouts. Therefore the authorization requirement of an application is effectively met in the presented architecture.

Xiyuan Chen,Miaoliang Zhu

DOI: https://doi.org/10.4028/www.scientific.net/kem.439-440.178

2010-01-01

Abstract:Semantic; Trust Management; RBAC; User-role Assignment Abstract. The application of RBAC in access management of the enterprise services and resources is very widely. With phenomenal growth of information interaction and cooperation between distributed systems, the number of users can be in the hundreds of thousands or millions. This renders manual user-to-role assignment a formidable task. In this paper, we propose a semantic and trust based framework to automatically assign users to roles based on a finite set of assignment rules defined by authorized people in the enterprise. These rules take into consideration the attributes users own and any constraints set forth by the enterprise including the assignment history and the credit of the requester. We choose OWL to specify the user attributes.

Victor L. Winter,Azamat MametJanov,Steven E. Morrison,James A. Mccoy,Gregory L. Wickstrom

DOI: https://doi.org/10.1109/hase.2007.29

2007-01-01

Abstract:With the increasing complexity of dynamic and collaborative computing environments in grid, security management has become a critical factor. Although several approaches have been proposed, fully decentralized and efficient authorization management is still a challenging problem. We propose an access control scheme based on a group-based RBAC model for grid computing environments. By separating the administrations of users by VO level policies and permissions by resource or service provider policies, our scheme provides decentralized, autonomous, and fine-grained security management which fits the dynamic environment of grids, and can support ad-hoc collaborations. We implement a proof-of-concept prototype system by enhancing the access control module in grid file system (GFS) and specifying different levels of policies with XACML.

HL Hu,D Chen,CQ Huang

DOI: https://doi.org/10.1007/11428862_31

2005-01-01

Abstract:The open and anonymous of grid make the task of controlling access to sharing information more difficult, which cannot be addressed by traditional access control methods. In this paper, we identify access control requirements in such environments and propose a trust based access control framework for grid resource sharing. The framework is an integrated solution involving aspects of trust and recommendation models, based the discretionary access control (DAC), and are applied to grid resource-sharing systems. In this paper, we integrate technology of web services into idea of trust for describing resources.

Zhiwen Zou,Changqian Chen,Shiguang Ju,Jiming Chen

DOI: https://doi.org/10.1007/978-3-642-12189-0_26

2010-01-01

Abstract:The Spatial Role-Based Access Control (SRBAC) model was discussed in this paper. Firstly, the formal definition of SRBAC Model was given; then the region coverage constraint of spatial object, duration constraint of spatial object, various spatial object separations of duty constraints and spatial object cardinality constraint of role activation were researched; after extending the traditional session, the strategy of eliminating the conflictive session was presented; Finally, the role hierarchy has been discussed under the spatial environment. Combined with practical application, the theory of secure DBMS was optimized and afforded to build the stricter system.

Jie Jiang,TieMing Chen,Bo Chen,Limin Jin,Deren Chen

2008-01-01

Abstract:In order to solve the security problems introduced by the dynamic characteristics of grid services in authentication and authorization, a security services access platform based on Grid Security Infrastructure is proposed, which can provide the security grid services including the single sign-on and unified authentication and dynamic authorization. In this platform, a self-signed proxy certificate technique and improved context-constrains role based access control mechanism are deployed. The application in Country Emergency Response Grid Service System shows that the proposed platform can satisfy the need of security for grid services access through the grid portal.

Yl Jiang,Bs Liao,Y Liu,J Hu

DOI: https://doi.org/10.1007/978-3-540-30483-8_2

2004-01-01

Abstract:Traditional methods for authorization within Grid computing have many shortcomings. Firstly, the enrolments of users and services into the server are done manually, which is not adaptable to the dynamic environment where the service providers and service consumers join or leave dynamically. Secondly, the authorization policy language is not expressive enough to represent more complex policies, and can't resolve the problem of semantic inconsistency between different parties who treat the same policy. This paper takes advantage of characteristics of intelligent agent such as autonomy, proactivity, and sociality, to treat with the authorization issues, including automated registrations and management of agents (service providers and service consumers), autonomous authentication and authorization based on policies, etc. On the other hand, an ontology-based content-explicit policy modeling framework is presented, which resolves the semantic inconsistency problem among different parties.

