Morris Sloman

Selected Publications

Last Updated 31 Dec. 2006

More detailed publication list 

Management General

Strowes S, Badr N, Dulay N, Heeps S, Lupu EC, Sloman M, Sventek J, An Event Service Supporting Autonomic Management of Ubiquitous Systems for e-Health, Intl. Workshop on Distributed Event-Based Systems, 2006  publication

Asmare EA, Dulay N, Kim H, Lupu EC, Sloman M, Management Architecture and Mission Specification for Unmanned Autonomous Vehicles, Systems Engineering for Autonomous Systems Defence Technology Centre Conference, Edinburgh, UK, 2006 PDF

Dulay N, Heeps S, Lupu EC, Sharma O, Sloman M, Sventek J, Autonomic Management for Ubiquitous e-Health Systems, UK e-Science Programme All Hands Conference, Nottingham, Sept. 2005 (AHM2005) PDF

M. Mansouri-Samani, M.Sloman, A Generalised Event Monitoring Language for Distributed Systems, IEE/IOP/BCS Distributed Systems Engineering Journal, vol 4, no 2, June 1997, pp 96-108. PDF

M. Sloman, Management Issues for Distributed Services, Proc. IEEE Second International Workshop on Services in Distributed and Networked Environments (SDNE 95), Whistler, British Columbia, Canada, 5-6 June 1995, IEEE Computer Society Press, pp 52-59. Postscript

M. Sloman, Network and Distributed Systems Management, Addison Wesley, 1994
A reference book of chapters by various authors.

M. Sloman, Domain Management and Accounting in an International Cellular Network Editors: H.-G. Hegering, Y. Yemini
Conference: Proc. IFIP  Third International Symposium on Integrated Network Management, San Francisco, Apr. 1993, North-Holland,
pp 193-206 Postscript

Management Policy

Sloman, M, Lupu, E, Security and management policy specification, IEEE NETWORK, 2002, Vol: 16, Pages: 10 - 19 PDF

L. Lymberopoulos, E. Lupu and M. Sloman. Ponder Policy Implementation and Validation in a CIM and Differentiated Services Framework. IFIP/IEEE Network Operations and Management Symposium (NOMS 2004), Seoul, Korea, April 2004   PDF

L. Lymberopoulos, E. Lupu and M. Sloman An Adaptive Policy Based Framework for Network Services Management, Plenum Press Journal of Network and Systems Management, Special Issue on Policy Based Management, Vol 11, No. 3 Sep. 2003, p277-303 PDF

Lymberopoulos,L., Sloman,M., Using CIM to realize policy validation within the ponder framework (Prize winning paper in the Academic Alliance Competition), DMTF global management conference, San-Jose, California, June 2003, PDF

N. Damianou, N. Dulay, E. Lupu, M. Sloman, T. Tonouchi: Tools for Domain-based Policy Management of Distributed System, IEEE/IFIP Network Operations and Management Symposium (NOMS2002), Florence, Italy, 15-19 April, 2002 PDF

L. Lymberopoulos, E. Lupu and M. Sloman An Adaptive Policy Based Management Framework for Differentiated Services Networks, Proc. 3rd IEEE Workshop on Policies for Distributed Systems and Networks (Policy 2002), Monterey, California, June 2002, pp147-158 PDF

N. Damianou, A. Bandara, M. Sloman, E. Lupu,  A Survey of Policy Specification Approaches, 
April 2002,  PDF

N. Damianou, N. Dulay, E. Lupu, M. Sloman: The Ponder Specification Language
Workshop on Policies for Distributed Systems and Networks (Policy2001), HP Labs Bristol, 29-31 Jan 2001.
PDF 

N. Dulay, E. Lupu, M. Sloman, N. Damianou: A Policy Deployment Model for the Ponder Language
An extended version of paper in Proc. IEEE/IFIP International Symposium on Integrated Network Management (IM’2001), Seattle, May 2001, IEEE Press.
PDF 

