This paper presents a security architecture for computational grids, addressing the unique security challenges of large-scale distributed computing. The architecture is implemented within the Globus metacomputing toolkit. The paper outlines the security requirements of grid systems, including authentication, access control, integrity, privacy, and nonrepudiation. It proposes a security policy that supports single sign-on, interoperability with local policies, and dynamically varying resource requirements. The policy focuses on authentication of users, resources, and processes and supports various authentication mechanisms. The paper also describes a security architecture and associated protocols that implement this policy. A concrete implementation of the architecture is discussed, along with experiences deploying it on a large grid testbed. The architecture is designed to be flexible and general enough to be applicable outside the Globus context. The paper makes four contributions to the understanding of distributed system security: (1) an in-depth analysis of the security problem in computational grid systems; (2) the first detailed formulation of a security policy for grid systems; (3) solutions to specific technical issues raised by this policy; and (4) a security architecture that uses these solutions to implement the security policy, demonstrating its workability through large-scale deployment. The security policy is structured to avoid bulk privacy and instead focus on enabling the integration of diverse local security policies. The architecture includes user proxies and resource proxies, which facilitate secure communication and resource allocation. The paper also discusses the use of the Generic Security Services application programming interface (GSS-API) and Secure Socket Layer (SSL) in the implementation. The security architecture has been deployed in a large grid testbed, demonstrating its effectiveness in supporting secure grid computing.This paper presents a security architecture for computational grids, addressing the unique security challenges of large-scale distributed computing. The architecture is implemented within the Globus metacomputing toolkit. The paper outlines the security requirements of grid systems, including authentication, access control, integrity, privacy, and nonrepudiation. It proposes a security policy that supports single sign-on, interoperability with local policies, and dynamically varying resource requirements. The policy focuses on authentication of users, resources, and processes and supports various authentication mechanisms. The paper also describes a security architecture and associated protocols that implement this policy. A concrete implementation of the architecture is discussed, along with experiences deploying it on a large grid testbed. The architecture is designed to be flexible and general enough to be applicable outside the Globus context. The paper makes four contributions to the understanding of distributed system security: (1) an in-depth analysis of the security problem in computational grid systems; (2) the first detailed formulation of a security policy for grid systems; (3) solutions to specific technical issues raised by this policy; and (4) a security architecture that uses these solutions to implement the security policy, demonstrating its workability through large-scale deployment. The security policy is structured to avoid bulk privacy and instead focus on enabling the integration of diverse local security policies. The architecture includes user proxies and resource proxies, which facilitate secure communication and resource allocation. The paper also discusses the use of the Generic Security Services application programming interface (GSS-API) and Secure Socket Layer (SSL) in the implementation. The security architecture has been deployed in a large grid testbed, demonstrating its effectiveness in supporting secure grid computing.