Changes between Initial Version and Version 1 of AbacPolicy

Timestamp: 05/09/12 00:01:10
Author: prateek (IP: 66.57.66.224)
We have the following actors as part of our implementation.
 * GOC: GENI's trust root
 * IdP: Identity Provider
 * PA: Project Authority
 * SA: Slice Authority
 * OrcaAM: Orca Aggregate Manager
 * DrD: PI named Dr. D
 * TTGuy: Experimenter named Test Tube Guy

The individual actor policies are as follows. They are written as RT-style credentials: A.r <- B makes B a member of role A.r; A.r <- B.r1 makes every member of B.r1 a member of A.r; and the linked form A.r <- B.r1.r2 makes every member of X.r2 a member of A.r for each X in B.r1. A.r <?- X is a query the authority evaluates before granting a request.

=== Project Authority ===
The PA trusts a GOC-endorsed IdP to issue user-role credentials.[[BR]]
PA.GeniPI <- GOC.GeniIdP.GeniPI[[BR]]
[[BR]]
The PA requires a user to be a GENI PI to be able to create a project.[[BR]]
PA.GeniPI <?- Requester

The PA's access control policy for a project allows the project's manager(s) to operate on the project. The second, linked rule also allows the project manager(s) to further delegate the privilege: anyone a project manager places in its own Operate_ProjectId role becomes a member of PA.Operate_ProjectId.[[BR]]
PA.Operate_ProjectId <- PA.PM_ProjectId[[BR]]
PA.Operate_ProjectId <- PA.PM_ProjectId.Operate_ProjectId[[BR]]
[[BR]]
The PA issues a project manager credential, for the newly created project, to the requester.[[BR]]
PA.PM_ProjectId <- Requester[[BR]]

=== Slice Authority ===
The SA trusts the GOC to endorse project authorities (clearinghouse coordinators).[[BR]]
SA.GeniPA <- GOC.GeniPA[[BR]]
[[BR]]
The SA trusts a GOC-endorsed IdP to issue user-role credentials.[[BR]]
SA.GeniExperimenter <- GOC.GeniIdP.GeniExperimenter[[BR]]
[[BR]]
The SA requires a user to be a trusted GENI experimenter in order to create a slice. A slice can only be created under a project whose root is a trusted project authority, and the requester must hold the privilege, asserted by the project's root, to operate on that project. All three queries must succeed before the slice is created.[[BR]]
SA.GeniExperimenter <?- Requester[[BR]]
SA.GeniPA <?- ProjectRoot[[BR]]
ProjectRoot.Operate_ProjectId <?- Requester[[BR]]
[[BR]]
The SA's access control policy for a slice allows a project manager of the associated project to operate on the slice, and allows the project manager(s) to further delegate that privilege. The SA does not itself decide who the project managers are; it defers to the project root's PM_ProjectId role.[[BR]]
SA.Operate_SliceId <- ProjectRoot.PM_ProjectId[[BR]]
SA.Operate_SliceId <- ProjectRoot.PM_ProjectId.Operate_SliceId[[BR]]
[[BR]]
The SA also issues a non-delegatable credential, for operating on the slice, to the requester. It is non-delegatable because there is no rule of the form SA.Operate_SliceId <- Requester.Operate_SliceId, so anything the requester asserts in its own Operate_SliceId role has no effect on the SA's policy.[[BR]]
SA.Operate_SliceId <- Requester

=== Aggregate Manager ===
The Orca AM trusts the GOC to endorse slice authorities (clearinghouse coordinators).[[BR]]
OrcaAM.GeniSA <- GOC.GeniSA[[BR]]
[[BR]]
The Orca AM trusts a GOC-endorsed IdP to issue user-role credentials.[[BR]]
OrcaAM.GeniExperimenter <- GOC.GeniIdP.GeniExperimenter[[BR]]

The Orca AM requires a user to be a trusted GENI experimenter in order to operate on a slice. In addition, the slice's root must be a trusted slice authority and the requester must hold the privilege, asserted by that slice root, to operate on the slice.[[BR]]
OrcaAM.GeniExperimenter <?- Requester[[BR]]
OrcaAM.GeniSA <?- SliceRoot[[BR]]
SliceRoot.Operate_SliceId <?- Requester[[BR]]
     56