N. Damianou, N. Dulay, E. Lupu, M. Sloman: Ponder: A Language for Specifying Security and Management Policies for Distributed Systems
Imperial College Research Report DoC 2001, Oct. 2000  Report-PDF

E. Lupu, M. Sloman, N. Dulay, N. Damianou: Ponder: Realising Enterprise Viewpoint Concepts
4th International Enterprise Distributed Object Computing Conference (EDOC2000), Makuhari, Japan, 25-28 Sept. 2000, pp.66-75
PDF 

E. Lupu and M. Sloman Conflicts in Policy-based Distributed Systems Management
IEEE Transactions on Software Engineering - Special Issue on Inconsistency Management, Vol 25, No. 6  Nov. 1999, pp. 852-869. Pdf file

M.Sloman, E. Lupu  Policy Specification for Programmable Networks
Extended version of paper in Proceedings of First International Working Conference on Active Networks  (IWAN’99), Berlin, June  1999,  ed. S. Covaci, published by Springer Verlag Lecture Notes  in Computer Science Pdf

D. Marriott, M. Sloman, Implementation of a Management Agent for Interpreting Obligation Policy
IEEE/IFIP Workshop on Distributed Systems Operations and Management (DSOM '96), L'Aquila, Italy, Oct 1996. Postscript

M. Sloman, Policy Driven Management For Distributed Systems, Plenum Press Journal of Network and Systems Management, vol 2, no. 4, Dec. 1994, pp. 333-360 Postscript

J. Moffett, M. Sloman, Policy Hierarchies for Distributed Systems Management
IEEE Journal on Selected Areas in Communications, Vol. 11 No.  9, Dec. 1993, pp. 1404-1414 Postscript

J. Moffett, M. Sloman, User and Mechanism Views of Distributed Systems Management,
IEE/IOP/BCS Distributed Systems Engineering Journal Vol. 1, No.1,  Aug. 1993, pp.37-47 Postscript

Policy Analysis and Refinement

Bandara A, Lupu EC, Russo A, Dulay N, Sloman M, Flegkas P, Charalambides M, Pavlou G, Policy Refinement for DiffServ Quality of Service Management e-Transactions on Network and Service Management, 2006, Vol: 2, No. 2  PDF

Charalambides M, Flegkas P, Pavlou G, Bandara A, Dulay N, Lupu EC, Rubio-Loyola J, Russo A, Sloman M, Dynamic Policy Analysis and Conflict Resolution for DiffServ Quality of Service Management, IFIP/IEEE Network Operations and Management Symposium (NOMS 2006), IEEE Computer Society, 2006  

Kamoda H, Yamaoka M, Matsuda S, Broda K, Sloman M, Access Control Policy Analysis Using Free Variable Tableaux, Information Processing Society of Japan (IPSJ) Digital Courier, 2006, Vol: 2, Pages: 207 - 221  Article

Hiroaki Kamoda, Masaki Yamaoka, Shigeyuki Matsuda, Krysia Broda, and Morris Sloman, Policy Conflict Analysis Using Free Variable Tableaux for Access Control in Web Services Environments, Proc.  Policy Management for the Web, A WWW2005 Workshop 14th International World Wide Web Conference 10 May 2005, Chiba, Japan, May, 2005, pp.5-12. 
available from  http://www.cs.umbc.edu/pm4w/program.html

Hiroaki Kamoda, Akihiro Hayakawa, Masaki Yamaoka, Shigeyuki Matsuda, Krysia Broda, and Morris Sloman, Policy Conflict Analysis Using Tableaux for On Demand VPN Framework, Proceedings of the Sixth IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks, Taormina - Giardini Naxos, Italy 13-16 June 2005, IEEE Computer Society, June, 2005, pp.565-569. PDF

