wiki:TI12_Security/NDG/UseCases/NewUserRegistration

Version 1 (modified by pjkersha, 12 years ago)

--

New User Registration

Description

The steps a data provider running NDG Security follows to register a new user and provision that user's credentials.

Actors

  • Data Provider
  • Data Provider systems administrator responsible for user accounts
  • Data Provider User Registration interface, e.g. a browser and CGI script, a command-line tool or some other application
  • Session Manager WS
  • Data Provider user-roles interface, e.g. a user database with tables for roles and usernames
  • MyProxy
  • NDG !SimpleCA WS

Assumptions

The data provider has a security policy for user registration, e.g. does the data provider need to validate the identity of new users and, if so, how?

Triggers

A new user wishes to register an account with the data provider.

Outcome

New account created for the user: a public/private key pair and X.509 certificate have been created for them and uploaded into the MyProxy repository, where the private key is protected by the user's pass-phrase, and appropriate roles have been allocated to them.

Normal Course

  1. The user or systems administrator enters the user's details, including the new username and pass-phrase, together with the information the data provider needs to determine which access rights to resources the user will be entitled to.
  2. Systems administrator carries out validation checks on user identity as dictated by data provider security policy.
  3. If user identity is accepted, the user registration interface is invoked with the username and pass-phrase for the new user.
  4. It calls the Session Manager WS with the username and pass-phrase.
  5. The Session Manager WS calls its MyProxy interface to generate a public/private key and certificate request for the user's new X.509 certificate. The certificate request document is digitally signed by the Session Manager and is then sent to the !SimpleCA WS for processing.
  6. The !SimpleCA WS receives the request for the new certificate and verifies its XML signature. If the signature is valid, the !SimpleCA issues a new certificate and sends it back to the Session Manager; otherwise the request is refused.
  7. On receipt of the new certificate, the Session Manager's MyProxy interface adds the certificate and private key to the MyProxy repository, with the private key protected by the pass-phrase supplied in step 4.
  8. Session Manager WS returns a message to its WS client indicating that MyProxy registration has been completed successfully.
  9. The username is added to the data provider's user-roles interface, e.g. a site user database, and the user is allocated the roles corresponding to the access rights to resources they were deemed entitled to in step 1.
  10. The user is notified of successful registration of their account.
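The following script is an added example, not code from the NDG project, that models steps 5 to 7 of the Normal Course with the openssl command line: the Session Manager generates the user's key pair and certificate request and signs the request, the !SimpleCA refuses to issue unless that signature verifies, and the resulting certificate and pass-phrase-protected private key are written to a repository. The directory layout, the subject DNs, the flat-file "repository" standing in for MyProxy's credential store, and the detached RSA/SHA-256 signature standing in for the page's XML signature are all assumptions of the example. Two points it makes concrete: the Session Manager's request-signing key is what the !SimpleCA trusts, so the identity checks of steps 2 and 3 are only as good as the protection of that key; and the pass-phrase entered in step 1 becomes the secret that unlocks the stored private key, so it must not be logged or echoed along the way.

```shell
#!/bin/sh
# Added example (not NDG's code): models steps 5-7 of the Normal Course with
# the openssl CLI. Directory names, subject DNs and the flat-file "repository"
# standing in for MyProxy's credential store are assumptions for this example.
set -eu

WORK=$(mktemp -d)
CA_DIR="$WORK/simpleca"      # SimpleCA's signing key/cert and the Session Manager's public key
SM_DIR="$WORK/sessionmgr"    # Session Manager scratch space: user keys and CSRs
REPO="$WORK/myproxy-repo"    # stands in for the MyProxy credential repository

# One-off setup (not a step of the use case): SimpleCA's CA certificate and the
# Session Manager's request-signing key, whose public half SimpleCA must hold
# so it can check who vouched for a request. Safe to call more than once.
setup_pki() {
    [ -f "$CA_DIR/ca.crt" ] && return 0
    mkdir -p "$CA_DIR" "$SM_DIR" "$REPO"
    cat > "$CA_DIR/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
O = NDG
CN = SimpleCA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -config "$CA_DIR/req.cnf" -newkey rsa:2048 -nodes -days 365 \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$SM_DIR/sm.key" 2>/dev/null
    openssl pkey -in "$SM_DIR/sm.key" -pubout -out "$CA_DIR/sessionmgr.pub" 2>/dev/null
}

# Step 5: the Session Manager generates the user's key pair and certificate
# request, then signs the request so SimpleCA can tell it came from the
# Session Manager (the page's XML signature, modelled here as a detached
# RSA/SHA-256 signature over the CSR file).
make_signed_request() {
    user=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$SM_DIR/$user.key" 2>/dev/null
    openssl req -new -config "$CA_DIR/req.cnf" -key "$SM_DIR/$user.key" \
        -subj "/O=NDG/CN=$user" -out "$SM_DIR/$user.csr" 2>/dev/null
    openssl dgst -sha256 -sign "$SM_DIR/sm.key" -out "$SM_DIR/$user.csr.sig" "$SM_DIR/$user.csr"
}

# Step 6: SimpleCA verifies the Session Manager's signature before it issues
# anything; a request that is unsigned, tampered with, or signed by anyone
# else is refused (non-zero exit, no certificate written).
ca_issue() {
    user=$1
    openssl dgst -sha256 -verify "$CA_DIR/sessionmgr.pub" -signature "$SM_DIR/$user.csr.sig" \
        "$SM_DIR/$user.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$SM_DIR/$user.csr" -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" \
        -CAcreateserial -days 30 -out "$SM_DIR/$user.crt" 2>/dev/null
}

# Step 7: certificate and private key go into the repository. MyProxy keeps the
# private key encrypted under the user's pass-phrase; modelled here as PKCS#8
# with AES-256. The plaintext key is then removed from the Session Manager.
store_credential() {
    user=$1; passphrase=$2
    openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$SM_DIR/$user.key" \
        -passout "pass:$passphrase" -out "$REPO/$user.key.enc" 2>/dev/null
    cp "$SM_DIR/$user.crt" "$REPO/$user.crt"
    rm -f "$SM_DIR/$user.key"
}

# Steps 5-7 end to end, as the registration interface triggers them in step 4.
register_user() {
    user=$1; passphrase=$2
    make_signed_request "$user"
    ca_issue "$user"
    store_credential "$user" "$passphrase"
}

# Check worth running before step 8's "success" reply: the stored certificate
# chains to SimpleCA, the stored key opens only with the pass-phrase, and the
# two actually belong together.
verify_registration() {
    user=$1; passphrase=$2
    openssl verify -CAfile "$CA_DIR/ca.crt" "$REPO/$user.crt" >/dev/null 2>&1 || return 1
    openssl pkey -in "$REPO/$user.key.enc" -passin "pass:$passphrase" -noout 2>/dev/null || return 1
    cert_pub=$(openssl x509 -in "$REPO/$user.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$REPO/$user.key.enc" -passin "pass:$passphrase" -pubout 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ]
}

# Stand-alone demo; set NDG_NO_DEMO=1 to only define the functions.
if [ -z "${NDG_NO_DEMO:-}" ]; then
    setup_pki
    register_user alice 'correct horse battery staple'
    verify_registration alice 'correct horse battery staple' && echo "alice registered under $REPO"
fi
```

Run it with `sh` and it registers the constructed user alice, leaving the certificate and encrypted key under the printed scratch directory. The refusal in ca_issue is the part of the flow that matters most: without it, anything able to reach the CA could mint certificates for arbitrary usernames, bypassing the identity validation of step 2.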