An Auto-Delegation Mechanism For Access Control Systems

Delegation is a widely used and widely studied mechanism in access control systems. Delegation enables an authorized entity to nominate another entity as its authorized proxy for the purposes of access control. Existing delegation mechanisms tend to rely on manual processes initiated by end-users. We believe that systems in which the set of available, authorized entities fluctuates considerably and unpredictably over time require delegation mechanisms that can respond automatically to the absence of appropriately authorized users. To address this, we propose an auto-delegation mechanism and explore the way in which such a mechanism can be used to provide (i) controlled overriding of policy-based authorization decisions (ii) a novel type of access control mechanism based on subject-object relationships.