Emerging from the mists: Requirements for supporting VOs
http://arch.doit.wisc.edu/keith/camp/voReqs-050701-01.ppt
Keith Hazelton (hazelton@doit.wisc.edu), Sr. IT Architect, University of Wisconsin-Madison
Internet2 MACE Advanced CAMP, Denver, July 1, 2005
Federated Identity & Access Management (FIAM)
• FIAM: self-predicting term in Latin: “I will be made”
  • root meaning: to make
  • passive voice, indicative mood, future tense
God bless the VO known as WIKIpedia

VO challenges I heard at CAMP
• VO support utilities must be as easy to use as
  • managing a local collaboration team
  • sharing applications on a single host
• …or else?
• Or else the latter is exactly how it will be done

VO challenges I heard at CAMP
• For both ScienceGateway & Vivarium:
  • IdPs and SPs in a given VO will need mechanisms by which they
    • come to agreements on
    • manage
    • and use information.
• What information?

VO challenges I heard at CAMP
• Well, MINIMALLY, information re:
  • what user affiliations/groups there are (IdP)
  • what resource/host-level privileges members of those affiliations should have (SP)
  • what (SAML) attribute & values will express those affiliations/groups (IdP/SP agreement)

Managing Roles & Privileges: The Internet2 way
Role-Based Access Control (RBAC) model
• Users are placed into groups
• Privileges are assigned to groups
• Groups can be arranged into hierarchies to effectively bestow privileges
• Signet manages privileges
• Grouper manages, well, groups
MAXIMAL case: Model from Signet (Business View)
[Diagram: the Signet model organizes actions into Subsystems, Categories, Functions and Limits. Example subsystems: Student Admin, Financial Aid, Clinical Trial, Grant Administration. Example categories and functions: Course Support (Add/Drop students, Schedule Classes), Process Applicants, Award Scholarships, Manage Accounts, Patient Records (Read/Write), Materials Control, Manage, Lab Access. Example limits: Which term, Which campus, For school…, From Fund…, For fund…, Protocol A, Qty/day, $ constraints, Hours.]
VO challenges I heard at CAMP
• MAXIMALLY, information re:
  • what subsystems there are
  • what functions in what organizing categories there are
  • what affiliations/groups have those categories/functions on those subsystems
  • what resource/host-level privileges are required to perform those functions

VO challenges I heard at CAMP
• And information re:
  • what attributes will express those groups and privileges
  • which party will maintain the registries and delivery services for which bits of this information
• Signet suggested these categories of information

Bold Conclusion (for debate)
• IdP site should manage users, groups/affiliations
• SP site should manage system-level permissions and what groups/affiliations get which ones
• That’s it! (for MINIMAL entry-level case)

Bold Conclusion, MAXIMAL case (for debate)
• IdP site should manage users, groups/affiliations
• SP site should manage system-level permissions
• Both must agree on subsystems and categories of functions down to syntax and semantics of attributes/expressions
• IdP should maintain map from user/group to function
• SP should maintain map from function to permissions
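To make the division of labour in the MAXIMAL case concrete, here is an added Python sketch (not from the deck, nor Signet or Grouper code) of the two maps and the agreed attribute vocabulary that is the only thing coupling them. The attribute name, URN prefix, group names and permission strings are all constructed for illustration.

```python
"""Two-map decomposition from the deck's MAXIMAL case (constructed example).
IdP: users -> groups -> functions.  SP: functions -> host-level permissions.
The only shared artefact is the agreed attribute vocabulary below."""

# Agreed between IdP and SP: attribute name, value syntax, and allowed values.
# Attribute name and URN prefix are assumed, not taken from the deck.
ATTR_NAME = "vo-function"
VO_PREFIX = "urn:example:vo:function:"
AGREED_FUNCTIONS = {"add-drop-students", "schedule-classes", "award-scholarships"}

# --- IdP side: knows users and groups, never host-level permissions --------
IDP_USER_GROUPS = {"alice": {"registrar-staff"}, "bob": {"finaid-officer"},
                   "carol": {"registrar-staff", "finaid-officer"}}
IDP_GROUP_FUNCTIONS = {"registrar-staff": {"add-drop-students", "schedule-classes"},
                       "finaid-officer": {"award-scholarships", "audit-ledger"}}

def idp_assert(user):
    """Attribute values the IdP asserts for `user`.  Functions outside the
    agreed vocabulary (e.g. audit-ledger) are dropped: the SP would have no
    agreed meaning for them, so they never leave the IdP."""
    functions = set()
    for group in IDP_USER_GROUPS.get(user, set()):
        functions |= IDP_GROUP_FUNCTIONS.get(group, set())
    return {ATTR_NAME: sorted(VO_PREFIX + f for f in functions & AGREED_FUNCTIONS)}

# --- SP side: knows host-level permissions, never users or groups -----------
SP_FUNCTION_PERMISSIONS = {"add-drop-students": {"db:enrollment:write"},
                           "schedule-classes": {"db:timetable:write", "db:rooms:read"},
                           "award-scholarships": {"db:funds:write"}}

def sp_permissions(assertion):
    """Host-level permissions implied by an incoming assertion.  Values that
    are malformed or outside the agreed vocabulary are ignored (fail closed)."""
    granted = set()
    for value in assertion.get(ATTR_NAME, []):
        if not value.startswith(VO_PREFIX):
            continue                       # wrong syntax: not ours
        function = value[len(VO_PREFIX):]
        if function in AGREED_FUNCTIONS:   # agreed semantics only
            granted |= SP_FUNCTION_PERMISSIONS.get(function, set())
    return granted

def sp_authorize(assertion, permission):
    """Approve or deny one request against the translated permissions."""
    return permission in sp_permissions(assertion)

if __name__ == "__main__":
    print(sp_authorize(idp_assert("alice"), "db:timetable:write"))  # True
```

Changing a group membership touches only the IdP tables, and changing what a function means on the host touches only the SP table; only a change to AGREED_FUNCTIONS needs both parties.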
VO challenges I heard at CAMP
• MUST have: Delegable IAM admin services
  • with absolutely no dependencies on the specific institutional home base of
    • the users
    • the administrator(s)
    • the service(s)

VO challenges I heard at CAMP
• Users make requests that service providers approve or deny.
• The decision will sometimes depend on amalgamated bits of identity info…
• …for which a variety of IdPs are the authoritative source.
• Whose job is it to overcome identity fragmentation at the federation level?

Q & A