MSO and multiple communities

Guy Rixon gtr at ast.cam.ac.uk
Wed Jul 7 03:31:43 PDT 2004


On Wed, 7 Jul 2004, Martin Hill wrote:

> Guy Rixon wrote:
> > On Wed, 7 Jul 2004, Martin Hill wrote:
> >>
> >>I got the impression that groups allow a coarse-grained approach to
> >>assigning privileges and avoid having to track huge numbers of
> >>individuals.  Groups can span communities and so separate assigning
> >>privilege from trust.  That way we don't need to ask data providers to
> >>assign vast numbers of individual privileges.  I'm a bit out of touch
> >>though :-(
> >
> >
> > Yes, this is the purpose of groups.  However, when controlling access to files
> > owned by individuals - think of VOSpace - groups don't avoid the need to
> > authorize at the individual level.
>
> I can see that we will want to allow fine-grained privileges too. In the case of
> store space, this is automatic, and individuals look after their own files (and
> who they publish to).  I was more concerned that Wil seems to be saying that we
> would be asking data providers to assign privileges on an individual basis for
> restricted data?

I don't think that IVOA is requiring this.

The current position seems to be that you need to prove an individual identity
in order to prove a group membership in order to prove authorization.

Services will also need individual identities for logging.

In Wil's MyDB system, data are owned by individuals, so authorization has to
be at the individual level.  This is because it's a read-write system.  In a
read-only archive, authorization at group level is still OK in most cases.  In
the cases where it isn't, the operator of the archive will want the
finer-grained authorization to achieve their own ends.

Guy Rixon                                    gtr at ast.cam.ac.uk
Institute of Astronomy                       Tel: +44-1223-337542
Madingley Road, Cambridge, UK, CB3 0HA       Fax: +44-1223-337523
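The authorization chain described in the message above (prove an individual identity, derive group memberships from it, then decide access, with the individual identity logged either way) in runnable form. This is an added illustration, not code from IVOA, MyDB or VOSpace; the subjects, communities, group names and resources are constructed for the example. It shows the two cases Guy contrasts: a read-only archive table granted to a cross-community group, and an individually owned read-write table where only the owner may write even though the owner has published read access to the same group.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Group membership as asserted by the users' communities. Groups span
# communities (alice is at Cambridge, bob at JHU), so a data provider
# grants privileges to the group and never has to enumerate individuals.
# All subjects and group names here are constructed for the example.
GROUP_MEMBERS: dict[str, set[str]] = {
    "survey-collab": {"alice@cam", "bob@jhu"},
    "archive-staff": {"carol@cam"},
}

# Every access is logged against the proven individual identity, even when
# the authorization decision itself was made at group level.
AUDIT_LOG: list[str] = []


@dataclass
class Resource:
    name: str
    owner: Optional[str] = None                      # set for MyDB/VOSpace-style files
    group_grants: dict[str, set[str]] = field(default_factory=dict)
    user_grants: dict[str, set[str]] = field(default_factory=dict)


def groups_of(subject: str) -> set[str]:
    """Step 2 of the chain: a proven identity is mapped to its group memberships."""
    return {g for g, members in GROUP_MEMBERS.items() if subject in members}


def authorize(subject: str, res: Resource, action: str) -> bool:
    """Step 3: decide from ownership, then per-user grants, then group grants.

    `subject` is assumed already authenticated (step 1); group claims are
    derived from that identity rather than accepted from the caller.
    """
    basis: Optional[str] = None
    if res.owner is not None and res.owner == subject:
        basis = "owner"                              # read-write store: individual level
    elif action in res.user_grants.get(subject, set()):
        basis = "user-grant"                         # an archive's own finer-grained ACL
    else:
        for g in sorted(groups_of(subject)):
            if action in res.group_grants.get(g, set()):
                basis = f"group:{g}"                 # coarse-grained, read-only archive case
                break
    AUDIT_LOG.append(
        f"{subject} {action} {res.name}: {'ALLOW' if basis else 'DENY'} ({basis or 'no grant'})"
    )
    return basis is not None


# Constructed resources: a read-only archive table granted to a group, and an
# individually owned table whose owner has published read access to that group.
ARCHIVE_TABLE = Resource("archive.survey_dr1", group_grants={"survey-collab": {"read"}})
MYDB_TABLE = Resource(
    "mydb.alice.matches",
    owner="alice@cam",
    group_grants={"survey-collab": {"read"}},
)


def demo() -> dict[str, bool]:
    """Run the representative checks and return the decisions keyed by label."""
    return {
        "bob reads archive": authorize("bob@jhu", ARCHIVE_TABLE, "read"),
        "dave reads archive": authorize("dave@aao", ARCHIVE_TABLE, "read"),
        "bob reads alice's table": authorize("bob@jhu", MYDB_TABLE, "read"),
        "bob writes alice's table": authorize("bob@jhu", MYDB_TABLE, "write"),
        "alice writes her table": authorize("alice@cam", MYDB_TABLE, "write"),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label}: {'allowed' if ok else 'denied'}")
    print("\n".join(AUDIT_LOG))
```

The point of keeping `groups_of` separate from `authorize` is the one made in the thread: the data provider only ever writes grants against group names, while the mapping from a person to a group (and the trust in who that person is) stays with their community. Ownership is checked before any group grant so that a read-write store cannot be opened up by a group rule, and the audit line always names the individual, which is what services need for logging regardless of how the decision was reached.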
