Nasser B., Benzekri A., Laborde R., Grasset F., Barrère F.



The problems encountered in the scientific, industrial and engineering fields entail sophisticated processes across widely distributed communities. The Grid emerged as a platform that has a goal enabling coordinated resources sharing and problem resolving in dynamic multi-institutional Virtual Organizations (VO). Though the multi-institutional aspect is considered in the grid definition, there is no recipe that indicates how to fabricate a VO in such environment where mutual distrust is a constraint. Excluding a central management authority, the different partners should cooperate to put in place a multi-administrated environment. The role of each partner in the VO should be clear and unambiguous (permissions, interdictions, users and resources to manage…). Organizing a large scale environment is error prone where not well formalized models lead to unexpected security breaches. Within the access control models RBAC has proved to be flexible but is not adapted to model the multi-institutional aspect. In this context, we propose a formal access control model, OrBAC (Organization Based Access Control model), that encompass concepts required to express a security policy in complex distributed organizations. Its generality and formal foundation makes this model the best candidate to serve as a common framework for setting up Virtual Organizations.


  1. Alfieri R., Cecchini R., Ciaschini V., dell'Agnello L., Frohner A., Gianoli A., L?orentey K., and Spataro F. (2003). VOMS, an authorizatuin system for virtual organizations. Presented at 1st European Across Grids Conference, Santiago de Compostela, February 13-14, 2003.
  2. Abou El Kalam A., El Baida R., Balbiani P., Benferhat S., Cuppens F., Deswartes Y., Miege A., Saurel C., Trouessin G. (2003). “Organization Based Access Control”. In Proceedings of the 4th IEEE International Workshop on Policies for Distributed Systems and Networks (Policy'03), p.120-131, June 4- 6, 2003, Lake Como, Italy.
  3. Cannon S., Chan S., Olson D., Tull C., Welch V., Pearlman L. (2003). Using CAS to manage Role based VO sub-groups. In CHEP 2003. La Jolla, California.
  4. Baru C., Moore R., Rajasekar A., Wan M. (1998). The SDSC Storage Resource Broker. In Proc. CASCON'98 Conference, Nov.30-Dec.3, 1998, Toronto, Canada.
  5. Djordjevic I., Dimitrakos T., Phillips C. (2004). An Architecture for Dynamic Security Perimeters of Virtual Collaborative Networks. In Proceeding 9th IEEE/IFIP Network Operations and Management Symposium, (NOMS 2004), April 2004. IEEE-CS.
  6. Cuppens F., Miege A. (2003). Ad-OrBAC: An Administration Model for Or-BAC. Workshop on Metadata for Security, International Federated Conferences (OTM'03), Catania, Sicily, Italy, November 3-7, 2003.
  7. Foster I., Kesselman C., Tuecke S. (2001). The Anatomy of the Grid: Enabling Scalable Virtual Organizations. In, International J. Supercomputer Applications,15(3),2001.
  8. Foster I., Kesselman C., (1997). A Metacomputing Infrastructure Toolkit. Intl J. Supercomputer Applications, 11(2):115-128.
  9. Fedak G., Germain C., Neri V., and Cappello F. (2001). XtremWeb: A Generic Global Computing System. CCGRID2001, workshop on Global Computing on Personal Devices, May 2001, IEEE Press.
  10. Karl Czajkowski, Ian Foster, Carl Kesselman, Volker Sander, Steven Tuecke, (2002). SNAP: A Protocol for Negotiation of Service Level Agreements and Coordinated Resource Management in Distributed Systems. Draft submission to JSSPP'02 April 30, 2002. Retrieved January 26, 2005 from:
  12. Nitin Nayak, Tian Chao, Jenny Li, Joris Mihaeli, Raja Das, Annap Derebail, Jeff Soo Hoo, (2001). Role of Technology in Enabling Dynamic Virtual Enterprises. Retrieved January 26, 2005 from:
  14. Samarati P., De Capitani di Vimercati S.. Access Control: Policies, Models, and Mechanisms. Retrieved January 26, 2005 from: rial_didatico/docs/LNCS2171_Cap3.pdf
  15. Russell D., Dew P., Djemame K (2004). Access control for dynamic virtual organizations. In Proceedings of the UK e-Science All Hands Meeting 2004, © EPSRC Sept 2004. Retrieved January 26, 2005 from: ings/proceedings.pdf
  16. Sandhu R., Coyne E., Feinstein H., Youman C. (1996). Role-Based Access Control Models. IEEE Computer, vol. 29, n° 2, pp.38-47, février, 1996.
  17. Sandhu R., Munawer Q. (1999). The ARBAC99 Model for Administration of Roles. In Proceeding of the 15th Annual Computer Security Applications Conference (ACSAC'99), Phoenix, Arizona, 6-10 December 1999, IEEE Computer Society, pp. 229-241.
  18. Welch V., Foster, I., Kesselman, C., Mulmo, O., Pearlman, L., Tuecke, S., Gawor, J., Meder, S. and Siebenlist, F. (2004). X.509 proxy certificate for dynamic delegation. Proceedings of the 3rd Annual PKI R&D Workshop.
  19. Wedde H.F., Lischka M., (2003).Cooperative Role-Based Administration. Proceedings of the eighth ACM symposium on Access control models and technologies Como, Italy 2003

Paper Citation

in Harvard Style

B. N., A. B., R. L., F. G. and F. B. (2005). ACCESS CONTROL MODEL FOR GRID VIRTUAL ORGANIZATIONS . In Proceedings of the Seventh International Conference on Enterprise Information Systems - Volume 3: ICEIS, ISBN 972-8865-19-8, pages 152-158. DOI: 10.5220/0002535001520158

in Bibtex Style

author={Nasser B. and Benzekri A. and Laborde R. and Grasset F. and Barrère F.},
booktitle={Proceedings of the Seventh International Conference on Enterprise Information Systems - Volume 3: ICEIS,},

in EndNote Style

JO - Proceedings of the Seventh International Conference on Enterprise Information Systems - Volume 3: ICEIS,
SN - 972-8865-19-8
AU - B. N.
AU - A. B.
AU - R. L.
AU - F. G.
AU - F. B.
PY - 2005
SP - 152
EP - 158
DO - 10.5220/0002535001520158