Definition
Administrative & Delegation policies
Intuitively speaking, an administrative policy is a policy enabling a user to establish another policy.
For instance, in the example in the previous section, an intern cannot access the printer. However, consider the case where Alice wants to delegate her privilege to access the printer to Bob while she's away. If she could add the rule Permit if AND(RESOURCE_printer,USER_Bob) and combine this rule with the previous policy, then Bob would be granted access (try to edit this policy, don't forget to add the attribute USER_Bob).
However, in practice, it would be cumbersome for Alice to add this specific rule each time she needs it. She would need to contact the administrator every time she's away, and the administrator would need to check that it is indeed Alice asking to add this rule (and not Bob trying to gain access).
Instead, the administrator can define an administrative policy, enabling Alice to delegate access to the printer to Bob.
P2: Permit if AND(DELEGATE_Alice, DEL-RESOURCE_printer, DEL-USER_Bob)
It is worth noting here that the attributes are delegated, as indicated by the prefix DEL-.
This policy does not enable Bob to access the printer by itself, but it can be used in combination with the following policy, issued by Alice:
P3[Alice]: Permit if AND(RESOURCE_printer,USER_Bob)
Evaluation
In order to evaluate policies consisting of delegation policies (which are issued by a specific user) and administrative policies (which apply to delegated attributes), a request is permitted if and only if either:
- this request is permitted by a trusted policy (i.e., a policy with no issuer), or
- this request is permitted by a delegate policy, and the corresponding administrative request is permitted (following the same process recursively).
The administrative request consists of the same request where each attribute is prefixed by DEL- and where the attribute DELEGATE_X, where X is the issuer of the policy, is true.
Example
Let us consider the example below, where Bob tries to access the printer. We can see that initially, the request is permitted by P3[Alice], but not by any trusted policy. Therefore, case 1 does not apply and we have to construct the corresponding administrative request. Change the attribute values to add DEL- in front of each of them, and add the attribute DELEGATE_Alice (make sure its value is set to True). We can see now that P2 permits this request, and since P2 is trusted, we can conclude that the initial request is permitted. The next page contains a more complex example.
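The two-case evaluation rule above, and the walk-through of Bob's request, are implemented here as an added example (this is not code from the original page or from the tool it describes). A request is modelled as the set of attributes whose value is True; a policy is a single Permit-if-AND rule, trusted when it has no issuer. P2 and P3[Alice] are taken from the page; the policy P4[Bob], in which Bob issues the same rule for himself, is constructed here to show why the DELEGATE_X attribute matters: without a trusted administrative policy naming DELEGATE_Bob, his self-issued rule cannot be backed and the request is denied.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Policy:
    """One 'Permit if AND(attr1, attr2, ...)' rule.

    issuer is None for a trusted policy (installed by the administrator);
    a delegation policy carries the name of the user who issued it.
    """
    name: str
    conditions: FrozenSet[str]
    issuer: Optional[str] = None

    def permits(self, request: FrozenSet[str]) -> bool:
        # AND semantics: every listed attribute must be True in the request.
        return self.conditions <= request


def administrative_request(request: FrozenSet[str], issuer: str) -> FrozenSet[str]:
    """Build the administrative request for a delegation policy: every attribute
    of the original request is prefixed with DEL- and DELEGATE_<issuer> is set."""
    return frozenset({"DEL-" + attr for attr in request} | {"DELEGATE_" + issuer})


def derivation(request: FrozenSet[str], policies: List[Policy],
               depth: int = 0, max_depth: int = 8) -> Optional[List[str]]:
    """Return the chain of policy names that permits the request, or None.

    Case 1: a trusted policy permits the request directly.
    Case 2: a delegation policy permits it and its administrative request is
            itself permitted, decided recursively by the same rule.
    max_depth bounds the recursion so a self-referential chain terminates.
    """
    if depth > max_depth:
        return None
    for p in policies:
        if p.issuer is None and p.permits(request):
            return [p.name]
    for p in policies:
        if p.issuer is not None and p.permits(request):
            admin = administrative_request(request, p.issuer)
            chain = derivation(admin, policies, depth + 1, max_depth)
            if chain is not None:
                return [p.name] + chain
    return None


def is_permitted(request: FrozenSet[str], policies: List[Policy]) -> bool:
    return derivation(request, policies) is not None


# Policies from the page: P2 is trusted, P3 is issued by Alice.
P2 = Policy("P2", frozenset({"DELEGATE_Alice", "DEL-RESOURCE_printer", "DEL-USER_Bob"}))
P3 = Policy("P3[Alice]", frozenset({"RESOURCE_printer", "USER_Bob"}), issuer="Alice")
# Constructed for this example (not on the page): Bob issues the same rule himself.
P4_BOB = Policy("P4[Bob]", frozenset({"RESOURCE_printer", "USER_Bob"}), issuer="Bob")

# Bob's request: the attributes that are True.
BOB_REQUEST = frozenset({"RESOURCE_printer", "USER_Bob"})

if __name__ == "__main__":
    print(derivation(BOB_REQUEST, [P2, P3]))      # ['P3[Alice]', 'P2']
    print(derivation(BOB_REQUEST, [P3]))          # None: no trusted policy backs Alice
    print(derivation(BOB_REQUEST, [P2, P4_BOB]))  # None: P2 requires DELEGATE_Alice
```

The returned chain reads from the delegation policy outward to the trusted policy that ultimately authorises it, which is the audit trail a reviewer wants when a delegated permission is questioned. Deny is the default: a request that no chain reaches is simply not permitted.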