User Attributes; who, where, how many? Daan Broeder TLA – MPI for Psycholinguistics
User attributes
• Of course there is the model of separating authentication from authorization; of identity and attributes
• This does not mean that there should always be different organizations taking care of authentication and user attributes
• In CLARIN AAI a user organization provides:
  • Authentication
  • Set of ‘real’ user attributes: mail, affiliation, …
    • Attributes best left to the user organization
    • Traditional attributes such as those from eduPerson and SCHAC
Attributes for Communities
• Specific attributes for research communities:
  • Signed the CoC
  • ‘Trustworthy’ researcher
  • Research profile information
• IdPs within a community are not consistent and need compensation by a ‘community’ attribute store:
  • Different interpretation of federation requirements
  • (Different interpretation of) legalities
  • Sheer confusion
• Unlikely these attributes find a place in the user’s home organization’s IdP
• So an external attribute provider under control of a community organization?
• How does this scale?
Attributes for research collaborations
• When researchers collaborate we facilitate this with specific roles. Suppose we have a collaboration ‘A’:
  • GroupA_rw_user -> user_d, user_e, user_f
  • GroupA_ro_user -> user_g, user_h
  • GroupA_manager -> user_f
• Roles give access to data and services
• Collaborations can be interdisciplinary if these user attributes are made available to the different communities
• But where to store them?
  • National science organizations?
  • International embedding?
Attributes for authorization
• We can grant access based on ‘standard’ attributes such as ‘affiliation’ or ‘o’, or …
• … grant access on the basis of eduPersonEntitlement
  • Does not scale in a federation
  • MPG-AAI: security/privacy issues
  • Would need special attributes such as:
    • rw_access_to_datasetA
    • unlimited_access_serviceC
• Push for special (central) authorization attribute providers that are available from different SPs, to cater for replicated data and services
  • Concern about governance of these attribute providers
  • Community data centers like to be in charge
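The two slides above (collaboration roles, and granting access on attributes from more than one provider) describe a decision an SP has to make from attributes that arrive from two places: the home IdP and a community attribute store. The following is an added example, not CLARIN or MPG code, showing that decision in Python. It keeps the GroupA_rw_user / GroupA_ro_user / GroupA_manager roles from the slide; the permission strings, the attribute names signedCoC and collaborationRole, the entitlement URN and the sample users are constructed for the example. The security point it adds is that each source is trusted only for the attributes it is authoritative for: a community store cannot assert an affiliation, and a home IdP cannot hand out collaboration roles.

```python
"""Attribute-based access decision for collaboration 'A', combining attributes
from a user's home IdP with those of a community attribute provider.

Added example; not CLARIN/MPG code. Attribute names other than the eduPerson
ones, the entitlement URN and the permission strings are hypothetical.
"""
from typing import Dict, Iterable, Mapping, Set

Attributes = Dict[str, Set[str]]

# Which source is authoritative for which attribute. mail,
# eduPersonScopedAffiliation and eduPersonEntitlement are eduPerson attributes
# asserted by the home organization; signedCoC and collaborationRole are
# hypothetical names for what a community attribute store would assert.
HOME_IDP_ATTRIBUTES = {"mail", "eduPersonScopedAffiliation", "eduPersonEntitlement"}
COMMUNITY_ATTRIBUTES = {"signedCoC", "collaborationRole"}

# Roles of collaboration 'A' (from the slides) mapped to permissions (our choice).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "GroupA_rw_user": {"datasetA:read", "datasetA:write"},
    "GroupA_ro_user": {"datasetA:read"},
    "GroupA_manager": {"datasetA:read", "datasetA:write", "datasetA:manage"},
}

# Hypothetical eduPersonEntitlement value an SP could accept instead of a role.
ENTITLEMENT_RW_DATASET_A = "urn:example:rw_access_to_datasetA"


def merge_attributes(home: Mapping[str, Iterable[str]],
                     community: Mapping[str, Iterable[str]]) -> Attributes:
    """Merge two attribute assertions, keeping each source authoritative only
    for its own attribute names. Anything else a source asserts is dropped:
    a community store cannot grant an affiliation, and a home IdP cannot hand
    out collaboration roles it knows nothing about."""
    merged: Attributes = {}
    for source, allowed in ((home, HOME_IDP_ATTRIBUTES), (community, COMMUNITY_ATTRIBUTES)):
        for name, values in source.items():
            if name in allowed:
                merged.setdefault(name, set()).update(values)
    return merged


def permissions_for(attrs: Attributes) -> Set[str]:
    """Permissions implied by the merged attributes. Unknown roles grant nothing."""
    perms: Set[str] = set()
    for role in attrs.get("collaborationRole", set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    if ENTITLEMENT_RW_DATASET_A in attrs.get("eduPersonEntitlement", set()):
        perms |= ROLE_PERMISSIONS["GroupA_rw_user"]
    return perms


def may_access(attrs: Attributes, permission: str) -> bool:
    """Policy: dataset access requires a signed CoC and a matching permission."""
    if "true" not in attrs.get("signedCoC", set()):
        return False
    return permission in permissions_for(attrs)


# Constructed sample assertions, keyed by user as the slides name them.
HOME_IDP = {
    "user_f": {"mail": ["f@example.org"], "eduPersonScopedAffiliation": ["staff@example.org"]},
    "user_g": {"mail": ["g@example.org"], "eduPersonScopedAffiliation": ["member@example.org"]},
    # a home IdP that (wrongly) asserts a collaboration role: must be ignored
    "user_x": {"mail": ["x@example.org"], "collaborationRole": ["GroupA_manager"]},
    # a home IdP that asserts the entitlement instead of a role
    "user_y": {"mail": ["y@example.org"], "eduPersonEntitlement": [ENTITLEMENT_RW_DATASET_A]},
}
COMMUNITY_STORE = {
    "user_f": {"signedCoC": ["true"], "collaborationRole": ["GroupA_rw_user", "GroupA_manager"]},
    "user_g": {"signedCoC": ["true"], "collaborationRole": ["GroupA_ro_user"]},
    # a community record that (wrongly) tries to assert an affiliation: must be ignored
    "user_x": {"signedCoC": ["true"], "eduPersonScopedAffiliation": ["staff@example.org"]},
    "user_y": {"signedCoC": ["true"]},
}


def decide(user: str, permission: str) -> bool:
    """Authorization decision for one user, as an SP would make it."""
    attrs = merge_attributes(HOME_IDP.get(user, {}), COMMUNITY_STORE.get(user, {}))
    return may_access(attrs, permission)


if __name__ == "__main__":
    for user in HOME_IDP:
        print(user, {p: decide(user, p) for p in ("datasetA:read", "datasetA:write", "datasetA:manage")})
```

The per-source allow-list in merge_attributes is the part that matters for governance: whoever runs the community attribute provider can only affect the attributes the SP has agreed to take from it, so the "who is in charge" question on the slide is answered per attribute rather than for the whole assertion.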
[Diagram: attribute sources. Home organization attributes, research community attributes and collaboration attributes, with scale labels 10^6, 10^4 and 10^2.]
[Diagram: e-infrastructure context. Community specific: CLARIN LT web service infrastructure, replication & preservation. SSH communities wide: DASISH, common SSH metadata catalog. E-infrastructure services: PID services – EPIC; Data Preservation – EUDAT; Network Services – GEANT; Federated Identity Management. Communities shown: CLARIN, DARIAH, CESSDA, Life Watch.]