An authorization framework based on constrained delegation

In this paper, we distinguish between authorization problems at management level and request level in open decentralized systems, using delegation for flexible and scalable authorization management. The delegation models in existing approaches are limited within one level or only provide basic delegation schemes, and have no effective control over the propagation scope of delegated privileges. We propose REAL, a Role-based Extensible Authorization Language framework for open decentralized systems. REAL covers delegation models at both two levels and provides more flexible and scalable authorization and delegation policies while capable of restricting the propagation scope of delegations. We formally define the semantics of credentials in REAL by presenting a translation algorithm from credentials to Datalog rules (with negation-as-failure). This translation also shows that the semantics can be computed in polynomial time.