Delegation is the process of a computer user handing over its authentication credentials to another user. In role-based access control models, delegation of authority involves delegating roles that a user can assume or the set of permissions that the user can acquire, to other users.


Types of delegation in IT networks

There are essentially two classes of delegation: delegation at the Authentication/Identity level, and delegation at the Authorization/Access Control level.


Delegation at Authentication/Identity level

It is defined as follows: if an authentication mechanism provides an effective identity different from the validated identity of the user, then it is called identity delegation at the authentication level, provided the owner of the effective identity has previously authorized the owner of the validated identity to use his identity. The existing techniques of identity delegation using the sudo or su commands of UNIX are very popular. To use the sudo command, a person first has to start his session with his own original identity. It requires the delegated account password or explicit authorizations granted by the system administrator. The user login delegation described in the patent of Mercredi and Frey is also an identity delegation.
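The definition above has three moving parts: a validated identity proven at login, an effective identity that may differ from it, and a prior authorization from the owner of the effective identity. The following Python model, added here as an illustration and not code from the original page or from sudo itself, makes those parts explicit. The users, passwords and the authorization table are constructed; the sudo-like policy check is an assumption modelled on the text, not the real sudoers format. The audit line keeps both identities, which is what lets a defender attribute a delegated action to the person who actually logged in.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    validated_identity: str   # the identity proven at login
    effective_identity: str   # the identity whose rights the session carries


# Constructed credential store: identity -> SHA-256 of the password.
# (Toy only: a real system would use a salted, slow password hash.)
_CREDENTIALS = {
    "alice": hashlib.sha256(b"alice-pw").hexdigest(),
    "bob": hashlib.sha256(b"bob-pw").hexdigest(),
}

# Constructed authorization table: target identity -> identities whose owners
# were authorized in advance to assume it (a sudoers-like policy, assumed).
_AUTHORIZED = {
    "backup": {"alice"},
}


def login(user: str, password: str) -> Session:
    """Authenticate; a fresh session has effective == validated identity."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    stored = _CREDENTIALS.get(user)
    if stored is None or not hmac.compare_digest(stored, digest):
        raise PermissionError(f"authentication failed for {user}")
    return Session(validated_identity=user, effective_identity=user)


def assume_identity(session: Session, target: str) -> Session:
    """sudo-like step: change the effective identity, keep the validated one.
    Allowed only if the target's owner authorized this user beforehand."""
    if session.validated_identity not in _AUTHORIZED.get(target, set()):
        raise PermissionError(
            f"{session.validated_identity} is not authorized to act as {target}")
    return Session(validated_identity=session.validated_identity,
                   effective_identity=target)


def is_identity_delegation(session: Session) -> bool:
    """True exactly when the definition in the text applies."""
    return session.effective_identity != session.validated_identity


def audit_line(session: Session, action: str) -> str:
    """Log both identities so delegated actions stay attributable to the real user."""
    return (f"validated={session.validated_identity} "
            f"effective={session.effective_identity} action={action}")


if __name__ == "__main__":
    s = login("alice", "alice-pw")
    d = assume_identity(s, "backup")
    print(audit_line(d, "read /var/backups"))
```

Note that `assume_identity` never re-validates the target's credentials; the authorization is the prior grant by the target identity's owner (or, in the sudo case, the administrator), which is the distinguishing feature of this class of delegation.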


Delegation at Authorization/Access Control level

The most common way of ensuring computer security is the access control mechanisms provided by operating systems such as UNIX, Linux, Windows, Mac OS, etc. (Gollmann 2005). If the delegation is for very specific rights, also known as fine-grained, such as with Role-based access control (RBAC) delegation, then there is always a risk of under-delegation, i.e., the delegator does not delegate all the necessary permissions to perform a delegated job. This may cause a denial of service, which is very undesirable in some environments, such as safety-critical systems or health care. In RBAC-based delegation, one option to achieve delegation is by reassigning a set of permissions to the role of a delegatee; however, finding the relevant permissions for a particular job is not an easy task for large and complex systems. Moreover, by assigning these permissions to a delegatee role, all other users who are associated with that particular role get the delegated rights. If the delegation is achieved by assigning the roles of a delegator to a delegatee, then it would not only be a case of over-delegation but also pose the problem that the delegator has to figure out what roles, in the complex hierarchy of RBAC, are necessary to perform a particular job. These types of problems are not present in identity delegation mechanisms, and normally the user interface is simpler. More details can be found at RBAC.
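The two RBAC delegation options the paragraph contrasts can be run side by side in a toy model. The following Python is an added example, not code from the original page or from any RBAC product; the clinical roles, permissions, users and the "cover rounds" job are constructed. It shows the three effects described above: delegating by permissions can under-delegate (the job is denied for want of a permission), those permissions leak to every other member of the delegatee's role, and delegating by roles over-delegates (the delegatee gains rights the job never needed).

```python
from dataclasses import dataclass, field


@dataclass
class Rbac:
    role_perms: dict = field(default_factory=dict)   # role -> permissions assigned directly
    juniors: dict = field(default_factory=dict)      # role -> roles it inherits from
    user_roles: dict = field(default_factory=dict)   # user -> roles assigned

    def role_permissions(self, role: str) -> set:
        """Permissions of a role including everything inherited down the hierarchy."""
        perms, seen, stack = set(), set(), [role]
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            perms |= self.role_perms.get(r, set())
            stack.extend(self.juniors.get(r, set()))
        return perms

    def user_permissions(self, user: str) -> set:
        perms = set()
        for role in self.user_roles.get(user, set()):
            perms |= self.role_permissions(role)
        return perms

    def delegate_by_permissions(self, delegatee_role: str, perms: set) -> None:
        """Option 1 from the text: add permissions to the delegatee's role."""
        self.role_perms.setdefault(delegatee_role, set()).update(perms)

    def delegate_by_roles(self, delegator: str, delegatee: str) -> None:
        """Option 2 from the text: give the delegatee the delegator's roles."""
        self.user_roles.setdefault(delegatee, set()).update(
            self.user_roles.get(delegator, set()))


def build_hospital() -> Rbac:
    """Constructed example: a small clinical RBAC hierarchy."""
    r = Rbac()
    r.role_perms = {
        "staff": {"read_schedule"},
        "nurse": {"administer_medication"},
        "physician": {"read_chart", "order_lab", "write_prescription"},
    }
    r.juniors = {"nurse": {"staff"}, "physician": {"staff"}}
    r.user_roles = {"alice": {"physician"}, "bob": {"nurse"}, "carol": {"nurse"}}
    return r


# The delegated job: covering rounds needs exactly these permissions (constructed).
JOB = frozenset({"read_chart", "order_lab"})


def missing_for_job(rbac: Rbac, user: str, job=JOB) -> set:
    """Under-delegation check: needed permissions the user still lacks.
    A non-empty result means the delegated job will be denied."""
    return set(job) - rbac.user_permissions(user)


def delegate_via_permissions() -> dict:
    """Alice delegates to Bob by adding read_chart to the nurse role
    (and overlooks order_lab)."""
    r = build_hospital()
    carol_before = r.user_permissions("carol")
    r.delegate_by_permissions("nurse", {"read_chart"})
    return {
        "bob_missing": missing_for_job(r, "bob"),                    # under-delegation
        "carol_gained": r.user_permissions("carol") - carol_before,  # leaks to every nurse
    }


def delegate_via_roles() -> dict:
    """Alice delegates to Bob by handing him her physician role."""
    r = build_hospital()
    bob_before = r.user_permissions("bob")
    r.delegate_by_roles("alice", "bob")
    gained = r.user_permissions("bob") - bob_before
    return {
        "bob_missing": missing_for_job(r, "bob"),   # empty: the job can be done
        "bob_excess": gained - JOB,                  # over-delegation
    }


if __name__ == "__main__":
    print("by permissions:", delegate_via_permissions())
    print("by roles:", delegate_via_roles())
```

`missing_for_job` is the check a delegator would want before confirming a fine-grained delegation; `bob_excess` is what a reviewer of a role-based delegation would want to see listed, since every permission in it is one the delegatee holds without a job-related reason.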


References

Gollmann, D.: Computer Security, 2nd ed. John Wiley and Sons, Chichester (2005)