Departmental Papers (CIS)

Date of this Version

May 2007

Document Type

Journal Article


Postprint version. Published in ACM Transactions on Internet Technology, Volume 7, Issue 2, May 2007, pages 1-22.
Publisher URL:


Maximizing local autonomy by delegating functionality to end nodes when possible (the "end to end" design principle) has led to a scalable Internet. Scalability and the capacity for distributed control have unfortunately not extended well to resource access-control policies and mechanisms. Yet management of security is becoming an increasingly challenging problem, in no small part due to scaling up of measures such as number of users, protocols, applications, network elements, topological constraints, and functionality expectations.

In this paper we discuss scalability challenges for traditional access control mechanisms at the architectural level, and present a set of fundamental requirements for authorization services in large-scale networks. We show why existing mechanisms fail to meet these requirements, and investigate the current design options for a scalable access control architecture.

We argue that the key design options to achieve scalability are the choice of the representation of access control policy, the distribution mechanism for policy and the choice of access-rights revocation scheme. Although these ideas have been considered in the past, current access-control systems in use continue to use simpler but restrictive architectural models. With this paper, we hope to influence the design of future access-control systems towards more decentralized and scalable mechanisms.


large-scale systems, access control, authorization, credentials, delegation, distributed systems, security policy, trust management



Date Posted: 06 June 2008

This document has been peer reviewed.