A. Bandara, E. Lupu, A. Russo, N. Dulay, M. Sloman, P. Flegkas, M. Charalambides, G. Pavlou Policy Refinement for DiffServ Quality of Service Management Proceedings 9th IEEE/IFIP Int. Symposium on Integrated Network Management (IM 2005) Nice, France, May 2005. PDF

Marinos Charalambides, Paris Flegkas, George Pavlou, Arosha K Bandara, Emil C Lupu, Alessandra Russo, Naranker Dulay, Morris Sloman, Javier Rubio-Loyola Policy Conflict Analysis for Quality of Service Management Proceedings 6th IEEE Workshop on Policies for Distributed Systems and Networks (Policy 2005) Stockholm, Sweden, June 2005. PDF

E. Lupu and M. Sloman Conflict Analysis for Management Policies, Fifth IFIP/IEEE International Symposium on Integrated Network Management IM'97, San-Diego, May 1997, Chapman & Hall Publishers, pp 430-443. Pdf

Management Roles

E. Lupu, Z. Milosevic and M.S. Sloman Use of Roles and Policies for Specifying, and Managing a Virtual Enterprise Proceedings of the 9th IEEE International Workshop on Research Issues on Data Engineering:  Information Technology for Virtual Enterprises (RIDE-VE'99). March 23-24, 1999, Sydney, Australia. Pdf

E. Lupu and M. Sloman Towards a Role-based Framework for Distributed Systems Management Journal of Network and Systems Management, vol. 5, no. 1, Plenum Press Publishing, 1997, pp 5-30. Pdf

E. Lupu and M. Sloman A Policy Based Role Object Model, First International Enterprise Distributed Object Computing Workshop (EDOC'97), Gold Coast, Queensland, Australia, Oct. 1997, pp 36-47. Pdf

Role Based Access Control,  Security and Trust

Munz G, Fessi A, Carle G, Paul O, Gabrijelcic D, Carlinet Y, Yusuf S, Sloman M, Sagmeister P, Dittmann G, van Lunteren J, DIADEM Firewall: Web Server Overload Attack Detection and Response, Broadband Europe (BBEurope), Bordeaux, France, 2005  PDF

Vrizlynn L. L. Thing, Henry C. J. Lee, Morris Sloman, Traffic Redirection Attack Protection System (TRAPS), 20th IFIP International Information Security Conference (SEC), Makuhari-Messe, Chiba, Japan, May 2005, Kluwer  PDF

Vrizlynn L. L. Thing, Henry C. J. Lee, Morris Sloman, Jianying Zhou, Enhanced ICMP Traceback with Cumulative Path, 61st IEEE Vehicular Technology Conference, Stockholm, Sweden, May 2005 PDF

M. Sloman, Trust Management in Internet and Pervasive Systems, IEEE Intelligent Systems, Vol 19, No5, Sep. 2004, pp 77-79

S.-L.Keoh, E. Lupu and M. Sloman. PEACE : A Policy-based Establishment of Ad-hoc Communities. 
In the Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC), Tucson, Arizona, USA, © IEEE Computer Society, December 6 - 10, 2004     Pdf

Lee T.K., Yusuf, S., Luk, W., Sloman, M., Lupu, E. and Dulay, N., Irregular Reconfigurable CAM structures for Firewall Applications, Proc. 13th Field Programmable Logic and Applications, Lisbon Sept. 2003, LNCS 2778, Springer. PDF 

Lee T.K., Yusuf, S., Luk, W., Sloman, M., Lupu, E. and Dulay, N. Development framework for firewall processors. Proc. IEEE International Conference on Field-Programmable Technology, 2002, pp. 352-355. PDF

Grandison T., Sloman, M. Specifying and Analysing Trust for Internet Applications
2nd IFIP Conference on e-Commerce, e-Business, e-Government, I3e2002, Lisbon Oct. 2002  PDF

Grandison T, Sloman M, Trust Management Tools for Internet Applications
Proc 1st Int.Conference on Trust Management, May 2003, Crete, Springer LNCS 2692, pp 91-107
Pdf

