Changes between Version 1 and Version 2 of T12_Security/ESG/LoginAttributeRequestAndAuthorizationPushAndPullModel


Ignore:
Timestamp:
08/09/08 11:43:37 (11 years ago)
Author:
pjkersha
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • T12_Security/ESG/LoginAttributeRequestAndAuthorizationPushAndPullModel

    v1 v2  
    22 
    33== ESG - NDG Security Use Cases == 
     4 1. Login and Authorization (using push and pull model for user attribute handling) 
     5 1. User Registration for new Dataset.  (User attribute assignment) 
    46 
    5 === Login, Attribute Request and Authorization (using push and pull model for user attribute handling) === 
     7=== Login and Authorization (using push and pull model for user attribute handling) === 
    68 
    79==== Description ==== 
     
    2224 a. BADC site serving secured dataset datasetA. 
    2325 a. BADC PDP (Policy Decision Point), a service that makes an access control decision based on the attributes controlling access to a given resource and the user attributes available.  (Is this a Resource Policy Service in ESG terminology?) 
    24  a. BADC PEP (Policy Enforcement Point) or gatekeeper.  This enforces access control decisions for a given resource or resources.  It makes a request to a PDP to make an access control decision and then enforces that decision by allowing or denying access. 
     26 a. BADC PEP (Policy Enforcement Point) or gatekeeper.  This enforces access control decisions for a given resource or resources.  It makes a request to a PDP to make an access control decision and then enforces that decision by allowing or denying access.   
    2527 a. BADC Attribute Service responsible for access attribute assignment.  This site: 
    26    * hosts an authorization where users can register, agree to terms and be allocated the AR5 access attribute to their personal profile. 
    27    * Has a service which can contact the user's IdP and request to add or remove the the AR5 attribute from the user's profile. 
     28   * hosts an authorization where users can register, agree to terms and be allocated the attribute attributeA; 
     29   * has a service which a PDP can invoke to find out if a given user has registered for attributeA 
    2830 
    2931==== Assumptions ==== 
     
    4749 1. The NCAR may prompt the user to check that they agree to certain attributes being pushed back to the BADC site. 
    4850 1. The NCAR IdP redirects the browser back to the BADC site passing user attributes in addition to the usual OpenID protocol message response content. 
    49  1. The BADC site's PEP 
     51 1. The BADC site's PEP is invoked to allow or deny access to the resource. 
     52 1. The PEP passes the NCAR user's attributes to the BADC PDP so that it can make an access control decision. 
     53 1. The PDP checks the user's attributes to see if attributeA is present. 
     54 1. attributeA is not present so the PDP queries the BADC Attribute Service passing the user's ID. 
     55 1. The BADC Attribute Service checks to see if the NCAR user is registered with attributeA. 
     56 1. The Attribute Service returns a response to the PDP that the NCAR user is registered for attributeA. 
     57 1. The PEP grants access to the data. 
     58 1. Download of datasetA commences for the NCAR user. 
     59 
    5060 1. ESG gateway e) redirects the user's browser to the authorization request form hosted at the Gateway f). 
    5161 1. The user completes details, agrees to the terms of a usage policy, submits and awaits a response.