Easy Expression of Authorisation Policies
Lead Research Organisation:
University of Kent
Department Name: Sch of Computing
Abstract
The primary purpose of this 20 month long project is to allow Grid managers to be able to specify the authorisation policy for access to their Grid computing resources through the use of controlled natural language. The policy tool will parse the policy, interpret it, and store it in its own internal representation, using a model and ontology developed at the start of the research. The policy tool will prompt the manager to clarify any unclear terms (e.g. what is Fred? Is it a filename or a username?), resolve any ambiguities, and once this has been done will print the policy out in similar natural language, using wording as near to the original input language as possible. This will allow the manager to see if the computer has fully understood his policy, but if not, the manager will need to edit his policy and resubmit it, until the computer's version is identical in meaning to his own. Finally, the tool will compile the policy into two existing XML authorization policy languages (XACML and PERMIS) so that the policy can be automatically fed into existing Grid authorization engines (policy decision points). In this way, we can be assured that the policy that is implemented is the one that the manager intended it to be.
Organisations
Publications
David Chadwick (Author)
(2006)
The Virtuous Circle of Expressing Authorisation Policies
David Chadwick (Author)
(2008)
Interface Intelligence
Inglesant P
(2008)
Expressions of expertness
| Description | The project achieved its original objective of building a natural language policy creating interface, but only for very basic authorisation policies. This is because it is a much greater and more complex task than originally envisaged to build generic authorisation policies with complex clauses such as conditions, separation of duties, delegation of authority etc. This was a relatively small project over a short duration (20 months). Consequently the original objectives are still valid and achievable, but only in a project that is an order of magnitude greater than this one. |
| Exploitation Route | The software is application and sector independent so can be used by any sector of the economy. Any organisation that wishes to create a natural language interface for creating basic authorisation policies, can use this software The researchers at the University of Kent made the sofware and documentation publicly available as part of the PERMIS open source software suite. It gets hundreds of downloads per year. The researchers at Kent were able to continue this research under a follow on EC FP7 integrated project called TAS3. Kent and Sheffield put in another research bid to EPSRC to continue the current research, but this was not funded. |
| Sectors | Digital/Communication/Information Technologies (including Software) |
| URL | http://sec.cs.kent.ac.uk/permis/ |
| Description | EC FP7 - Trusted Architecture for Securely Shared Services |
| Amount | € 1,051,904 (EUR) |
| Funding ID | 216287 |
| Organisation | European Commission |
| Department | Seventh Framework Programme (FP7) |
| Sector | Public |
| Country | European Union (EU) |
| Start | 01/2008 |
| End | 12/2011 |
| Title | PERMIS |
| Description | PERMIS is an application independent policy based authorisation infrastructure. PERMIS is actually a suite of authorisation tools that have been developed over a 12 year period from many research grants. The first release was in 2002 and since then, many new novel features and capabilities have been added to it such as: an easy to use GUI for constructing policies, a natural language interface for creating policies, a standalone authorisation service, a Java based policy decision point, a credential validation service, an obligation service and a sticky policy handling authorisation service. |
| Type Of Technology | Software |
| Year Produced | 2011 |
| Open Source License? | Yes |
| Impact | The SWISS Ministry of Defense took a version of the toolkit and hardened it for an air force application. They then re-released their version back to the public as open source Hardened PERMIS. |
| URL | http://www.openpermis.info |