Grandison T., Sloman, M. A Survey of Trust in Internet Applications,
IEEE Communications and Surveys, Fourth quarter 2000, http://www.comsoc.org/pubs/surveys  PDF, HTML

E. Lupu, M. Sloman, Reconciling Role Based Management and Role Based Access Control, Second Role Based Access Control Workshop (RBAC'97), George Mason University, Virginia, USA, Nov. 1997, pp 135-141. Pdf

N. Yialelis, E. Lupu, M. Sloman Role-Based Security for Distributed Object Systems, IEEE WET-ICE, Stanford, 1996. Pdf

Yialelis, N., Sloman, M. A Security Framework Supporting Domain Based Access Control in Distributed Systems,
Internet Society Symposium on Network and Distributed System Security, San Diego, Feb. 1996, Published by IEEE, pp. 26-39. Postscript

E. Lupu, D. Marriott, M. Sloman, N. Yialelis A Policy Based Role Framework for Access Control, First ACM/NIST Workshop on Role-Based Access Control, Gaithersburg, Maryland, USA, Dec. 1995. Pdf

Mobile and Ubiquitous Computing

See Dan Chalmers Page
Chalmers D, Dulay N,  Sloman M, A Framework For Contextual Mediation in Mobile and Ubiquitous Computing Applied to the Context-Aware Adaptation of Maps, Personal and Ubiquitous Computing, Springer-Verlag, vol.8 no.1, Feb. 2004, pp1-18 pdf

Will Pervasive Computing be Manageable?  
Invited Keynote Talk, HP OpenView 2001, New Orleans, June 2001

Daniel Chalmers, Morris Sloman A Survey of Quality of Service in Mobile Computing Environments IEEE Communications Surveys April, 1999 PDF

Configuration Management

See other related work at IC: Ares Project, Darwin

K. Krishnakumar, M. Sloman, Constraint-Based Configuration of Proxylets for Programmable Networks
Proc. 8th International Workshop on Interactive Distributed Multimedia Systems (IDMS’2001), Lancaster, UK, 4-7 Sep 2001, Springer LNCS 2158, pp. 245-256 PDF

H. Fossa, M. Sloman Interactive Configuration Management For Distributed Object Systems, IEEE Proc. First International Enterprise Distributed  Object Computing Workshop (EDOC'97), Gold Coast, Queensland, Australia, Oct. 1997, pp 118-128. Pdf

Fossa H., Sloman M. Implementing Interactive Configuration Management for Distributed Systems, Third IEEE Int. Conference on Configurable Distributed Systems, Annapolis, May 1996, pp. 44-51.  Postscript 

Crane S., Dulay N., Fossa H., Magee J., Sloman M. Configuration Management for Distributed Software Services,  Proc. IFIP Int. Symposium on Integrated Network Management (ISINM 95), Santa Barbara, Chapman Hall, May 1995, pp. 29-42. PDF

Recent PhD Theses Supervised

Leonidas Lymberopoulos: An Adaptive Policy Based Framework for Network Management, October 2004
PDF (4MB)

Tyrone Grandison: Trust Management for Internet Applications, July 2003
PDF

Dan Chalmers: Contextual Mediation to Support Ubiquitous Computing, August 2002
Abstract, PDF

Nicodemos Damianou: A Policy Framework for Management of Distributed Systems, March 2002
Abstract,   PDF

Emil Lupu: A Role-Based Framework for Distributed Systems Management, July 1998
Abstract, PDF

Damian Marriott: Policy Service for Distributed Systems, Oct. 1997
Abstract,   Postscript

Halldor Fossa: Interactive Configuration Management for Distributed Systems, Sep. 1997
Abstract, Postscript

Mark Nuttall: Cluster Load Balancing using Process Migration, Aug. 1997
Abstract, Postscript

