<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Distributed Access Control Management in Federated Identity Systems</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Manuel Gil Perez</string-name>
          <email>mgilperez@um.es</email>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Gabriel Lopez</string-name>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Antonio F. Gomez Skarmeta</string-name>
          <email>skarmeta@um.es</email>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Alberto Sicre Vara-De-Rey</string-name>
          <email>alberto.sicre@atosresearch.eu</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Aljosa Pasic</string-name>
          <email>aljosa.pasic@atosresearch.eu</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>ATOS Origin</institution>
          ,
          <addr-line>Albarracin 25, 28037 Madrid</addr-line>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>Departamento de Ingeniería de la Información y las Comunicaciones, University of Murcia</institution>
          ,
          <country country="ES">Spain</country>
        </aff>
      </contrib-group>
      <abstract>
        <p>Identity federation provides a powerful way of managing sensitive information about its users. However, as the number of members increases, the management of the policies defined by the federation becomes more and more complex. In this paper, we present a mechanism to manage this complexity by means of administrative delegation. It allows the administrators of an institution to delegate part of these policies to other users, who also have more knowledge of the scope in which the policies will be enforced. The proposal also introduces a way of reducing the added complexity that this new sort of policies brings for users without deep knowledge of policy management.</p>
      </abstract>
      <kwd-group>
        <kwd>administrative delegation</kwd>
        <kwd>delegation policies</kwd>
        <kwd>access control</kwd>
        <kwd>distributed authorization</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>Introduction</title>
      <p>As the number of members of an institution increases, new institutions join the
same federation, or the policies defined in a federation change due to the highly
dynamic nature of this sort of system, the management of those policies becomes
more and more complex. This is mainly due to the large number of policies that
have to be managed: access control policies, privacy policies, or validation
policies based on LoA (Level of Assurance), among others.</p>
      <p>
        In order to reduce this complexity, the system administrator of an institution
can delegate to third parties, called delegates, the management of a subset of the
system policies. In this way the management of those policies is not only
distributed among other people, but handed to those who have more knowledge of
the application area in which the policies will be used. This process, in which
the administrator transfers the management of a subset of policies to a
delegated person, is commonly known as administrative delegation [
        <xref ref-type="bibr" rid="ref1 ref2">1, 2</xref>
        ].
      </p>
      <p>The introduction of this new sort of policies is a value-added service for
current identity systems, but it also presents some drawbacks that have to be
handled suitably:</p>
      <list list-type="bullet">
        <list-item>
          <p>The number of policies to manage increases: the system administrator now has
to manage both the policies that already existed (access control policies for
services and resources, privacy policies, etc.) and this new sort of policies.</p>
        </list-item>
        <list-item>
          <p>The delegates are usually users with no knowledge of policy management, of
access control languages such as XACML, etc. We therefore have to make the
generation and management of this new sort of policies as easy and intuitive as
possible for them.</p>
        </list-item>
      </list>
      <p>As we can see, even though the workload of the administrator is reduced and
distributed among several delegates, policy management as a whole (including the
administrative policies) becomes more complex. It is therefore not enough to
define policies for administrative delegation; an infrastructure that manages
these policies, and that helps the delegates in particular to carry out these
tasks, is also necessary.</p>
    </sec>
    <sec id="sec-2">
      <title>Application Scenario</title>
      <p>As an example of administrative delegation in a real environment, let us
suppose a scenario in which the administrator of an institution delegates to
every head of department the policies that grant access to the people under
their supervision. The heads of department know their own employees better than
the system administrator does. In this scenario, the system administrator
delegates to each head of department the definition of which employees have
access to the network, as well as the connection schedule according to their
workday; that information is perfectly known by each head of department.</p>
      <p>This example scenario shows the use of administrative delegation to avoid the
system administrator having to create access control policies for a set of
people he (probably) does not know. Instead, each head of department, once
authorized as a delegate by the system administrator, is the person in charge of
controlling his employees' access to the network by creating the needed access
policies with the adequate information.</p>
    </sec>
    <sec id="sec-3">
      <title>Delegation Policy Management</title>
      <p>
        As a solution to the problems discussed above, this work adds a set of new
components to the Segur@-DAMe identity federation [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ] for
managing the complete life cycle of these new policies. We have also defined
a mechanism that generates a set of templates (Web forms) to help delegates
perform these administrative tasks in a simple and intuitive way. These
templates are generated automatically by the infrastructure from the
administrative delegation policies created by the system administrator.
      </p>
      <p>
        To this end, our infrastructure makes use of XACML 3.0 (eXtensible Access
Control Markup Language), whose administration and delegation profile [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ] adds new
features for the definition of delegation policies. These additions allow any
person in an institution who holds a certain privilege to delegate it to
another person.
