Ontology-Based Delegation of Access Control: An Enhancement to the XACML Delegation Profile

2015 
Delegation of access control (i.e. transferring access rights on a resource to another tenant) is crucial to efficiently decentralize access control management in large and dynamic scenarios. Most of the delegation methods available in the literature are based on the RBAC or ABAC models. However, their applicability can be hampered by (i) the effort required to manage and enforce multiple roles for each delegatee (i.e. access roles and delegated roles) and (ii) the effort required to specify constraints for the enforcement of the delegated roles or policies. Moreover, the performance of these methods degrades proportionally as the number of users increases. To tackle these issues, we propose an ontology-based delegation framework that enhances the standard XACML delegation profile by modeling the delegation logic in an ontological way. By means of the ontology, the operations of delegation, verification and revocation of access rights can be performed on the workflow generated by instantiating the ontology classes and their interrelations according to the entities involved in the delegation. By exploiting these workflows, we propose a cost-effective algorithm that performs delegation operations without any human intervention.
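The three operations the abstract names (delegation, verification and revocation of access rights) are illustrated below with a small Python model added here; it is not the paper's ontology-based framework or its algorithm. It follows the idea behind the XACML 3.0 delegation (administration) profile: a delegated right is only valid if its chain of delegations reduces back to a grant by the policy authority itself, which in XACML is a policy that carries no PolicyIssuer. The `DelegationGraph`, `Right` and `demo` names, the in-memory graph structure and the scenario data are assumptions constructed for this example.

```python
"""Delegation chain verification in the style of the XACML 3.0 delegation
profile: a right is valid only if its chain of delegations "reduces" to a
grant by the trusted policy authority.  Added example with a hypothetical
model; it is not the paper's ontology-based algorithm."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Right:
    """An access right on a resource, e.g. Right("report.pdf", "read")."""
    resource: str
    action: str


class DelegationGraph:
    """In-memory delegation graph (hypothetical model, not the paper's ontology).

    trusted_roots: rights granted by the policy authority itself.  In XACML
    terms these are policies without a PolicyIssuer, so they need no reduction.
    edges: (delegatee, right) -> set of delegators who granted that right.
    """

    def __init__(self, trusted_roots):
        self.roots = {p: set(rs) for p, rs in trusted_roots.items()}
        self.edges = {}

    def verify(self, principal, right, _seen=None):
        """Reduction: walk delegations back towards a trusted root.

        Returns True iff `principal` holds `right` through an unbroken chain.
        `_seen` guards against delegation cycles (A->B->A), which would
        otherwise recurse forever once the root grant has been revoked.
        """
        if right in self.roots.get(principal, set()):
            return True
        seen = _seen or set()
        if principal in seen:
            return False
        seen = seen | {principal}
        return any(self.verify(d, right, seen)
                   for d in self.edges.get((principal, right), set()))

    def delegate(self, delegator, delegatee, right):
        """Record a delegation.  Refused unless the delegator currently holds
        the right, so nobody can hand out a right they never validly held."""
        if not self.verify(delegator, right):
            raise PermissionError(f"{delegator} does not hold {right}")
        self.edges.setdefault((delegatee, right), set()).add(delegator)

    def revoke(self, delegator, delegatee, right):
        """Remove one delegation edge.  Downstream delegations are not
        deleted, but verify() now rejects them because their chain no longer
        reduces to a trusted root (cascading revocation for free)."""
        self.edges.get((delegatee, right), set()).discard(delegator)


def demo():
    """Constructed scenario: the authority grants admin, admin delegates to
    alice, alice to bob, bob back to alice (a cycle); then admin's grant to
    alice is revoked.  Returns (before, after) verification results for
    (alice, bob)."""
    read = Right("report.pdf", "read")
    g = DelegationGraph({"admin": {read}})
    g.delegate("admin", "alice", read)
    g.delegate("alice", "bob", read)
    g.delegate("bob", "alice", read)  # allowed: bob holds the right via alice
    before = (g.verify("alice", read), g.verify("bob", read))
    g.revoke("admin", "alice", read)
    after = (g.verify("alice", read), g.verify("bob", read))
    return before, after


if __name__ == "__main__":
    print(demo())  # → ((True, True), (False, False))
```

The revocation step is the part worth noting: because verification is recomputed from the graph rather than cached per delegatee, removing the single root-level edge invalidates every chain that depended on it, including the alice/bob cycle, without the administrator having to track and revoke each downstream delegation by hand.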