Changes between Version 30 and Version 31 of T12_Security/ESG/LoginAttributeRequestAndAuthorizationPushAndPullModel


Ignore:
Timestamp:
08/09/08 15:27:29 (11 years ago)
Author:
pjkersha
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • T12_Security/ESG/LoginAttributeRequestAndAuthorizationPushAndPullModel

    v30 v31  
    3131 a. BADC PDP (Policy Decision Point), a service that makes an access control decision based on the attributes controlling access to a given resource and the user attributes available.  (''Is this a Resource Policy Service in ESG terminology?'') 
    3232 a. BADC PEP (Policy Enforcement Point) or gatekeeper (''name for this in ESG terms?'').  This enforces access control decisions for a given resource or resources.  It does so by requesting that a PDP make an access control decision on its behalf.  It then enforces that decision by allowing or denying access.   
    33  a. BADC Attribute Service responsible for attribute assignment and querying.  This service: 
     33 a. AttributeServiceA responsible for attribute assignment and querying.  This service: 
    3434   * enables a user to register for access to datasetA, agree to terms and be allocated the attribute attributeA which determines access to datasetA; 
    3535   * has a service which a PDP can invoke to find out if a given user has registered for attributeA 
     
    3939 * The user is not logged in to the NCAR or BADC sites 
    4040 * Control to ''datasetA'' is governed by an attribute ''attributeA''. 
    41  * The user is registered with ''attributeA'' at the BADC Attribute Service. 
     41 * The user is registered with ''attributeA'' at the AttributeServiceA. 
    4242 
    4343==== Triggers ==== 
     
    5959 1. The PEP passes the NCAR user's attributes to the BADC PDP so that it can make an access control decision. 
    6060 1. The PDP checks the user's attributes to see if attributeA is present. 
    61  1. attributeA is not present so the PDP queries the BADC Attribute Service passing the user's ID. 
    62  1. The BADC Attribute Service checks to see if the NCAR user is registered with attributeA. 
     61 1. attributeA is not present so the PDP queries the AttributeServiceA passing the user's ID. 
     62 1. The AttributeServiceA checks to see if the NCAR user is registered with attributeA. 
    6363 1. The Attribute Service returns a response to the PDP that the NCAR user is registered for attributeA. 
    6464 1. The PEP grants access to the data. 
     
    7171 
    7272==== Description ==== 
    73 This is an extension of the last use case using the same trigger point but in this scenario the user is not registered for access to datasetA.  The use case continues from point 13) of the last use case but with the assumption that access was denied because the user is not registered with BADC Attribute Service for access. 
     73This is an extension of the last use case using the same trigger point but in this scenario the user is not registered for access to datasetA.  The use case continues from point 13) of the last use case but with the assumption that access was denied because the user is not registered with AttributeServiceA for access. 
    7474 
    7575==== Actors ==== 
     
    8181 a. BADC PDP (Policy Decision Point), a service that makes an access control decision based on the attributes controlling access to a given resource and the user attributes available.  (''Is this a Resource Policy Service in ESG terminology?'') 
    8282 a. BADC PEP (Policy Enforcement Point) or gatekeeper (''name for this in ESG terms?'').  This enforces access control decisions for a given resource or resources.  It do so by requesting that a PDP make an access control decision on its behalf.  It then enforces that decision by allowing or denying access.   
    83  a. BADC Attribute Service responsible for access attribute assignment.  This site: 
     83 a. AttributeServiceA responsible for access attribute assignment.  This site: 
    8484   * hosts an attribute request form where users can register, agree to terms and be allocated the attribute attributeA to enable them to access datasetA; 
    8585   * has a service which a site hosting datasetA data can invoke to find out if a given user is registered for attributeA 
     86   * may be hosted by the BADC or could be hosted by another organization in the ESG federation.  For whichever is the case, the site hosting the Attribute Service is the one responsible for registering users for attributeA. 
    8687 
    8788==== Assumptions ==== 
     
    102103 1. The BADC site redirects the user's browser to a registration form hosted at the BADC. 
    103104 1. The user completes details, agrees to the terms of a usage policy, submits and awaits a response. 
    104  1. The details from the form are submitted to the BADC Attribute Service (The Attribute Service could itself host the form) 
     105 1. The details from the form are submitted to the AttributeServiceA (The Attribute Service could itself host the form) 
    105106 1. The user is approved for access to datasetA.  (This may be an immediate decision or it may require submission to an approval panel). 
    106107 1. When approved, the Attribute Service creates a user profile for this user containing attributeA.