Abstract: The problem of resolving conflicts in delegated authorizations has not been systematically addressed by researchers. In (Ruan
and Varadharajan in Proceedings of the 7th Australasian Conference on Information Security and Privacy, pp. 271–285, 2002) we proposed a graph based framework that supports authorization delegation and conflict resolution. In this paper, we have
extended the model to allow grantors of delegations to express degrees of certainty about their delegations and grants of
authorizations. This expression of certainty gives the subjects (e.g. users) more flexibility to control their delegations
of access rights. We propose a new conflict resolution policy based on weighted lengths of authorization paths. This policy
provides a greater degree of flexibility in that it makes it possible to specify and analyse the effect of the predecessor-successor relationship
as well as the weights of authorizations on the conflicts. We present a detailed algorithm to evaluate authorization delegations
and conflict resolutions. The correctness proof and time complexity of the algorithm are also provided. Since in a dynamic
environment, the authorization state is not static, we have considered how authorization state changes occur and have developed
an algorithm to analyse authorization state transformations and given correctness proofs. Finally, we discuss how to achieve
a global decision policy from local authorization policies in a distributed environment. Three integration models based on
the degrees of node autonomy are proposed, and different strategies of integrating the local policies into the global policies
in each model are systematically discussed.