Delegation in IT
If a computer user temporarily hands over his authorizations to another user, then this process is called delegation.
Types of Delegation in IT network
There are essentially two classes of delegation:
- Delegation at Authentication/Identity Level
- Delegation at Authorization/Access Control Level
Delegation at Authentication Level
It is defined as follows: If an authentication mechanism provides an effective identity different from the validated identity of the user, then it is called identity delegation at the authentication level, provided the owner of the effective identity has previously authorized the owner of the validated identity to use his identity.
The existing techniques of identity delegation using the sudo or su commands of UNIX are very popular. To use the sudo command, a person first has to start a session with his own original identity. It requires the password of the delegated account or explicit authorizations granted by the system administrator. The user login delegation described in the patent of Mercredi and Frey is also an identity delegation.
Delegation at Access Control Level
The most common way of ensuring computer security is the access control mechanisms provided by operating systems such as UNIX, Linux, Windows, Mac OS, etc.
If the delegation is fine-grained, like role-based access control (RBAC) delegation, then there is always a risk of under-delegation, i.e., the delegator does not delegate all the permissions necessary to perform the delegated job. This may cause a denial of service, which is very undesirable in some environments, such as safety-critical systems or health care. In RBAC-based delegation, one option is to reassign a set of permissions to the role of the delegatee; however, finding the relevant permissions for a particular job is not an easy task in large and complex systems. Moreover, by assigning these permissions to the delegatee's role, all other users associated with that role also get the delegated rights.
If delegation is achieved by assigning the roles of the delegator to the delegatee, then it is not only a case of over-delegation but also presents the problem that the delegator has to figure out which roles, in the complex RBAC hierarchy, are necessary to perform a particular job. These problems are not present in identity delegation mechanisms, and the user interface is normally simpler.
More details can be found in the literature on RBAC.
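The following is an added toy model, not code from the article, that makes the two classes concrete: an authentication-level check that only lets a validated user act under an effective identity whose owner granted it beforehand, and the two access-control-level options whose under- and over-delegation pitfalls the text describes. The users, roles, permissions and the "prescribe" job are constructed sample data.

```python
# Added illustration (not from the article): a toy model of identity delegation
# versus RBAC delegation. All users, roles and permissions are constructed.
from dataclasses import dataclass, field


@dataclass
class DelegationModel:
    role_perms: dict = field(default_factory=dict)       # role -> set of permissions
    user_roles: dict = field(default_factory=dict)       # user -> set of roles
    identity_grants: dict = field(default_factory=dict)  # identity -> users its owner authorized

    def perms(self, user):
        """Permissions a user holds through all of their roles."""
        roles = self.user_roles.get(user, set())
        return set().union(*(self.role_perms.get(r, set()) for r in roles))

    def missing_for_job(self, user, job_perms):
        """Under-delegation check: permissions the job needs that the user lacks."""
        return set(job_perms) - self.perms(user)

    def effective_identity(self, validated, requested):
        """Authentication-level delegation: the validated user may act as
        `requested` only if that identity's owner authorized them beforehand."""
        if requested == validated or validated in self.identity_grants.get(requested, set()):
            return requested
        raise PermissionError(f"{validated} is not authorized to act as {requested}")

    def delegate_roles(self, delegator, delegatee):
        """Access-control-level delegation by role reassignment: the delegatee
        receives every permission of every role the delegator holds."""
        self.user_roles.setdefault(delegatee, set()).update(self.user_roles.get(delegator, set()))

    def delegate_perms_to_role(self, perms, role):
        """Access-control-level delegation by adding permissions to the delegatee's
        role: every other member of that role receives them as well."""
        self.role_perms.setdefault(role, set()).update(perms)


def build_example():
    """Constructed sample: a physician (alice) and two nurses (bob, carol)."""
    m = DelegationModel()
    m.role_perms = {"physician": {"read_chart", "prescribe", "discharge"},
                    "nurse": {"read_chart"}}
    m.user_roles = {"alice": {"physician"}, "bob": {"nurse"}, "carol": {"nurse"}}
    m.identity_grants = {"alice": {"bob"}}  # alice authorized bob to use her identity
    return m
```

With this data, bob lacks "prescribe" for a job needing {read_chart, prescribe} (under-delegation); adding "prescribe" to the nurse role also gives it to carol, while assigning alice's roles to a new user hands over "discharge" as well (over-delegation), whereas acting under alice's identity gives exactly her rights.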