Delegating Privileges over Finite Resources: A Quota Based Delegation Approach

TitleDelegating Privileges over Finite Resources: A Quota Based Delegation Approach
Publication TypeConference Paper
Year of Publication2008
AuthorsI. Agudo, C. Fernandez-Gago, and J. Lopez
Conference Name5th International Workshop on Formal Aspects in Security and Trust (FAST’08)
Series TitleLNCS
Conference LocationMalaga (Spain)
ISBN Number978-3-642-01464-2
ISSN Number0302-9743 (Print) 1611-3349 (Online)

When delegation in real world scenarios is considered, the delegator (the entity that posses the privileges) usually passes the privileges on to the delegatee (the entity that receives the privileges) in such a way that the former looses these privileges while the delegation is effective. If we think of a physical key that opens a door, the privilege being delegated by the owner of the key is opening the door. Once the owner of the key delegates this privilege to another entity, by handing over the key, he is not able to open the door any longer. This is due to the fact that the key is not copied and handed over but handed over to the delegatee. When delegation takes place in the electronic world, the delegator usually retains also the privileges. Thus, both users have them simultaneously. This situation, which in most cases is not a problem, may be undesirable when dealing with certain kind of resources. In particular, if we think of finite resources, those in which the number of users accessing simultaneously is finite, we can not allow that a user delegating his access privilege is also granted access when the delegation if effective. In this paper we propose an approach where each user is delegated an access quota for a resource. If further delegating of the delegated quota occurs, this is subtracted from his quota. That is, when delegating, part of the quota remains with the delegator and another part goes to the delegatee. This allows a more fairly access to the resource. Moreover, we show that this approach can also be applied to any kind of resources by defining appropriate authorization policies.

Citation KeyAgudo2008
Paper File:

Supported by SPIKE ARES