B Xie,XL Gui,YN Li,DP Qian

DOI: https://doi.org/10.1007/978-3-540-30208-7_124

2004-01-01

Abstract:In this paper, a new Grid security framework based on dynamic access control is introduced to address some security problem in Grid. Based on the dynamic evaluating results about trusts among resources and users, users secure access levels are changed dynamically. The track of users behaviors using resources is criterion for assigning secure levels to different users and for allocating the resources to users in the next application execution. Here, the dynamic access controls are realized by mapping users secure levels to access rights. In our experiment Grid, the evaluation mechanism of users behaviors is applied to support the dynamic access control to Grid resources.

Haidong Xiao,Jianhua Li

DOI: https://doi.org/10.1109/AICT-ICIW.2006.164

2006-01-01

Abstract:Semantic Grid is an extension of the current Grid which is hot and active research domain in grid computing. This paper has largely focused on the interoperability with semantic grid security include performance, scalability, and standardization. Knowledge base security architecture and grid security meaning space provide a promising approach to make grid security technologies and solutions based on knowledge smarter, more flexible, scaleable and adaptable.

Menglong Yan,Yong Gao,Lun Wu,Pengfei Wu,Yong Zhao,Yixian Sun

DOI: https://doi.org/10.1109/geoinformatics.2009.5293537

2009-01-01

Abstract:A spatial data access control model in grid environment was proposed base on Globus Security Infrastructure (GSI). Firstly, A spatial datasets sharing framework was built up by Monitor and Discover Service (MDS), and then a common control model was proposed to realize spatial data access control. In this model, every user was mapped to a given role, and every role had a unique digital certificate to distinguish its identification, then every role had the given permission to access the resources. Moreover, a further designed model was proposed to control the role's accessibility of rectangle in given spatial datasets. Two scenarios were put forward to control spatial data access between different organizations. The first was that all of the organizations shared the same roles, and then the organization realized self-control by enduing different roles with different rights. While the second was that every organization had its own users, roles and resource controls, and then the self-control was enhanced. The model was implemented by Globus Toolkits (GT), and experiment results illustrated that the proposed model could control the spatial data access effectively in a grid environment.

Yiduo Mei,Xiaoshe Dong,Weiguo Wu,Shangyuan Guan,Jing Xu

DOI: https://doi.org/10.1109/cis.workshops.2007.198

2007-01-01

Abstract:The dynamic and multi-institutional nature of the grid environments introduces challenging security issues that demand new technical approaches. But traditional access control models consider static authorization decisions based on subjects' pre-assigned permissions on target objects and focus on a closed system, therefore, they are not suitable for the dynamic grid environments. To address the above problems, we propose UCGS, a novel usage control approach for grid services. Our approach is inspired by the Usage Control Model (UCON). UCGS improves the security of the grid services by employing a continuous usage control of the grid services, monitoring the behavior of the subjects. It enables richer and finer-grained control over authorization and usage of grid services and resources than that of traditional access control models. "Blacklist", "unilateral contract" and "arbitrator" are introduced in UCGS to guarantee that a subject can not deny its obligations after service is complete, which contributes to maintain the normal order of the grid environments and the security and interests of the service providers.

Yi Zhao,Xia Wang

DOI: https://doi.org/10.1007/978-3-642-24806-1_26

2012-01-01

Abstract:As the Semantic Web has been applied in the Web Services to integrate data across different applications with the increasing development of the Semantic Web technologies, it is essential to maintain the security of the organizations involved in the Semantic Web Services. Security is a crucial concern for commercial and mission critical applications in Web-based environments. To guarantee the security of the web services, security measures must be considered to protect against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional. Access control is a kind of security measurements to guarantee the service processes, which is defined to allow resource owners to define, manage, and enforce the access conditions for each resource. In this paper, an ontological concept similarity algorithm is first proposed taking multiple concept relations into consideration. Then, an attribute based access control model based on the semantic similarity (SABAC, for short) is proposed to specify access control over attributes defined in domain ontologies. An experimental prototype and detailed empirical discussions are presented, and the method is validated in the framework of web service selection.

