MSO and multiple communities

Tony Linde ael at star.le.ac.uk
Wed Jul 7 05:53:57 PDT 2004


> In Wil's MyDB system, data are owned by individuals, so 
> authorization has to be at the individual level.  This is 
> because it's a read-write system.  In a read-only archive, 
> authorization at group level is still OK in most cases.  In 
> the cases where it isn't, the operator of the archive will 
> want the finer-grained authorization to achieve their own ends.

Just to be clear though, this does not mean that individuals or groups or
indeed anyone but the VOSpace management system needs any level of access to
the data in the MyDB database. On the physical system, no accounts at all
are necessary since no-one has _direct_ access to any data, whether file- or
dbms-based: all access is mediated through some management system.

Cheers,
Tony. 

> -----Original Message-----
> From: owner-grid at eso.org [mailto:owner-grid at eso.org] On 
> Behalf Of Guy Rixon
> Sent: 07 July 2004 11:32
> To: Martin Hill
> Cc: 'Grid and WebServices'
> Subject: Re: MSO and multiple communities
> 
> On Wed, 7 Jul 2004, Martin Hill wrote:
> 
> > Guy Rixon wrote:
> > > On Wed, 7 Jul 2004, Martin Hill wrote:
> > >>
> > >>I got the impression that groups allow a coarse-grained approach to
> > >>assigning privileges and avoid having to track huge numbers of
> > >>individuals.  Groups can span communities and so separate assigning
> > >>privilege from trust.  That way we don't need to ask data providers
> > >>to assign vast numbers of individual privileges.  I'm a bit out of
> > >>touch though :-(
> > >
> > >
> > > Yes, this is the purpose of groups.  However, when controlling 
> > > access to files owned by individuals - think of VOSpace - groups 
> > > don't avoid the need to authorize at the individual level.
> >
> > I can see that we will want to allow fine-grained privileges too. In
> > the case of store space, this is automatic, and individuals look after
> > their own files (and who they publish to).  I was more concerned that
> > Wil seems to be saying that we would be asking data providers to
> > assign privileges on an individual basis for restricted data?
> 
> I don't think that IVOA is requiring this.
> 
> The current position seems to be that you need to prove an 
> individual identity in order to prove a group membership in 
> order to prove authorization.
> 
> Services will also need individual identities for logging.
> 
> In Wil's MyDB system, data are owned by individuals, so 
> authorization has to be at the individual level.  This is 
> because it's a read-write system.  In a read-only archive, 
> authorization at group level is still OK in most cases.  In 
> the cases where it isn't, the operator of the archive will 
> want the finer-grained authorization to achieve their own ends.
> 
> Guy Rixon 				        gtr at ast.cam.ac.uk
> Institute of Astronomy   	                Tel: +44-1223-337542
> Madingley Road, Cambridge, UK, CB3 0HA		Fax: +44-1223-337523
> 

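The thread above describes a mediated-access design: nobody holds an account on the storage itself, every request passes through one management system, that system proves an individual identity, derives group membership from it, applies group-level rules to a read-only archive and owner-level rules to a read-write MyDB store, and logs the individual identity on each decision. The following is an added illustration of that arrangement, written for this page; it is not code from the thread, from IVOA, or from any VOSpace or MyDB implementation. The token format, the user and group names, and the two resources are constructed for the example.

```python
"""Added example: a minimal access broker in the style the thread describes.
Storage has no user accounts; the broker is the only path to the data.
All names, tokens, groups and resources below are constructed for illustration."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Resource:
    """A stored item behind the broker (constructed model, not an IVOA type)."""
    name: str
    kind: str                                  # "archive" (read-only) or "mydb" (read-write)
    owner: Optional[str] = None                # MyDB: the individual who owns the data
    reader_groups: Set[str] = field(default_factory=set)  # archive: groups allowed to read
    shared_with: Set[str] = field(default_factory=set)    # MyDB: individuals the owner published to


@dataclass
class AuditRecord:
    """Every decision is logged against an individual identity, as the thread requires."""
    identity: str
    resource: str
    action: str
    allowed: bool
    reason: str


class AccessBroker:
    """The single mediating component: identity -> group membership -> authorization."""

    def __init__(self, memberships: Dict[str, Set[str]], resources: Dict[str, Resource]):
        self.memberships = memberships   # individual -> set of groups (the community directory)
        self.resources = resources
        self.audit: List[AuditRecord] = []

    def authenticate(self, token: str) -> Optional[str]:
        # Placeholder credential check (assumption for the example): a token of the
        # form "user:<name>" proves the identity. A real deployment would verify a
        # signed credential issued by the community.
        if token.startswith("user:") and token[5:] in self.memberships:
            return token[5:]
        return None

    def decide(self, token: str, resource_name: str, action: str) -> bool:
        identity = self.authenticate(token)
        if identity is None:
            return self._record("anonymous", resource_name, action, False, "unauthenticated")
        res = self.resources.get(resource_name)
        if res is None:
            return self._record(identity, resource_name, action, False, "no such resource")
        if res.kind == "archive":
            # Read-only archive: group membership derived from the identity is enough.
            groups = self.memberships[identity]
            allowed = action == "read" and bool(groups & res.reader_groups)
            reason = "group rule"
        elif res.kind == "mydb":
            # Read-write MyDB: owner-level rule; the owner may publish read access.
            if action == "read":
                allowed = identity == res.owner or identity in res.shared_with
            else:
                allowed = identity == res.owner
            reason = "owner rule"
        else:
            allowed, reason = False, "unknown resource kind"
        return self._record(identity, resource_name, action, allowed, reason)

    def _record(self, identity: str, resource: str, action: str,
                allowed: bool, reason: str) -> bool:
        self.audit.append(AuditRecord(identity, resource, action, allowed, reason))
        return allowed


def build_demo_broker() -> AccessBroker:
    """Constructed sample directory and resources for the example."""
    memberships = {"alice": {"astro-survey", "staff"}, "bob": {"astro-survey"}, "carol": set()}
    resources = {
        "survey-images": Resource("survey-images", "archive", reader_groups={"astro-survey"}),
        "alice-mydb": Resource("alice-mydb", "mydb", owner="alice", shared_with={"bob"}),
    }
    return AccessBroker(memberships, resources)


if __name__ == "__main__":
    broker = build_demo_broker()
    for tok, res, act in [("user:alice", "survey-images", "read"),
                          ("user:carol", "survey-images", "read"),
                          ("user:bob", "alice-mydb", "write"),
                          ("bogus", "alice-mydb", "read")]:
        print(tok, res, act, "->", broker.decide(tok, res, act))
    for record in broker.audit:
        print(record)
```

The point of the design is visible in the two branches of `decide`: the archive never needs to know individuals beyond the audit log, because membership is derived from the proven identity at request time, while the MyDB branch cannot avoid naming individuals because ownership is per person. Either way the storage layer sees only the broker.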

