There are three major drawbacks of a centralized security administration in distributed systems: It creates a bottleneck for request handling, it tends to enforce homogeneous security structures in heterogeneous user groups and organizations, and it is a weak point in terms of security attacks, reliability, and fault tolerance. In this paper we introduce a distributed authorization concept which is based on a modular authorization language for supporting cooperatingdistributed authorization teams. These teams are partially ordered into a hierarchy in that they inherit authorization rules from higher order teams but still exercise their autonomy by (dynamically) setting local rules that serve the special local needs in distributed organizations.Conflictsbetween between rules inherited from different higher ranking sources, orviolationsof higher order rules through local rules would be detected, on the logical level or through request evaluation, as contradictions or contradicting results, respectively. Conflict resolution mechanisms are presented, and examples are discussed extensively.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Elisa Bertino , Francesco Buccafurri , Elena Ferrari , Pasquale Rullo, An Authorization Model and Its Formal Semantics, Proceedings of the 5th European Symposium on Research in Computer Security, p.127-142, September 16-18, 1998
	2	Elisa Bertino , Sushil Jajodia , Pierangela Samarati, A flexible authorization mechanism for relational data management systems, ACM Transactions on Information Systems (TOIS), v.17 n.2, p.101-140, April 1999  [doi>10.1145/306686.306687]
	3	Piero Bonatti , Sabrina de Capitani di Vimercati , Pierangela Samarati, A modular approach to composing access control policies, Proceedings of the 7th ACM conference on Computer and communications security, p.164-173, November 01-04, 2000, Athens, Greece  [doi>10.1145/352600.352623]
	4	Sushil Jajodia , Pierangela Samarati , V. S. Subrahmanian, A Logical Language for Expressing Authorizations, Proceedings of the 1997 IEEE Symposium on Security and Privacy, p.31, May 04-07, 1997
	5	Sushil Jajodia , Pierangela Samarati , V. S. Subrahmanian , Eliza Bertino, A unified framework for enforcing multiple access control policies, Proceedings of the 1997 ACM SIGMOD international conference on Management of data, p.474-485, May 11-15, 1997, Tucson, Arizona, United States
	6	D. Jonscher , K. R. Dittrich, Argos—a configurable access control system for interoperable environments, Proceedings of the ninth annual IFIP TC11 WG11.3 working conference on Database security IX : status and prospects: status and prospects, p.43-60, January 1996, Rennselaerville, New York, United States
	7	Sylvia Osborn , Yuxia Guo, Modeling users in role-based access control, Proceedings of the fifth ACM workshop on Role-based access control, p.31-37, July 26-28, 2000, Berlin, Germany  [doi>10.1145/344287.344299]
	8	Ravi Sandhu , David Ferraiolo , Richard Kuhn, The NIST model for role-based access control: towards a unified standard, Proceedings of the fifth ACM workshop on Role-based access control, p.47-63, July 26-28, 2000, Berlin, Germany  [doi>10.1145/344287.344301]
	9	H. F. Wedde, B. Korel, S. Chen, D. C. Daniels, S. Nagaraj, and B. Santhanam. Transparent Access to Large Files That Are Stored across Sites. In Readings in Distributed Computing Systems Theory. IEEE Computer Society Press, 1994.
	10	H. F. Wedde and M. Lischka. New Dimensions in Distributed Journalism Through Dragon Slayer III. In Proc. of the 7th Euromicro Workshop on Parallel and Distributed Processing, Madeira, Portugal, Feb 1999. Euromicro, IEEE Computer Society Press.
	11	H. F. Wedde and J.-O. Siepmann. A Universal Framework for Managing Metadata in the Distributed Dragon Slayer System. In Euromicro Workshop on Multimedia and Telecommunications. Euromicro, IEEE Computer Society Press, Sept. 2000.