Entry: Delegation (computer security)
Definition

  1. Types of Delegation in IT network

     Delegation at Authentication/Identity Level
     Delegation at Authorization/Access Control Level

  2. References

Delegation is the process of a computer user handing over their authentication credentials to another user.[1][2] In role-based access control models, delegation of authority involves delegating roles that a user can assume or the set of permissions that he can acquire, to other users.[3]

Types of Delegation in IT network

There are essentially two classes of delegation.

  1. Delegation at Authentication/Identity Level
  2. Delegation at Authorization/Access Control Level

Delegation at Authentication/Identity Level

It is defined as follows: If an authentication mechanism provides an effective identity different from the validated identity of the user, then it is called identity delegation at the authentication level, provided the owner of the effective identity has previously authorized the owner of the validated identity to use his identity.[4]

The existing techniques of identity delegation using sudo or su commands of UNIX are very popular.[citation needed] To use the sudo command, a person first has to start his session with his own original identity. It requires the delegated account password or explicit authorizations granted by the system administrator. The user login delegation described in the patent of Mercredi and Frey is also an identity delegation.[5]

Delegation at Authorization/Access Control Level

The most common way of ensuring computer security is access control mechanisms provided by operating systems such as UNIX, Linux, Windows, Mac OS, etc.[6]

If the delegation is for very specific rights, also known as fine-grained, such as with Role-based access control (RBAC) delegation, then there is always a risk of under-delegation, i.e., the delegator does not delegate all the necessary permissions to perform a delegated job. This may cause the denial of service, which is very undesirable in some environments, such as in safety critical systems or in health care. In RBAC-based delegation, one option to achieve delegation is by reassigning a set of permissions to the role of a delegatee; however, finding the relevant permissions for a particular job is not an easy task for large and complex systems. Moreover, by assigning these permissions to a delegatee role, all other users who are associated with that particular role get the delegated rights.

If the delegation is achieved by assigning the roles of a delegator to a delegatee then it would not only be a case of over-delegation but also the problem that the delegator has to figure out what roles, in the complex hierarchy of RBAC, are necessary to perform a particular job. These types of problems are not present in identity delegation mechanisms and normally the user interface is simpler.
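A minimal model of the two RBAC delegation options described above, added here as an illustration and not taken from the cited papers; the users, roles, permissions and function names are constructed sample data. It reports under-delegation, over-delegation, and which other members of the delegatee's role pick up the delegated rights.

```python
# Constructed RBAC state: all names below are hypothetical sample data.
from copy import deepcopy

ROLE_PERMS = {
    "physician": {"read_chart", "write_prescription", "order_lab", "sign_discharge"},
    "nurse": {"read_chart", "record_vitals"},
}
USER_ROLES = {"alice": {"physician"}, "bob": {"nurse"}, "carol": {"nurse"}}
JOB = {"read_chart", "write_prescription", "order_lab"}  # what the delegated job needs


def perms(user, user_roles, role_perms):
    """Effective permissions of a user: union over all assigned roles."""
    return set().union(*(role_perms[r] for r in user_roles[user]))


def assess(delegatee, job, user_roles, role_perms):
    """Compare the state after delegation with the baseline and with the job."""
    after = {u: perms(u, user_roles, role_perms) for u in user_roles}
    before = {u: perms(u, USER_ROLES, ROLE_PERMS) for u in USER_ROLES}
    gained = {u: after[u] - before[u] for u in after}
    return {
        "under": job - after[delegatee],   # needed but not delegated
        "over": gained[delegatee] - job,   # delegated but not needed
        "spill": {u for u, g in gained.items() if g and u != delegatee},
    }


def grant_perms_to_role(role, delegated):
    """Option 1: reassign permissions to the delegatee's role."""
    rp = deepcopy(ROLE_PERMS)
    rp[role] |= delegated
    return USER_ROLES, rp


def assign_role_to_user(user, role):
    """Option 2: give the delegatee one of the delegator's roles."""
    ur = deepcopy(USER_ROLES)
    ur[user].add(role)
    return ur, ROLE_PERMS


if __name__ == "__main__":
    # Delegator forgot order_lab: under-delegation, and carol gains rights too.
    print(assess("bob", JOB, *grant_perms_to_role("nurse", {"write_prescription"})))
    # Whole role handed over: job covered, but sign_discharge comes along.
    print(assess("bob", JOB, *assign_role_to_user("bob", "physician")))
```

Running the same assessment against a real role and permission export before approving a delegation shows whether the grant covers the job and who else inherits it.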

More details can be found at RBAC.

References

1. Barka, E., Sandhu, R.: A role-based delegation model and some extensions. In: Proceedings of 16th Annual Computer Security Application Conference, New Orleans, U.S.A. (December 2000)
2. A mechanism for identity delegation at authentication level, N Ahmed, CD Jensen - Proceedings of the 14th Nordic Conference …, 2009 - portal.acm.org, 2009
3. Fine-grained role-based delegation in presence of the hybrid role hierarchy. Purdue University (2006). https://docs.lib.purdue.edu/ccpubs/333/ (accessed 2014-03-29)
4. A mechanism for identity delegation at authentication level, N Ahmed, CD Jensen - Proceedings of the 14th Nordic Conference …, 2009 - portal.acm.org, 2009
5. Mercredi, Frey: User login delegation. United States Patent Application Publication, US 2004/0015702 A1 2004
6. Gollmann, D.: Computer Security 2e. John Wiley and Sons, Chichester (2005)

1 : Computer access control
