Multi-domain authorization for e-Infrastructures

The overall objective of this thesis is to study what is needed to create a multi-domain authorization system, allowing applications to access e-Infrastructure resources. A multi-domain authorization system allows different autonomous providers to chain their services automatically to create an end-to-end service, whilst retaining the ability to define their own access policies. The research was performed in the context of e-Science communities that use infrastructures at global scale, which capture, process, transport, store, visualise, etc. large amounts of scientific data. Such infrastructures became known as e-Infrastructures.
The study contributes to the understanding of what is needed by defining two frameworks and an authorization architecture. The first framework provides a way to articulate authorization scenarios; the second framework helps to understand the role of trust within authorization systems. A generic authorization architecture was defined as a way to help guide the solution design of an authorization system. The generic architecture was validated in collaboration with pioneering Internet research organisations to show its applicability.
To allow authorization transaction to happen, involved parties must trust each other. To be trusted in a chain, each service provider must know that any policy rule it executes is correct. Such trust emerges from a common set of rules that may need to be enforced depending on the risk involved.
The research on the second framework indicates that the complexity of an authorization system can decrease if organisational trust and power is considered along with its design, allowing the use of simple tokens.