|
One of the key components to our approach, as shown in Figures 2 and 3, is
the capability of the user to delegate access to attributes, enabling collaboration
with other users. We modify a traditional Access Control List (ACL) model,
by identifying the access control entry principal by password hash. If another
user is delegated permission to access a particular attribute, the corresponding
password hash, H{pwdc}, must exist (read and/or write) in the ACL computer nodes attached
to the attribute when stored in the destination directory. Alternatively, if the
attribute owner attempts to access the attribute, identified by H{pwdo}, full
access is granted. The ACL is managed by the virtual directory server, and
again would require additional interaction by the attribute owner to manage.
This is supported by the Delegation Manager in our system architecture.
|
