Changes between Version 4 and Version 5 of T12_Security/ESG/LoginAttributeRequestAndAuthorizationPushAndPullModel


Timestamp: 08/09/08 12:17:12 (11 years ago)
Author: pjkersha
Comment: --

  • T12_Security/ESG/LoginAttributeRequestAndAuthorizationPushAndPullModel

    v4 v5  
    55 1. Login and Authorization (using push and pull model for user attribute handling) 
    66 
     7[[BR]] 
     8[[BR]] 
     9[[BR]] 
     10[[BR]] 
     11[[BR]] 
     12[[BR]] 
     13[[BR]] 
     14 
     15 
     16---- 
     17 
    718=== User Registration for new Dataset (User attribute assignment) === 
    819 
    920==== Description ==== 
    10 Browser based federated access to secured AR5 data and allocation of AR5 access rights to a registered user.  A draft based on Section C 3d) of the Architectural Assumptions document (v0.3) 
    11  
    12 This use case is based on the proposed ESG architecture for user attribute assignment.  Particular ESG gateways have responsibility for attribute assignment to users.  '''Key to this use case, these gateways have the capability to invoke a service at the user's IdP and add or remove the given ESG attribute(s) for which they have authority.''' 
     21This use case describes the browser based profile for a user to register to access a new dataset. 
    1322 
    1423==== Actors ==== 
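Review bot: The replacement Description at v5 line 21 no longer says which component has authority to assign the attribute. The removed v4 lines 10 and 12 stated that particular gateways are responsible for attribute assignment and can add or remove attributes at the user's IdP, and the new one-sentence description puts nothing in their place. Suggest adding a sentence that names the BADC Attribute Service as the authority for attributeA so this section can be read on its own. The seven consecutive [[BR]] macros added at v5 lines 7 to 13 are layout padding ahead of the ---- rule and could be dropped.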
     
    1827 a. NCAR user profile.  A set of information about the NCAR user held by the NCAR IdP.  This could be for example a database record. 
    1928 a. BADC site serving secured dataset datasetA. 
    20  a. BADC PDP (Policy Decision Point), a service that makes an access control decision based on the attributes controlling access to a given resource and the user attributes available.  (Is this a Resource Policy Service in ESG terminology?) 
    21  a. BADC PEP (Policy Enforcement Point) or gatekeeper.  This enforces access control decisions for a given resource or resources.  It makes a request to a PDP to make an access control decision and then enforces that decision by allowing or denying access.   
    2229 a. BADC Attribute Service responsible for access attribute assignment.  This site: 
    23    * hosts an authorization where users can register, agree to terms and be allocated the attribute attributeA; 
    24    * has a service which a PDP can invoke to find out if a given user has registered for attributeA 
     30   * hosts an attribute request form where users can register, agree to terms and be allocated the attribute attributeA to enable them to access datasetA; 
     31   * has a service which a site hosting datasetA data can invoke to find out if a given user is registered for attributeA 
    2532 
    2633==== Assumptions ==== 
    2734 * Use case for browser based access 
    2835 * user is not logged in to NCAR site 
    29  * user doesn't have authorization for AR5 access 
    30  * control to AR5 data is governed by a federation wide attribute called ''AR5_ACCESS''. 
     36 * user doesn't have authorization for datasetA access 
     37 * control to datasetA is governed by an attribute called attributeA. 
    3138 
    3239==== Triggers ==== 
    33 A user attempts to access a secured AR5 dataset from the BADC site. 
     40A user requires access to datasetA from the BADC site. 
    3441 
    3542==== Outcome ==== 
    36 User is granted authorization to access secured AR5 data from ESG site. 
    37  1. ESG gateway e) redirects the user's browser to the authorization request form hosted at the Gateway f). 
     43User is granted access rights to secured datasetA data from BADC site. 
     44 
     45==== Normal Course ==== 
     46 1. The BADC site redirects the user's browser to the authorization request form hosted at the BADC. 
    3847 1. The user completes details, agrees to the terms of a usage policy, submits and awaits a response. 
    39  1. According to the approval criteria, the user is granted or denied the AR5_ACCESS attribute. 
    40  1. If approved, Gateway f) invokes a service running at the BADC IdP making a request to update the user's profile adding AR5_ACCESS to it's list of authorization attributes. 
    41  1. The BADC IdP sends a response to Gateway f) indicating that the user's profile has been updated.  The user may now  access data secured with the AR5_ACCESS attribute. 
     48 1. The details from the form are submitted to the BADC Attribute Service. 
     49 1. The user is approved for access to datasetA.  (This may an immediate decision or it may require submission to an approval panel). 
     50 1. When approved, the Attribute Service creates a user profile for this user containing attributeA. 
     51 1. If approval is immediate, the BADC can redirect the NCAR user to the page for datasetA download. 
     52 1. If approval requires submission to an approval panel, then the BADC site lets the user know that this is the case and that they will be informed of a decision by e-mail (or other means). 
    4253 
     54---- 
    4355 
    4456=== Login and Authorization (using push and pull model for user attribute handling) === 
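Review bot: The new Normal Course (v5 lines 46 to 52) never establishes who the user is before the Attribute Service binds attributeA to them. The Assumptions still say "user is not logged in to NCAR site", and no step between the redirect to the request form and "creates a user profile for this user containing attributeA" has the user authenticate at the NCAR IdP. Suggest adding a login step before the form is submitted and stating which identifier from the NCAR IdP the BADC profile is keyed on. The denial path has also disappeared: the v4 step "the user is granted or denied" became "The user is approved", so a step or alternative course for a refused request is missing. With the PDP and PEP actors removed (v4 lines 20 and 21), v5 line 31 should say which component at the site hosting datasetA makes the query and enforces the result. Typo at v5 line 49: "This may an immediate decision" should read "This may be an immediate decision".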
     
    4759Browser based federated access to secured AR5 data and allocation of AR5 access rights to a registered user.  A draft based on Section C 3d) of the Architectural Assumptions document (v0.3) 
    4860 
    49 This use case is based on the proposed ESG architecture for user attribute assignment.  Particular ESG gateways have responsibility for attribute assignment to users.  '''Key to this use case, these gateways have the capability to invoke a service at the user's IdP and add or remove the given ESG attribute(s) for which they have authority.''' 
     61This use case is based on the proposed ESG architecture for user attribute assignment.  Particular ESG gateways have responsibility for attribute assignment to users.   
    5062 
    5163==== Actors ====
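Review bot: The section heading at v5 line 56 still reads "using push and pull model", but v5 line 61 drops the only sentence that described the push side: the gateways' capability to invoke a service at the user's IdP and add or remove the ESG attribute(s) for which they have authority. Either keep a plain statement of which party may write attributes to the IdP, or rename the section if the push model is being retired from this use case. The replacement line at v5 line 61 also ends in trailing whitespace.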