Privilege Management Infrastructure

Privilege Management Infrastructure

Privilege Management is the process of managing user authorisations based on the ITU-T Recommendation X.509. The 2001 edition of X.509 [1] specifies most (but not all) of the components of a "Privilege Management Infrastructure" (PMI), based on X.509 attribute certificates (ACs). Later editions of X.509 (2005 and 2009) have added further components to the PMI, including a delegation service (in 2005 [2] ) and interdomain authorisation (in the soon to be published 2009 edition [3] ).

Privilege Management Infrastructures (PMIs) are to authorisation what Public Key Infrastructures (PKIs) are to authentication. PMIs use attribute certificates (ACs) to hold user privileges, in the form of attributes, instead of public key certificates (PKCs) to hold public keys. PMIs have Sources of Authority (SoAs) and Attribute Authorities (AAs) that issue ACs to users, instead of Certification Authorities (CAs) that issue PKCs to users. Usually PMIs rely on an underlying PKI, since ACs have to be digitally signed by the issuing AA, and the PKI is used to validate the AA's signature.

An X.509 AC is a generalisation of the well known X.509 public key certificate (PKC), in which the public key of the PKC has been replaced by any set of attributes of the certificate holder (or subject). Therefore one could in theory use X.509 ACs to hold a user's public key as well as any other attribute of the user. (In a similar vein, X.509 PKCs can also be used to hold privilege attributes of the subject, by adding them to the subject directory attributes extension of an X.509 PKC). However, the life cycle of public keys and user privileges are usually very different, and therefore it isn't usually a good idea to combine both of them in the same certificate. Similarly, the authority that assigns a privilege to someone is usually different from the authority that certifies someone's public key. Therefore it isn't usually a good idea to combine the functions of the SoA/AA and the CA in the same trusted authority. PMIs allow privileges and authorisations to be managed separately from keys and authentication.

The first open source implementation of an X.509 was built with funding under the EC PERMIS project, and the software is available from [ here] . A description of the implementation can be found in [4] .

X.509 ACs and PMIs are used today in Grids (see Grid computing), to assign privileges to users, and to carry the privileges around the Grid. In the most popular Grid privilege management system today, called VOMS [5] , user privileges, in the shape of VO memberships and roles, are placed inside an X.509 AC by the VOMS server, signed by the VOMS server, and then embedded in the user's X.509 proxy certificate for carrying around the Grid.

Because of the rise in popularity of XML SOAP based services, SAML attribute assertions are now more popular than X.509 ACs for transporting user attributes. However, they both have similar functionality, which is to strongly bind a set of privilege attributes to a user.


[1] ISO 9594-8/ITU-T Rec. X.509 (2001) The Directory: Public-key and attribute certificate frameworks
[2] ISO 9594-8/ITU-T Rec. X.509 (2005) The Directory: Public-key and attribute certificate frameworks
[3] FPDAM 2 text of Enhancements to Support Recognition of Authority Between PMIs
[4] D.W.Chadwick, A. Otenko “The PERMIS X.509 Role Based Privilege Management Infrastructure”. Future Generation Computer Systems, 936 (2002) 1–13, December 2002. Elsevier Science BV.
[5] Alfieri, R., Cecchini, R., Ciaschini, V., Dell'Agnello, L., Frohner, A., Lorentey, K., Spataro, F., “From gridmap-file to VOMS: managing authorization in a Grid environment”. Future Generation Computer Systems. Vol. 21, no. 4, pp. 549-558. Apr. 2005

Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Privilege Management Infrastructure — Eine Privilege Management Infrastructure (PMI) löst in Rechnernetzen das Problem der Autorisierung zum Zugriff auf Ressourcen. Eine PMI besteht aus folgenden Elementen: Privileg Prüfer: Der Privileg Prüfer prüft Nutzungsansprüche von Privilegien… …   Deutsch Wikipedia

  • Operating room management — An operating theatre (gynecological hospital of Medical University of Silesia in Bytom) Operating room management is the science of how to run an Operating Room Suite. Operational operating room management focuses on maximizing operational… …   Wikipedia

  • Инфраструктура — (Infrastructure) Инфраструктура это комплекс взаимосвязанных обслуживающих структур или объектов Транспортная, социальная, дорожная, рыночная, инновационная инфраструктуры, их развитие и элементы Содержание >>>>>>>> …   Энциклопедия инвестора

  • PERMIS — (PrivilEge and Role Management Infrastructure Standards) is a sophisticated policy based authorisation system that implements an enhanced version of the U.S. National Institute of Standards and Technology (NIST) standard Role Based Access Control …   Wikipedia

  • X.509 — In cryptography, X.509 is an ITU T standard for a public key infrastructure (PKI) for single sign on and Privilege Management Infrastructure (PMI). X.509 specifies, amongst other things, standard formats for public key certificates, certificate… …   Wikipedia

  • инфраструктура — 3.3.3 инфраструктура (infrastructure): «Организация» Совокупность зданий, оборудования и служб обеспечения, необходимых для функционирования организации (3.3.1). Источник: ГОСТ Р ИСО 9000 2008: Системы менеджмента качества. Основные положения и… …   Словарь-справочник терминов нормативно-технической документации

  • PMI — may stand for:* Mathematical induction, a principle of mathematics * Private Medical Insurance, a type of insurance * Peoples Ministry Inc., A Christian ministry in Toronto, Ontario, Canada, that operates Peoples Christian Academy * People s… …   Wikipedia

  • ГОСТ Р ИСО/ТС 22600-2-2009: Информатизация здоровья. Управление полномочиями и контроль доступа. Часть 2. Формальные модели — Терминология ГОСТ Р ИСО/ТС 22600 2 2009: Информатизация здоровья. Управление полномочиями и контроль доступа. Часть 2. Формальные модели: 2.7 авторизация (authorization): Процесс предоставления прав, включая предоставление прав на доступ.… …   Словарь-справочник терминов нормативно-технической документации

  • PMI — ist eine Abkürzung für: Polymethacrylimid, ein Hartschaumstoff Post Merger Integration im Rahmen einer Fusion von Unternehmen Postmortales Intervall – in der Forensik der Zeitraum vom Eintritt des Todes bis zur Untersuchung der Leiche durch den… …   Deutsch Wikipedia

  • PMI — PMI: Институт по Управлению Проектами  англ. Project Management Institute, PMI Инфраструктура управления привилегиями (подтип PKI)  англ. Privilege Management Infrastructure, PMI Петербургская Музыкальная Индустрия… …   Википедия