Nicholas Yialelis: Domain-Based Security for Distributed Object Systems, Oct. 1996
Abstract, Postscript

Masoud Mansouri-Samani: Monitoring of Distributed Systems, Dec. 1995
Abstract, Postscript


Abstracts

Halldor Fossa  PhD Thesis

PhD Thesis: Interactive Configuration Management for Distributed Systems

Publisher: Dept. of Computing, Imperial College, London
Date: Sep. 1997
URL (compressed postscript): http://www-dse.doc.ic.ac.uk/dse-papers/management/FOSSA-THESIS.PS.GZ

Abstract

Distributed software systems are growing in complexity as organisations demand more functionality from their systems. Large, long-running applications cannot be shut down for maintenance, and changes must be introduced dynamically to a running system. Such operational and evolutionary changes require that external, run-time managers can view and interactively modify the structure of an application. This thesis focuses on configuration management in terms of the components of a software system, their interconnecting bindings and the allocation of component instances to physical hosts. A configuration language is often used to describe composite components which define the initial application structure. This thesis presents an environment which extends this approach by allowing interactive configuration management of running applications. This approach is integrated with a general-purpose management environment based on domains for grouping and partitioning managed objects. Key features presented include:

• Integration with Configuration Language. The environment supports the Darwin configuration language concepts of component composition, instantiation and binding. A component instance and the software interfaces it provides and requires are represented by a configuration domain. Once a programmed configuration has been created, its hierarchical structure and interfaces are fully represented in the domain management environment, so that they can be monitored and reconfigured on-line using a suite of management tools.
• Support for Interactive Creation and Binding. New components can be created and integrated into running configurations in different ways. Where a component requires an external service, it can be bound interactively to services provided by other components. Safe rebinding is synchronised with the application component which decides when the old binding is no longer needed. All binding forms and rebinding stages are visualised in the management environment.
• Graphical Management Environment. The presented management architecture includes a domain browser, which displays (configuration) domain hierarchy. It supports general-purpose invocation of interfaces in domains, and can be used for many forms of management, including configuration. An on-line, configuration manager shows the components and bindings in a composite component, and supports graphical configuration evolution and maintenance.
• Persistent Configurations. The environment encompasses a facility for saving persistent representations of a running configuration to disk, and can be used to detect and display failed or unreachable components. The structural aspects of failed composites can be recreated along with the primitive application components, which can only be made persistent explicitly by programmers.

Examples are given of the use of the tools in typical configuration scenarios, and the implementation architecture based on a CORBA platform is described.


Nicholas Yialelis  PhD Thesis

Domain-Based Security for Distributed Object Systems

Date: Oct. 1996
Publisher: Imperial College, Dept. of Computing
URL (compressed postscript): http://www-dse.doc.ic.ac.uk/dse-papers/security/ny_thesis.tar.gz

Abstract

Advances in telecommunications technology have resulted in the proliferation of large distributed systems in commercial environments. Distributed systems, however, are vulnerable to unauthorised access to resources and compromise of information, either in terms of integrity or confidentiality. Furthermore, a distributed system may contain a large number of objects that are mutually suspicious making it hard to specify security policy. In addition, such a system may cross organisational boundaries necessitating decentralised security management. This thesis proposes a security architecture for distributed object systems that supports access control services based on the concept of a domain. Domains can be used to group objects in a hierarchical structure, to apply a common security policy, to reflect organisational or geographical structure, or to partition the security management in order to cope with the complexity of large distributed systems. An access control policy specifies, in terms of domains, what operations a set of subjects is permitted to perform on a set of targets. In a distributed system, however, a client often delegates access rights to a proxy server to perform operations on behalf of the client. As delegation of access rights should be controlled, the notion of the access control policy has been extended to deal with cascaded delegation. The security architecture provides a high degree of access control and authentication transparency to the application level by utilising security agents on each host. A policy dissemination mechanism has been developed to propagate policies through hierarchical domain structures to the agents of the concerned objects and deal with changes in the domain structure. The access control mechanism, which is based on the Access Control List (ACL) paradigm, enforces access control policies specified in terms of domains and deals with cascaded delegation of access rights. 
As the access control decisions are based on domain membership, there is a need to efficiently authenticate domain membership as well as object and user identity. The proposed intra-realm authentication system is based on symmetric cryptography to minimise the encryption/decryption overhead. Verification of domain membership is based on statements issued by the domain service and translated by the authentication system into the keys of the verifiers. Similarly, verification of delegation is based on delegation tokens issued by the grantors and translated into the keys of the end-points.

