Changes between Version 2 and Version 3 of T12_Security/ESG/LoginAttributeRequestAndAuthorizationPushAndPullModel


Timestamp: 08/09/08 11:46:33 (11 years ago)
Author: pjkersha
Comment:

--

  • T12_Security/ESG/LoginAttributeRequestAndAuthorizationPushAndPullModel

    v2 v3  
    22 
    33== ESG - NDG Security Use Cases == 
     4 1. User Registration for new Dataset.  (User attribute assignment) 
    45 1. Login and Authorization (using push and pull model for user attribute handling) 
    5  1. User Registration for new Dataset.  (User attribute assignment) 
    66 
    7 === Login and Authorization (using push and pull model for user attribute handling) === 
     7=== User Registration for new Dataset === 
    88 
    99==== Description ==== 
     
    1313 
    1414==== Actors ==== 
    15  a. siteA owns the resource and the ultimate access policy that is enforced on that resource. 
    16  a. SiteB hosts an IdP for a user's !OpenID 
    17  a. siteC's for the user's registration and VO-attributes/access-policy,  
    18  
    19  
    2015 a. NCAR User i.e. user belongs to a member organisation of the ESG federation. 
    2116 a. Client browser 
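Review bot: The removed siteA entry (v2 line 15) was a statement of which site owns the resource and "the ultimate access policy that is enforced on that resource", and none of the actor entries added at v3 lines 52-61 restates it. Say which actor owns the policy, for example on the BADC PDP or BADC site entry, so the PEP/PDP split does not leave policy ownership implicit.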
     
    4035==== Outcome ==== 
    4136User is granted authorization to access secured AR5 data from ESG site. 
     37 1. ESG gateway e) redirects the user's browser to the authorization request form hosted at the Gateway f). 
     38 1. The user completes details, agrees to the terms of a usage policy, submits and awaits a response. 
     39 1. According to the approval criteria, the user is granted or denied the AR5_ACCESS attribute. 
     40 1. If approved, Gateway f) invokes a service running at the BADC IdP making a request to update the user's profile adding AR5_ACCESS to it's list of authorization attributes. 
     41 1. The BADC IdP sends a response to Gateway f) indicating that the user's profile has been updated.  The user may now  access data secured with the AR5_ACCESS attribute. 
     42 
     43 
     44=== Login and Authorization (using push and pull model for user attribute handling) === 
     45 
     46==== Description ==== 
     47Browser based federated access to secured AR5 data and allocation of AR5 access rights to a registered user.  A draft based on Section C 3d) of the Architectural Assumptions document (v0.3) 
     48 
     49This use case is based on the proposed ESG architecture for user attribute assignment.  Particular ESG gateways have responsibility for attribute assignment to users.  '''Key to this use case, these gateways have the capability to invoke a service at the user's IdP and add or remove the given ESG attribute(s) for which they have authority.''' 
     50 
     51==== Actors ==== 
     52 a. NCAR User i.e. user belongs to a member organisation of the ESG federation. 
     53 a. Client browser 
     54 a. NCAR IdP (Identity Provider or in the language of OpenID an 'OpenID Provider' where the NCAR user is registered) 
     55 a. NCAR user profile.  A set of information about the NCAR user held by the NCAR IdP.  This could be for example a database record. 
     56 a. BADC site serving secured dataset datasetA. 
     57 a. BADC PDP (Policy Decision Point), a service that makes an access control decision based on the attributes controlling access to a given resource and the user attributes available.  (Is this a Resource Policy Service in ESG terminology?) 
     58 a. BADC PEP (Policy Enforcement Point) or gatekeeper.  This enforces access control decisions for a given resource or resources.  It makes a request to a PDP to make an access control decision and then enforces that decision by allowing or denying access.   
     59 a. BADC Attribute Service responsible for access attribute assignment.  This site: 
     60   * hosts an authorization where users can register, agree to terms and be allocated the attribute attributeA; 
     61   * has a service which a PDP can invoke to find out if a given user has registered for attributeA 
     62 
     63==== Assumptions ==== 
     64 * Use case for browser based access 
     65 * user is not logged in to NCAR site 
     66 * user doesn't have authorization for AR5 access 
     67 * control to AR5 data is governed by a federation wide attribute called ''AR5_ACCESS''. 
     68 
     69==== Triggers ==== 
     70A user attempts to access a secured datasetA from the BADC site. 
     71 
     72==== Outcome ==== 
     73NCAR user is granted access secured datasetA from BADC site. 
    4274 
    4375==== Normal Course ==== 
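Review bot: Step 40 (v3 line 40) has Gateway f) updating the user's profile at the BADC IdP, but the actor is an NCAR user whose profile is held by the NCAR IdP (v3 lines 52-55) and v3 line 49 says the gateway invokes a service "at the user's IdP"; name the same IdP in both places. The step should also state how that IdP authenticates the calling gateway and checks that it has authority over AR5_ACCESS before changing the profile, since v3 line 49 limits gateways to the attributes "for which they have authority". Separately, steps 37-41 now follow the Outcome sentence at v3 line 36 with no heading of their own, so they read as part of the outcome; give them a "==== Normal Course ====" heading. In the new Login section the assumptions use AR5_ACCESS while the actors, trigger and outcome use attributeA and datasetA; pick one naming. The Attribute Service entry at v3 line 60 reads "hosts an authorization where users can register" and is missing its noun, and the outcome at v3 line 73 is missing "to" after "access".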
     
    5789 1. The PEP grants access to the data. 
    5890 1. Download of datasetA commences for the NCAR user. 
    59  
    60  1. ESG gateway e) redirects the user's browser to the authorization request form hosted at the Gateway f). 
    61  1. The user completes details, agrees to the terms of a usage policy, submits and awaits a response. 
    62  1. According to the approval criteria, the user is granted or denied the AR5_ACCESS attribute. 
    63  1. If approved, Gateway f) invokes a service running at the BADC IdP making a request to update the user's profile adding AR5_ACCESS to it's list of authorization attributes. 
    64  1. The BADC IdP sends a response to Gateway f) indicating that the user's profile has been updated.  The user may now  access data secured with the AR5_ACCESS attribute. 
    65