Changes between Version 3 and Version 4 of AbacPolicy

Timestamp:
05/17/12 23:42:04 (7 years ago)
Author:
prateek (IP: 174.109.212.129)
 * Orca AM: Orca Aggregate Manager

=== GOC ===
The GOC endorses all the coordinators according to their specific functionalities. All the other actors trust the GOC-endorsed coordinators.

{{{
GOC.GeniIdP <- IdP
GOC.GeniPA <- PA
GOC.GeniSA <- SA
}}}

The individual actor policies are as follows.

=== Identity Provider ===
An identity provider is a trust anchor: a source of user attributes that is empowered to assert attributes without any proof. An IdP may endorse users based on information that it gets from other sources, such as an InCommon-registered identity provider.

{{{
IdP.GeniUser <- User1
IdP.GeniExperimenter <- User2
}}}

=== Project Authority ===
A project authority is an entity that controls creation of projects and defines the policies to access and control the created projects. A decision to approve a project is based at least in part on validated attributes of the requester.

The PA trusts a GOC-endorsed IdP to issue user-role credentials.
{{{

PA.GeniPI <?- Requester
}}}

The PA's access control policy for a project allows the project's manager(s) to operate on the project. It also allows the project manager(s) to further delegate the privilege.
{{{

PA.Operate_ProjectId <- PA.PM_ProjectId.Operate_ProjectId
}}}

The PA issues a project manager credential, for the newly created project, to the requester.
{{{

=== Slice Authority ===
A slice authority is an entity that controls creation of slices and defines the policies to access and control the created slices. A decision to approve a slice is based at least in part on validated attributes of the requester and the user's association with the corresponding project.

The SA trusts the GOC to issue clearinghouse coordinator credentials.
{{{
SA.GeniPA <- GOC.GeniPA
}}}

The SA trusts a GOC-endorsed IdP to issue user-role credentials.
{{{
SA.GeniExperimenter <- GOC.GeniIdP.GeniExperimenter
}}}

The SA requires a user to be a trusted GENI experimenter in order to create a slice. A slice can only be created under a project whose root is a trusted project authority. Also, the requester must have the privilege, asserted by the project's root, to operate on the project.
{{{

ProjectRoot.Operate_ProjectId <?- Requester
}}}

The SA's access control policy for a slice allows a project manager of the associated project to operate on the slice. It also allows the project manager(s) to further delegate the privilege. The SA delegates the policy that determines the project manager(s) to the project root.
{{{

SA.Operate_SliceId <- ProjectRoot.PM_ProjectId.Operate_SliceId
}}}
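To show how these RT0-style credentials chain, here is an added example (not from this wiki page or the Orca/GENI code) of a small evaluator: it computes role membership by fixed point and answers the `<?-` queries above for both the GOC-endorsed IdP trust rule and the slice-operate delegation rule. It assumes PA is the ProjectRoot and adds the constructed principals User3, OtherIdP and User9.

```python
from collections import defaultdict

# Constructed policy: the wiki page's credentials, with PA standing in for ProjectRoot
# and User3 / OtherIdP / User9 added to show delegation and an un-endorsed IdP (assumptions).
POLICY = """
GOC.GeniIdP <- IdP
GOC.GeniPA <- PA
IdP.GeniExperimenter <- User2
SA.GeniPA <- GOC.GeniPA
SA.GeniExperimenter <- GOC.GeniIdP.GeniExperimenter
SA.Operate_SliceId <- PA.PM_ProjectId.Operate_SliceId
PA.PM_ProjectId <- User2
User2.Operate_SliceId <- User3
OtherIdP.GeniExperimenter <- User9
"""

def parse(text):
    """Turn 'A.r <- B', 'A.r <- B.r1' and 'A.r <- B.r1.r2' lines into (head, body) tuples."""
    rules = []
    for line in text.strip().splitlines():
        head, body = (s.strip() for s in line.split("<-"))
        rules.append((tuple(head.split(".")), tuple(body.split("."))))
    return rules

def members(rules):
    """Bottom-up fixed point: (principal, role) -> set of principals proven to hold it."""
    m = defaultdict(set)
    changed = True
    while changed:
        changed = False
        for head, body in rules:
            if len(body) == 1:      # A.r <- B        : B is a member
                new = {body[0]}
            elif len(body) == 2:    # A.r <- B.r1     : every member of B.r1
                new = set(m[body])
            else:                   # A.r <- B.r1.r2  : linked role, X.r2 for each X in B.r1
                new = set().union(*(m[(x, body[2])] for x in m[(body[0], body[1])]))
            if not new <= m[head]:
                m[head] |= new
                changed = True
    return m

def holds(role, principal, text=POLICY):
    """The page's '<?-' query: is principal a member of role (e.g. 'SA.GeniExperimenter')?"""
    return principal in members(parse(text))[tuple(role.split("."))]
if __name__ == "__main__":
    print(holds("SA.GeniExperimenter", "User2"))   # True: IdP is GOC-endorsed
    print(holds("SA.GeniExperimenter", "User9"))   # False: OtherIdP is not endorsed by GOC
    print(holds("SA.Operate_SliceId", "User3"))    # True: delegated by project manager User2
```

The second query is the check that matters for a defender: an IdP that is not in GOC.GeniIdP can assert GeniExperimenter all it likes, and the SA still will not accept it.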

The SA also issues a non-delegatable credential, for operating on the slice, to the requester.
{{{

OrcaAM.GeniSA <- GOC.GeniSA
}}}

The Orca AM trusts a GOC-endorsed IdP to issue user-role credentials.
{{{
OrcaAM.GeniExperimenter <- GOC.GeniIdP.GeniExperimenter
}}}

The Orca AM requires a user to be a trusted GENI experimenter in order to operate on a slice. Also, the slice's root has to be a trusted slice authority, and the requester must have the privilege to operate on the slice.
{{{