Trustworthiness Based Authorization on WWW
Author
Yuhui Zhong, Bharat Bhargava, and Malika Mahoui
Tech report number
CERIAS TR 2002-08
Abstract
Current approaches for authorization on Web servers are mostly based on a predefined set of users or domains. They are not suitable for Internet Web sites where the user set is unbounded and authorized users can be non-predefined. We propose an authorization approach that applies role-based access control (RBAC) to WWW. Under this approach, system administrators predefine roles, role-permission relations, and the policies that assign roles to users (user-role assignment policy). The system automatically collects trustworthy information (valid evidence) and assigns roles to Internet users according to user-role assignment policies. Trustworthiness information plays an important role in user-role assignment. The validity of evidence is assessed based on the trustworthiness information of the evidence provider. In addition, system administrators can specify the trustworthiness constraints that users have to satisfy for holding roles. In this paper, the schema of using RBAC on the Web and the procedure of user-role assignment are presented. The classification and evaluation of trustworthiness are discussed.
Institution
CERIAS and Department of Computer Science, Purdue University
Note
Published in IEEE workshop on "Reliable and Secure Application in Mobile Environment", New Orleans, Oct. 2001
Publication Date
1900-01-01