      </p>
      <p>In this sense, XACML 3.0 defines a new element, PolicyIssuer, that states
who issued a given policy. With this element the system can identify the issuer
and verify, just before the policy is used, whether that issuer was entitled to
delegate the enclosed privilege. A policy with no issuer element is considered
trusted and is therefore handled by the PDP (Policy Decision Point) as a
traditional policy. The administrative policy below, created by the system
administrator for the scenario of Section 2, delegates access to the network to
anyone whose position is head of department; it carries no PolicyIssuer, so it
is trusted as-is.</p>
      <preformat>
&lt;Policy&gt;
  &lt;Target&gt;
    ...
    &lt;AttributeDesignator AttributeId="resource-id"
                         Category="...:delegated:...:resource"/&gt;
    &lt;AttributeValue&gt;Network&lt;/AttributeValue&gt;
    ...
    &lt;AttributeDesignator AttributeId="action-id"
                         Category="...:delegated:...:action"/&gt;
    &lt;AttributeValue&gt;Access&lt;/AttributeValue&gt;
    ...
    &lt;AttributeDesignator Category="...:delegate"
                         AttributeId="schacPersonalPosition"/&gt;
    &lt;AttributeValue&gt;Head Department&lt;/AttributeValue&gt;
    ...
  &lt;/Target&gt;
  &lt;Rule Effect="Permit"/&gt;
  ...
&lt;/Policy&gt;
      </preformat>
      <p>[Fig. 1 labels: Administrative Policy (generated by the administrator); Access
Control Policy (generated by the system from the information typed by the
delegate in the Web form).]</p>
      <p>
        As already mentioned, the main goal of our infrastructure is to provide
delegates with an easy and intuitive way of creating the access control policies
for which they are responsible. For this purpose we use a PMT (Policy Management
Tool) that parses administrative policies and extracts the information needed to
generate the corresponding templates automatically. The PMT carries out this
task with XSL transformations [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ], taking as input the administrative policy
created by the administrator. The information that cannot be found directly in
that policy (in the scenario above, which employee is granted access and during
which hours) is requested from the delegate as input fields of the template.
      </p>
      <p>Fig. 1 depicts this process schematically: 1) generating the templates (Web
forms) from the administrative policy created by the system administrator (top
of the figure); and 2) generating the final access control policies from parts
of the administrative policy plus the information provided by the delegate in
the Web form (right-hand side of the figure). Both steps are carried out
automatically by the XSL transformations mentioned above.</p>
    </sec>
    <sec id="sec-4">
      <title>Conclusion</title>
      <p>As we have seen throughout this paper, we have presented a new way of
managing administrative delegation in which the system administrators of any
institution belonging to the same identity federation can delegate part of their
work to third parties. With the help of this system, policy management is
distributed to those people who know the scope in which the policies will later
be applied better than the system administrator does.</p>
      <p>To this end, our infrastructure automatically generates a set of templates
(Web forms) from the administrative policies created by the administrators. The
delegates, who (probably) have no idea how to create policies, can then fill in
these templates in an easy and intuitive way.</p>
    </sec>
    <sec id="sec-5">
      <title>Acknowledgment</title>
      <p>This work has been funded by the CENIT Segur@ (Seguridad y Confianza en
la Sociedad de la Información) project. The authors would also like to thank the
Funding Program for Research Groups of Excellence with code 04552/GERM/06
granted by the Fundación Séneca.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          1.
          <string-name>
            <given-names>E.</given-names>
            <surname>Rissanen</surname>
          </string-name>
          and
          <string-name>
            <given-names>B.S.</given-names>
            <surname>Firozabadi</surname>
          </string-name>
          .
          <article-title>Administrative Delegation in XACML - Position Paper</article-title>
          . Swedish Institute of Computer Science,
          <year>September 2004</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          2.
          <string-name>
            <given-names>K.</given-names>
            <surname>Gaaloul</surname>
          </string-name>
          and
          <string-name>
            <given-names>F.</given-names>
            <surname>Charoy</surname>
          </string-name>
          .
          <article-title>Task Delegation Based Access Control Models for Workflow Systems</article-title>
          .
          <source>In I3E '09: Proceedings of the 9th IFIP Conference on e-Business, e-Services and e-Society</source>
          , pages
          <fpage>400</fpage>
          -
          <lpage>414</lpage>
          ,
          <year>2009</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          3. The CENIT Segur@ Project.
          <article-title>Seguridad y Confianza en la Sociedad de la Información</article-title>
          . http://www.cenitsegura.com.
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          4. E. Rissanen (editor).
          <source>XACML v3.0 Administration and Delegation Profile Version 1.0</source>
          .
          <source>Committee Draft</source>
          <volume>01</volume>
          ,
          <year>April 2009</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          5. M. Kay (editor).
          <source>XSL Transformations (XSLT) Version 2.0</source>
          . W3C Recommendation,
          <year>January 2007</year>
          .
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>