myGrid Security - PowerPoint PPT Presentation

Provided by: Chris547

Transcript and Presenter's Notes

Title: myGrid Security


1
myGrid Security
  • Daniele Turi
  • University of Manchester
  • OMII f2f Meeting, London, 19-20/4/06

2
(No Transcript)
3
  • User sends LSID ref and credentials to the Access Point
  • Access Point returns data and metadata or denies access as follows:
      • credentials are passed to a User Directory
      • User Directory passes the corresponding user to the Authorization Authority
      • Authorization Authority returns the user attributes in the form of a (possibly signed) SAML assertion
      • this assertion, together with the LSID and its corresponding metadata, is passed to the Policy Enforcement Point (PEP)
      • PEP uses these three inputs to form an XACML request that is passed to a Policy Decision Point (PDP) that is preloaded with an XACML Policy Set
      • PDP evaluates the request against its policy set and returns an XACML response to PEP
      • PEP decodes the response and either allows data/metadata to be returned to the user or denies access

4
myGrid XACML Policy
  • Scenario
      • supervisors can access all workflows in the organization
      • students can access only their own workflows
      • blacklisted users cannot access anything
  • See policySet.xml on myGrid wiki
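
An added sketch (not from the presentation and not myGrid's policySet.xml) of the PEP/PDP steps on slide 3 applied to the slide-4 scenario, modelled in Python rather than XACML. The attribute names, the deny-overrides combining, the same-organization check and the sample LSID are assumptions made for illustration; the user attributes are taken as already extracted from a validated SAML assertion.

```python
# Added illustration: a toy PEP/PDP pair for the slide-4 scenario.
# Attribute names and deny-overrides combining are assumptions,
# not taken from myGrid's policySet.xml.
from dataclasses import dataclass

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass(frozen=True)
class Request:
    subject: dict    # user attributes carried by the SAML assertion
    resource: dict   # LSID plus its metadata

def rule_blacklist(req):
    return DENY if req.subject.get("blacklisted") else NOT_APPLICABLE

def rule_supervisor(req):
    s, r = req.subject, req.resource
    org = s.get("organization")
    if s.get("role") == "supervisor" and org and org == r.get("organization"):
        return PERMIT
    return NOT_APPLICABLE

def rule_student(req):
    s, r = req.subject, req.resource
    if s.get("role") == "student" and s.get("id") and s.get("id") == r.get("owner"):
        return PERMIT
    return NOT_APPLICABLE

POLICY_SET = (rule_blacklist, rule_supervisor, rule_student)

def pdp_evaluate(req, rules=POLICY_SET):
    """Deny-overrides: any Deny wins; otherwise Permit if some rule permits."""
    decisions = [rule(req) for rule in rules]
    if DENY in decisions:
        return DENY
    return PERMIT if PERMIT in decisions else NOT_APPLICABLE

def pep_authorize(assertion_attrs, lsid, metadata):
    """Form the request from the three inputs; release data only on Permit."""
    req = Request(subject=dict(assertion_attrs),
                  resource={**metadata, "lsid": lsid})
    return pdp_evaluate(req) == PERMIT

# Constructed sample data, not real myGrid identifiers.
META = {"owner": "alice", "organization": "org-a"}
LSID = "urn:lsid:example.org:workflow:42"
```

The PEP treats NotApplicable the same as Deny, so a user with no matching role, or a student asking for someone else's workflow, is refused rather than let through by default.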