Keywords: access control, authentication, delegation, domains, security



Mark Nuttall PhD Thesis

Cluster Load Balancing using Process Migration

Date: Aug. 1997
Publisher: Dept. of Computing, Imperial College, London
URL (compressed postscript): http://www-dse.doc.ic.ac.uk/dse-papers/migration/migration-thesis.ps.gz

Abstract

Is process migration useful for load balancing? We present experimental results indicating that the answer to this question depends largely on the characteristics of the applied workload. Experiments with our Shiva system, which supports remote execution and process migration, show that only those CPU-bound workloads which were generated using a highly unrealistic exponential distribution for execution times show improvements for dynamic load balancing. (We use the term 'dynamic' to indicate remote execution determined at and not prior to run time. The latter is known as 'static' load balancing.) Using a more realistic workload distribution and adding a number of short-lived tasks significantly reduces dynamic algorithms' performance. Migration is only useful as a tool for balancing CPU-bound tasks with heterogeneous workloads. We find the migration of executing tasks to remote data to be effective for balancing I/O-bound workloads. Dynamic algorithms are of no use in this situation as they do not have prior knowledge of a task's function. We indicate the region of 'workload variable space' for which this migrate-to-data approach is useful. This thesis also contains a comprehensive survey of the state of load balancing research including process migration mechanism design decisions, load balancing policy interactions, numerical indices for making and assessing the effectiveness of load balancing decisions and some important issues concerning the generation and relevance of synthetic workloads. We present a generic and flexible load balancing harness capable of supporting a wide range of experimental configurations.

Keywords: Load Balancing, Process Migration



Damian Marriott PhD Thesis

Policy Service for Distributed Systems

Date: Oct. 1997
Publisher: Department of Computing, Imperial College, London
URL (compressed postscript): http://www-dse.doc.ic.ac.uk/dse-papers/management/marriott_thesis.ps.gz

Abstract

The ever-increasing size and complexity of large distributed systems makes management of the system very difficult. This thesis describes a novel policy notation supported by a policy service which permits flexible evolution of the management system. The policies are interpreted by automated managers and so can be easily modified or changed without shutting down or reprogramming the managers. Policies define the overall strategy of the management system and hence influence its behaviour. Obligation policies specify what activities a manager must perform, and authorisation policies specify what activities a manager is permitted to do. The policy service enables policies to be specified independent of the distributed agents which interpret them, thus enabling dynamic change of policies and reuse of these agents with different policies. Graphical tools are provided for specifying and interactively manipulating (distributing, enabling, disabling and removing) policies. The policy notation can be used to express both high-level (abstract) and more refined low-level (concrete) policies, and support is provided for specifying and maintaining a hierarchical refinement relationship between policies. Examples given in the thesis will show that the notation is widely applicable, to areas such as network management (e.g. traffic control), application management (e.g. licensing) and security (access control). Policies are represented as objects which specify relationships between subjects (managers) and targets (managed objects). Domains are used to group objects to which a policy applies. A policy is specified in terms of subject and target domain scope expressions, with the policy applying between all objects in the resulting sets, thus obviating the need to specify separate policies for individual objects. Changes in domain membership dynamically affect the set of objects to which the policies apply. Policies can have constraints limiting their applicability. 
Policy objects themselves can have policies specified about them, so that, for instance, authorisation policies can be used to control access to policy objects. The policy service, tools and interpreters are implemented using a CORBA-compliant distributed platform and Tcl/Tk which provides the interpreted and graphical environments.


