Publications Home » A Policy Framework for Management...
Policy-based management is one of the latest developments in network and distributed systems management. Academic and commercial settings, as well as standardisation bodies are concentrating on policy-based management as a very promising solution for managing large-scale distributed systems. The use of policy-based management in areas such as security is particularly attractive. The introduction of new technologies (e.g. active networks, mobile agents) and the use of the Internet for providing services to customers, increase the security concerns associated with today's networked environments. Security management involves specification and deployment of access control policies as well as activities such as registration of users or logging and auditing events for dealing with access to critical resources or security violations. The management actions to be performed when an event occurs depend on the enterprise policy.
The need is evident for a policy language to support the specification of access control and other management policies. In this thesis we propose a policy framework to support security and management of distributed systems. The framework consists of a policy specification language, an architecture for deploying policies based on the language and a set of tools for specifying and managing policies. In conjunction with the language, the toolkit permits integrated administration of resources, people and policy information with automated policy deployment. The toolkit comprises an Integrated Development Environment (IDE) with a policy compiler, as well as tools for managing policies and roles at runtime.
The policy language is a declarative, object-oriented language for specifying security and management policies for distributed object systems. The language is flexible, expressive and extensible to cover the wide range of requirements implied by the current distributed systems paradigms. It includes support for access control policies, and delegation to cater for temporary transfer of access rights to agents acting on behalf of a client. The language also supports policies to express management activity, which take the form of event-triggered rules called obligation policies. Domains are used to facilitate the specification of policies relating to large systems with millions of objects; policies are specified for collections of objects stored in domains instead of individual objects, thus allowing for scalability and flexibility. Composite policies are included to allow the basic security and management policies relating to roles, organisational units and specific applications to be grouped together. Composite policies are essential to cater for the complexity of policy administration in large enterprise information systems. Application specific constraints on groups of policies can be specified using meta-policies. The language is easy to use by policy users, and we use a structural operational semantics approach to specify its formal semantics.
pubs.doc.ic.ac.uk: built & maintained by Ashok Argent-Katwala.