Delegation (computer security)

Delegation is the process of a computer user handing over its authentication credentials to another user. In role-based access control models, delegation of authority involves delegating roles that a user can assume or the set of permissions that the user can acquire, to other users.

Types of delegation in IT networks

There are essentially two classes of delegation: delegation at Authentication/Identity Level, and delegation at Authorization/Access Control Level.

Delegation at Authentication/Identity level

It is defined as follows: If an authentication mechanism provides an effective identity different from the validated identity of the user then it is called identity delegation at the authentication level, provided the owner of the effective identity has previously authorized the owner of the validated identity to use his identity.

The existing techniques of identity delegation using sudo or su commands of UNIX are very popular. To use the sudo command, a person first has to start his session with his own original identity. It requires the delegated account password or explicit authorizations granted by the system administrator. The user login delegation described in the patent of Mercredi and Frey is also an identity delegation.

Delegation at Authorization/Access Control level

The most common way of ensuring computer security is access control mechanisms provided by operating systems such as UNIX, Linux, Windows, Mac OS, etc.

If the delegation is for very specific rights, also known as fine-grained, such as with Role-based access control (RBAC) delegation, then there is always a risk of under-delegation, i.e., the delegator does not delegate all the necessary permissions to perform a delegated job. This may cause the denial of service, which is very undesirable in some environments, such as in safety critical systems or in health care. In RBAC-based delegation, one option to achieve delegation is by reassigning a set of permissions to the role of a delegatee; however, finding the relevant permissions for a particular job is not an easy task for large and complex systems. Moreover, by assigning these permissions to a delegatee role, all other users who are associated with that particular role get the delegated rights.

If the delegation is achieved by assigning the roles of a delegator to a delegatee then it would not only be a case of over-delegation but also the problem that the delegator has to figure out what roles, in the complex hierarchy of RBAC, are necessary to perform a particular job. These types of problems are not present in identity delegation mechanisms and normally the user interface is simpler.

More details can be found at RBAC.

References

Barka, E., Sandhu, R.: A role-based delegation model and some extensions. In: Proceedings of 16th Annual Computer Security Application Conference, New Orleans, U.S.A. (December 2000)
Ahmed, N., Jensen, C.D.: A mechanism for identity delegation at authentication level. In: Proceedings of the 14th Nordic Conference … (2009), portal.acm.org
Gollmann, D.: Computer Security 2e. John Wiley and Sons, Chichester (2005)
Mercredi, Frey: User login delegation. United States Patent Application Publication, US 2004/0015702 A1 (2004)


Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.