Shaohua Tang,Sunan Shen

2009-01-01

Abstract:Due to computing grid's large scale, distributed and dynamic nature, the security issues around grid applications are more pervasive than computer network in general and thus call for more complicated solutions. In order to solve key problems such as security mechanism integration in heterogeneous grid, identity authentication and trust delegation, a cross-domain authentication and authorization model based on role translation and delegation is proposed. This model allows the establishment of trust among heterogeneous domains via certain protocols so that resource sharing across grid domains becomes possible. After a user logins to a local grid domain, its role in the local domain is mapped to a role in resource domain by using RBAC based role translation. This removes the need for cross-domain user logins while they are accessing resources across different domains, which results in much higher efficiency. The use of Security Assertion Markup Language (SAML) based delegation for transferring user privileges enables submitting operation by delegation assertion and the cross-domain federation is done automatically. This can greatly reduce users' manual involvement.

Kewei Wei,Ming Zhang,Yaping Zhu

DOI: https://doi.org/10.1007/11590354_18

2005-01-01

Abstract:Metadata is the information that describes the most important feature of an object. In recent years, metadata plays a more and more important role in data intensive applications. In this paper, we propose a semantic metadata catalog service, Semantic MCS. Semantic MCS has a well-organized data management model and supports the query mechanism using Ontology inference. Furthermore, we discuss the main problems that we met in real Grid applications. We propose a framework of metadata interoperation to resolve the problem of the services interoperability. And we propose a dynamic framework for metadata management for the rapid changing metadata in Grid.

PEI Yanqin,YANG Shoubao,FANG Xiangming,GUO Leitao

DOI: https://doi.org/10.3969/j.issn.1000-3428.2007.01.059

2007-01-01

Abstract:A new access control model based on security assertion markup language(SAML) is added to campus grid system.Workflow of access control and the authorization service are discussed.The attribute-based access control policy and the security assertion mapping solution are also adopted in this system.It integrates with the portal,which is in charge of the interface between resource consumers and resource providers.It shows more flexibility and reliability.

Zhaohui Wu,Yuxin Mao,Huajun Chen

DOI: https://doi.org/10.1109/SCC.2004.1358022

2004-01-01

Abstract:The grid technology is expected to have the ability of resolving the problem of large-scale information resources sharing in virtual organizations, which deliver a number of grid services to publish large-scale information to end-users. We propose an intelligent client to grid services, which manipulate information resources at semantic level and provides end-users with a universal and intuitive semantic view for various grid services. With a series of semantic plug-ins in semantic browser, end-users can gain richer interaction with grid services and resolve complex domain problems in a more intuitive and friendly environment.

Tao Peng,Minghua Jiang,Ming Hu

DOI: https://doi.org/10.1109/iih-msp.2008.310

2008-01-01

Abstract:In a dynamic coalition environment, organizations should be able to exercise their own local fine-grained access control policies while sharing resources with external entities. At the same time, the status of XML as a standard for storing and exchanging data in Internet and XML documents is becoming a de facto standard for storing and exchanging information. So, access control of XML documents is a key in dynamic coalition environment. In this paper, we propose an approach that exploits the semantics associated with subject and information in XML documents to facilitate automatic access control policies while resource sharing occurs among coalition members. Our approach relies on identifying the necessary attributes required by users to gain access to specific XML documents information. Specifically, it consists of extracting user attribute sets that semantically mach with the attributes of the information in XML documents. This relies on a closer examination of why a user is assigned a specific role.

Qi Gao,Huajun Chen,Zhaohui Wu,Weiming Lin

DOI: https://doi.org/10.1007/978-3-540-24680-0_118

2004-01-01

Abstract:Based on Semantic Web technology and OGSA architecture, we propose a Semantic Rule Service Model to enable intelligence on grid. In this model, we regard rules and inference engines as resources, and employ rule base services and inference services to encapsulate them to do inference on ontology knowledge. With the support of OGSA architecture, we organize the services as grid services in order to support the dynamic discovery and invocation of the rules and inference engines. The function of this model is to provide intelligent support to other grid services and software agents. In addition, we illustrate the application of this model in an application of the Traditional Chinese Medicine (TCM) system.