There are three major drawbacks of a centralized security administration in distributed systems: It creates a bottleneck for request handling, it tends to enforce homogeneous security structures in heterogeneous user groups and organizations, and it is a weak point in terms of security attacks, reliability, and fault tolerance. In this paper we introduce a distributed authorization concept which is based on a modular authorization language for supporting cooperating distributed authorization teams. These teams are partially ordered into a hierarchy in that they inherit authorization rules from higher-order teams but still exercise their autonomy by (dynamically) setting local rules that serve the special local needs in distributed organizations. Conflicts between rules inherited from different higher-ranking sources, or violations of higher-order rules through local rules, would be detected, on the logical level or through request evaluation, as contradictions or contradicting results, respectively. Conflict resolution mechanisms are presented, and examples are discussed extensively.
F. Wedde has been a full professor of Computer Science at the
University of Dortmund, Germany, since 1994. Prior to this
appointment he was on the faculty at Wayne State University, Detroit
(1984-1993), and served as a senior staff researcher and
project leader at the GMD (German National Research Institute
for Computer Science) (1969-1983). He also held visiting
positions at the Universities of Pisa, Turin, Naples (Italy),