Journal of Computers 2010
An Auto-revocation Supported Delegation Model

Keywords: information security, access control, delegation, auto revocation, attribute

Abstract: We have proposed an Attribute-Based Delegation Model (ABDM), in which a delegatee must satisfy both the delegation prerequisite condition (CR) and the delegation attribute expression (DAE) when assigned to a delegation role. ABDM introduces auto revocation mechanisms to support two new types of auto revocation: revocation triggered by a change in the user's delegation attribute expression, and revocation triggered by a change in the delegated permission's delegation attribute expression. Both differ from existing revocations. ABDM also supports auto revocation triggered by time. This paper also discusses the system cost of auto revocation and the security of multi-step delegation. An auto revocation algorithm and a system architecture are proposed at the end of this paper.