Masoud Mansouri-Samani PhD Thesis

Monitoring of Distributed Systems

Date: December 1995
Publisher: Department of Computing, Imperial College, London
URL (compressed postscript): http://www-dse.doc.ic.ac.uk/dse-papers/management/Massoud-thesis.ps.Z

Abstract

Monitoring is essential for obtaining the required information about the operation of distributed systems in order to make management decisions and control their behaviour. This thesis presents a generic model of monitoring based on the life-cycle of monitoring information which consists of four stages - generation, processing, dissemination and presentation. A generalised monitoring service for distributed systems can be constructed as a configuration of generic components which can perform the functionalities identified in the model. Based on the model a survey of the area is presented and some representative existing approaches are described in detail.

The main contribution of this thesis is the support for a flexible and scalable distributed event monitoring service. In particular, this thesis presents features of a new declarative, interpreted and Generalised Event Monitoring language (GEM), used to program event monitors which can perform common processing activities such as filtering, composition and notification on event reports generated in a distributed system. The novelty of this work can be summarised as follows:

It allows on-the-fly detection of composite events in the presence of variable communication delays and unordered delivery of messages. The notion of real-time has been tightly integrated into the language with built-in facilities to deal with delays in a flexible and user-defined manner. Many temporal constraints which would otherwise have been very difficult to express in a distributed environment can be specified.

The interpreted nature of the language allows dynamic changes to the observed composite events. It is shown that a scalable, dynamic and distributed event processing service can be constructed as a configuration of multiple event monitors which can receive and interpret appropriate GEM scripts. This thesis describes the implementation of the event monitor and presents examples implemented in the prototype version of GEM.

 


Nicodemos Damianou PhD Thesis

A Policy Framework for Management of Distributed Systems

Department of Computing, Imperial College

March 2002

Policy-based management is one of the latest developments in network and distributed systems management. Academic and commercial settings, as well as standardisation bodies are concentrating on policy-based management as a very promising solution for managing large-scale distributed systems. The use of policy-based management in areas such as security is particularly attractive. The introduction of new technologies (e.g. active networks, mobile agents) and the use of the Internet for providing services to customers, increase the security concerns associated with today’s networked environments. Security management involves specification and deployment of access control policies as well as activities such as registration of users or logging and auditing events for dealing with access to critical resources or security violations. The management actions to be performed when an event occurs depend on the enterprise policy.

The need is evident for a policy language to support the specification of access control and other management policies. In this thesis we propose a policy framework to support security and management of distributed systems. The framework consists of a policy specification language, an architecture for deploying policies based on the language and a set of tools for specifying and managing policies. In conjunction with the language, the toolkit permits integrated administration of resources, people and policy information with automated policy deployment. The toolkit comprises an Integrated Development Environment (IDE) with a policy compiler, as well as tools for managing policies and roles at runtime.

The policy language is a declarative, object-oriented language for specifying security and management policies for distributed object systems. The language is flexible, expressive and extensible to cover the wide range of requirements implied by the current distributed systems paradigms. It includes support for access control policies, and delegation to cater for temporary transfer of access rights to agents acting on behalf of a client. The language also supports policies to express management activity, which take the form of event-triggered rules called obligation policies. Domains are used to facilitate the specification of policies relating to large systems with millions of objects; policies are specified for collections of objects stored in domains instead of individual objects, thus allowing for scalability and flexibility. Composite policies are included to allow the basic security and management policies relating to roles, organisational units and specific applications to be grouped together. Composite policies are essential to cater for the complexity of policy administration in large enterprise information systems. Application specific constraints on groups of policies can be specified using meta-policies. The language is easy to use by policy users, and we use a structural operational semantics approach to specify its formal semantics.