Department of Computer Science and Technology

Technical reports

Active privilege management for distributed access control systems

David M. Eyers

June 2006, 222 pages

This technical report is based on a dissertation submitted June 2005 by the author for the degree of Doctor of Philosophy to the University of Cambridge, King’s College.


The last decade has seen the explosive uptake of technologies to support true Internet-scale distributed systems, many of which will require security.

The policy dictating authorisation and privilege restriction should be decoupled from the services being protected: (1) policy can be given its own independent language syntax and semantics, hopefully in an application independent way; (2) policy becomes portable – it can be stored away from the services it protects; and (3) the evolution of policy can be effected dynamically.

Management of dynamic privileges in wide-area distributed systems is a challenging problem. Supporting fast credential revocation is a simple example of dynamic privilege management. More complex examples include policies that are sensitive to the current state of a principal, such as dynamic separation of duties.

The Open Architecture for Secure Interworking Services (OASIS), an expressive distributed role-based access control system, is traced to the development of the Clinical and Biomedical Computing Limited (CBCL) OASIS implementation. Two OASIS deployments are discussed – an Electronic Health Record framework, and an inter-organisational distributed courseware system.

The Event-based Distributed Scalable Authorisation Control architecture for the 21st century (EDSAC21, or just EDSAC) is then presented along with its four design layers. It builds on OASIS, adding support for the collaborative enforcement of distributed dynamic constraints, and incorporating publish/subscribe messaging to allow scalable and flexible deployment. The OASIS policy language is extended to support delegation, dynamic separation of duties, and obligation policies.

An EDSAC prototype is examined. We show that our architecture is ideal for experiments performed into location-aware access control. We then demonstrate how event-based features specific to EDSAC facilitate integration of an ad hoc workflow monitor into an access control system.

The EDSAC architecture is powerful, flexible and extensible. It is intended to have widespread applicability as the basis for designing next-generation security middleware and implementing distributed, dynamic privilege management.

Full text

PDF (1.9 MB)

BibTeX record

  author =	 {Eyers, David M.},
  title = 	 {{Active privilege management for distributed access control
  year = 	 2006,
  month = 	 jun,
  url = 	 {},
  institution =  {University of Cambridge, Computer Laboratory},
  number = 	 {UCAM-CL-TR-669}