Access control use-cases
Roy Williams
roy at cacr.caltech.edu
Tue Jul 11 12:57:11 PDT 2006
Norman
A group of us in NVO have been pushing the idea of "graduated
security". When a protected service is requested, the more strongly
authenticated person gets more resource than the weakly
authenticated. Weakest authentication is of course nothing
(anonymous), and you may get a crumb. If you have filled in a web
form and proved that you have a valid email, you are "weakly
authenticated", and you get more.
The Nesssi system is predicated on graduated security: the
certificate and the request are considered *together* to decide
whether to devote resources to the request. This is a contrast to
traditional systems, where you must prove who you are first in a
rigorous way before getting anything at all.
We are adding the idea of a "Dataset Visa", meaning that your
certificate allows access to private data. Nesssi imaging services
are available to anyone for public surveys, but reject those without
the proper visa if you try to use the service on private data.
Roy
References
http://www.us-vo.org/nesssi/
http://www.us-vo.org/nesssi/soc.html
http://www.us-vo.org/pubs/files/hotgrid.pdf
On Jul 7, 2006, at 10:46 AM, Norman Gray wrote:
>
> Greetings,
>
> I'm going to be doing some work on access control and
> authorisation, initially within the AstroGrid context, but it would
> I hope be applicable more broadly. I'm gathering use-cases, and
> have a few collected at <http://wiki.eurovotech.org/twiki/bin/view/VOTech/AccessControlUseCases>.
> Some of these were extracted from
> this list's archives. If I've missed your favourite one, please do
> shout. Or if I've missed your least-favourite, most headache-inducing, one.
>
> I was talking recently to some folk who are working on policy
> management (partly, though not exclusively, in the context of the
> semantic web). They seemed rather dismayed at how simple most use-cases
> were, since they were aiming at a pretty powerful system.
>
> So let rip. The ones I've got so far are probably fairly easily
> manageable (in terms of the logic and delegation involved, rather
> than necessarily their implementation in a live system).
>
> Thanks!
>
> Norman
>
>
> --
> ----------------------------------------------------------------------------
> Norman Gray / http://nxg.me.uk
> eurovotech.org / University of Leicester, UK
>
>
>
California Institute of Technology
626 395 3670
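The "graduated security" idea described in the message above, as an added illustration that is not Nesssi's code: the credential and the request are evaluated together, weaker authentication gets a smaller resource budget, and private data is refused unless the certificate carries a Dataset Visa for that dataset. The level names, the numeric budgets and the dataset names are constructed for this example.

```python
from dataclasses import dataclass

# Authentication strength, weakest first, as in the message: anonymous,
# email-verified ("weakly authenticated"), certificate. The budgets (say,
# images per request) are constructed values, not Nesssi's real limits.
BUDGET = {"anonymous": 1, "email": 10, "certificate": 100}


@dataclass
class Credential:
    level: str                        # one of the BUDGET keys
    visas: frozenset = frozenset()    # datasets the certificate's visa covers


@dataclass
class Request:
    dataset: str
    private: bool
    images: int                       # resource the caller asks for


@dataclass
class Decision:
    allowed: bool
    granted: int
    reason: str


def decide(cred: Credential, req: Request) -> Decision:
    """Decide credential and request *together*: the same credential may be
    enough for a public survey and insufficient for a private one."""
    if cred.level not in BUDGET:
        return Decision(False, 0, "unknown authentication level")
    if req.images <= 0:
        return Decision(False, 0, "nothing requested")
    # Private data needs a Dataset Visa, which only a certificate can carry;
    # anonymous and email-only callers are rejected regardless of budget.
    if req.private:
        if cred.level != "certificate":
            return Decision(False, 0, "private data requires a certificate")
        if req.dataset not in cred.visas:
            return Decision(False, 0, f"no visa for dataset {req.dataset!r}")
    # Weakest authentication gets a crumb; stronger authentication gets more.
    budget = BUDGET[cred.level]
    granted = min(req.images, budget)
    reason = "ok" if granted == req.images else f"capped at {budget}"
    return Decision(True, granted, reason)
```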