Version 8 (modified by ots, 16 years ago)

--

Security or rights management information

Objective

Minimal information that should be provided by the client to allow the service to known who is trying to use it to ensure the protection of shared resources.

Motivation

Scenary: Dynamic access control & secure management over federated resources.

General security architecture

Simplified use case: · After registration the user connects to the portal and creates delegated credentials on a MyProxy? repository. Delegation is achieved by the use of so called proxy credentials. · Through the portal the end user uses the different services (including WFs). When a service is called, the user is authenticated through the proxy certificates managed by the MyProxy? service. · Services can depend on a central authorisation service to determine whether or not the user is allowed to perform a certain operation or whether he is allowed to see specific data. · Services offering access to sensitive data should do additional authorisation decision requests to some Authorization Service that implements the Data Protection policies and governs the flow of private datasets.

  • Resources protection: software (services, WFs, …) availability, computational resources (CPU, storage, …); data access restrictions
  • Protection / Sharing of proprietary data (in a persistence system).
  • Scheduling: priority based system.

Security services enforce access control policies at all levels to provide secure authentication and communication over an open network.

State of the art

Discussion space

  • Authorization levels
  • Interchanging protocols (formats)
  • Authentication & delegation: Authentication, both of end-user and of infrastructure components, could based on X509 digital certificates. This proven technology is commonly used, for example when connecting to a secure website (https). Certificates are managed through a Public Key Infrastructure (PKI), which deals with the secure creation, validation and revocation of certificates.

MyProxy delegation example

  • WFs concerns
  • Profiling offer deployment (specific to the user rights)

Attachments