Knowledge Resource Center for Ecological Environment in Arid Area
DOI | 10.1002/spe.511
Title | Access control and trust in the use of widely distributed services
Authors | Bacon, J; Moody, K; Yao, W
Corresponding author | Bacon, J
Source journal | SOFTWARE-PRACTICE & EXPERIENCE
ISSN | 0038-0644
EISSN | 1097-024X
Year of publication | 2003
Volume / issue / pages | 33 (4): 375-394
Abstract | OASIS is a role-based access control (RBAC) architecture for achieving secure interoperation of independently managed services in an open, distributed environment. OASIS differs from other RBAC schemes in a number of ways: role management is decentralized, roles are parametrized, roles are activated within sessions, and privileges are not delegated. OASIS depends on an active middleware platform to notify services of any relevant changes in their environment. Services define roles and establish formally specified policy for role activation and service use (authorization); users must present the required credentials and satisfy specified constraints in order to activate a role or invoke a service. The membership rule of a role indicates which of the role activation conditions must remain true while the role is active. A role is deactivated immediately if any of the conditions of the membership rule associated with its activation become false. OASIS introduces the notion of appointment, whereby being active in certain roles carries the privilege of issuing appointment certificates to other users. Appointment certificates capture the notion of long-lived credentials such as academic and professional qualifications or membership of an organization. The role activation conditions of a service may include appointment certificates, prerequisite roles and environmental constraints. The role activation and authorization policies of services within an administrative domain need not embody role hierarchies nor enforce privilege delegation, but OASIS is sufficiently flexible to capture such notions, through prerequisite roles and appointments, if they are required within an application domain. We define the model and architecture and discuss engineering details, including security issues.
We illustrate how an OASIS session can span multiple domains and we propose a minimal infrastructure to enable widely distributed, independently developed services to enter into agreements to respect each other's credentials. In a multi-domain system, access control policy may come from multiple sources and must be expressed, enforced and managed. In order to respond to changing relationships between organizations, it should be easy to allow role holders in one domain to obtain privileges in another. Our approach to policy and meta-policy management is described. We speculate on a further extension to mutually unknown, and therefore untrusted, parties. Each party will accumulate audit certificates which embody its interaction history and which may form the basis of a web of trust. Copyright (C) 2003 John Wiley & Sons, Ltd.
Keywords | security; role-based access control; policy; trust; certificates
Document type | Article
Language | English
Country | England
Indexed in | SCI-E
WOS accession number | WOS:000181843300005
WOS keywords | POLICY
WOS category | Computer Science, Software Engineering
WOS research area | Computer Science
Resource type | Journal article
Item identifier | http://119.78.100.177/qdio/handle/2XILL650/145859
Author affiliation | (1) Univ Cambridge, Comp Lab, Cambridge CB3 0FD, England
Recommended citation (GB/T 7714) | Bacon, J, Moody, K, Yao, W. Access control and trust in the use of widely distributed services [J], 2003, 33(4): 375-394.
APA | Bacon, J, Moody, K, & Yao, W. (2003). Access control and trust in the use of widely distributed services. SOFTWARE-PRACTICE & EXPERIENCE, 33(4), 375-394.
MLA | Bacon, J, et al. "Access control and trust in the use of widely distributed services". SOFTWARE-PRACTICE & EXPERIENCE 33.4 (2003): 375-394.
Files in this item | No files are associated with this item.