A Critical Review of the Resource Access Decision Specification in CORBA

Michael Schneider, Markus Aleksy, Axel Korthaus, Martin Schader
University of Mannheim, Germany
{schneider|aleksy|korthaus|schader}@wifo3.uni-mannheim.de

Abstract

This article critically analyzes access control in CORBA applications that is based on the OMG's Resource Access Decision Facility specification. After a short presentation of the RAD Facility, we discuss its strengths and weaknesses and describe shortcomings of the current version of the specification. Finally, possible reasons for the industry's reluctance to accept this approach are presented.

1. Introduction

Presently, several techniques for developing distributed applications are available. The Common Object Request Broker Architecture (CORBA) standard [9] is widespread in the field of object-oriented, distributed systems. Not only does it offer independence of computer architecture, operating system and programming language, but also independence from a particular Object Request Broker (ORB) vendor. The latter was made possible in CORBA 2.0 by introducing a unique object reference, the so-called Interoperable Object Reference (IOR), and a standardized transmission protocol, the so-called Internet Inter-ORB Protocol (IIOP).

The ORB forms the basic component for communication in distributed applications. In order to support developers in their work, the OMG has standardized several low-level services—the CORBAservices. They add frequently used functions like event handling, trading or security to the base functionality of the ORB. Apart from that, the OMG puts a lot of effort into establishing standards for vertical markets—e.g. healthcare, telecommunication, and manufacturing. These so-called Domain CORBAfacilities also include the Resource Access Decision (RAD) Facility [7].

1.1. CORBA Security and Access Control

The CORBA Security Service specification [8] defines the CORBA interfaces provided for the purposes of access control, authentication, non-repudiation and auditing. Access control is of special interest in connection with the OMG's RAD Facility. This section introduces the concepts of access control using the terminology established for CORBA Security. This helps in understanding the RAD Facility, as the same terms are used in its specification.

Access control denotes a mechanism to decide whether a principal is allowed access to a secured resource, depending on the principal's security attributes and the access control policies associated with the secured resource. A principal is a human user or system entity that is registered and authenticated in the system. Its security attributes determine which actions the principal is allowed to perform. Resources secured by access rules are called secured resources. They range from coarse-grained resources such as an entire system or database to fine-grained resources like individual data elements. Access control policies determine which principal is allowed access to which resource. Access control also comprises the way in which security administrators can specify access control policies.

1.2. Motivation

One reason for application-level access control is the necessity of fine-grained access control. Access control mechanisms provided by the CORBA Security Service merely allow access control at the operation level. This is not enough if the sensitivities of information accessed by the same operation differ (cf. [1], p. 4). For example, employee data in a company is likely to have elements of different sensitivity, such as phone numbers and salaries. Another reason to realize access control inside the application is the fact that access decisions may depend on application-specific factors.
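The following Python sketch is an added illustration of the concepts in sections 1.1 and 1.2; it is not code from the paper and does not model the OMG RAD Facility interfaces themselves. It uses the paper's vocabulary (principal, security attributes, hierarchical secured resource names, access control policy) and shows why an operation-level check cannot separate a phone number from a salary returned by the same operation, and how an application-specific factor (reading one's own record) enters the decision. All principals, roles, resource names and employee records are constructed for the example.

```python
"""Added example: application-level access decisions for fine-grained
secured resources, using the vocabulary of section 1.1.  Not the OMG RAD
Facility API; every name, role and record below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """A registered and authenticated user; its roles are its security attributes."""
    name: str
    roles: frozenset


@dataclass(frozen=True)
class Rule:
    """One access control policy entry: who may perform `operation` on the
    secured resource named `resource` and on everything beneath it."""
    resource: tuple          # hierarchical name, coarse to fine, e.g. ("hr_db", "employee", "salary")
    operation: str           # e.g. "read" or "update"
    allowed_roles: frozenset  # any one of these roles is sufficient


class AccessDecision:
    """Central decision point the application consults instead of embedding
    the policy in its own code.  The most specific rule for a resource wins."""

    def __init__(self, rules):
        self.rules = list(rules)

    def access_allowed(self, principal, operation, resource, owner=None):
        # Application-specific factor (section 1.2): a principal may always
        # read the record that belongs to itself, whatever the rules say.
        if operation == "read" and owner is not None and owner == principal.name:
            return True
        # Walk from the full resource name up to the root and stop at the
        # first level that has a rule for this operation.
        for depth in range(len(resource), 0, -1):
            prefix = resource[:depth]
            matching = [r for r in self.rules
                        if r.resource == prefix and r.operation == operation]
            if matching:
                return any(principal.roles & r.allowed_roles for r in matching)
        return False  # default deny: no rule covers this resource at all


# Constructed policy: all staff may read employee records, but the salary
# element is restricted to HR and managers; only HR may update anything.
RULES = (
    Rule(("hr_db", "employee"), "read", frozenset({"staff"})),
    Rule(("hr_db", "employee", "salary"), "read", frozenset({"hr", "manager"})),
    Rule(("hr_db",), "update", frozenset({"hr"})),
)
DECISION = AccessDecision(RULES)

# Constructed employee records: one operation serves data of differing sensitivity.
EMPLOYEES = {
    "alice": {"phone": "555-0100", "salary": 52000},
    "bob": {"phone": "555-0101", "salary": 61000},
}


def read_employee_field(principal, employee, field, decision=DECISION):
    """The single application operation that returns one data element, or None
    when the decision denies it.  An operation-level check could only allow or
    deny this whole function; it could not tell phone from salary."""
    resource = ("hr_db", "employee", field)
    if not decision.access_allowed(principal, "read", resource, owner=employee):
        return None
    return EMPLOYEES[employee][field]


def update_employee_field(principal, employee, field, value, decision=DECISION):
    """Returns True when the update was permitted and applied, False otherwise."""
    resource = ("hr_db", "employee", field)
    if not decision.access_allowed(principal, "update", resource):
        return False
    EMPLOYEES[employee][field] = value
    return True


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"staff"}))
    carol = Principal("carol", frozenset({"staff", "hr"}))
    print(read_employee_field(alice, "bob", "phone"))    # 555-0101: staff may read phones
    print(read_employee_field(alice, "bob", "salary"))   # None: salary rule is more specific
    print(read_employee_field(alice, "alice", "salary")) # 52000: own record
    print(read_employee_field(carol, "bob", "salary"))   # 61000: HR role
```

The design point is the separation the paper argues for: the application asks a decision object with a resource name and an operation, and the policy (which can be as fine-grained as a single data element) is administered in one place rather than being spread across application code.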
By embedding access control logic into application logic, developers can control access at an arbitrary level of granularity and use highly complex access control policies. This approach, however, causes the following problems:

Security administrators in companies have to configure access control logic on an application-by-application basis. This is prone to