XACML

Metadata Access Scenario

• Define policies:
  • supervisors can access all workflows in the organization
  • students can access only their own workflows
  • Example:
    • User urn:lsid:www.mygrid.org.uk:person:super123 is a supervisor
    • User urn:lsid:www.mygrid.org.uk:person:stu456 is a student
    • Both belong to urn:lsid:www.mygrid.org.uk:organization:789
  • That a person is a student or a supervisor could itself be metadata!
  • Use SamplePolicyBuilder in samples as a template or Java XACML Editor
    • see my RequestAndPolicyExamples
  • myGrid XACML policy

• Implement a Policy Decision Point (PDP) and a Policy Enforcement Point (PEP)
  • see: SimplePDP in samples
• Experimenter does a single sign on through Taverna using Shibboleth's Open SAML or similar
  • eg urn:lsid:www.mygrid.org.uk:person:stu456 and urn:lsid:www.mygrid.org.uk:organization:789 are then retrieved
• Code in the Provenance Browser Plugin uses PDP and PEP

Action Plan

• First focus on XACML and later on SAML
• Compare with Michael Parkin's OntoGrid Authentication Service
  • Globus Toolkit
    • Can be deployed under Tomcat as a separate module
  • VO ontology under development (PinarAlper^?, Iannis, Oscar)

Another scenario

• Experimenter decides to make part of a provenance record available.

The solution is to use TavernaWorkbench to mark up the sections of the runs one does not want to publish. This could be done by reusing the code for declaring processors boring.

References

• Introduction
• Another introduction
• Specification version 1.0
• Tutorial
• XACML paper
• API
• Architectural example
• Overview and Links
• XACML profile for Web-services

People

• Michael Parkin (ESNW)
• Ning Zhang and her students
• PsyGrid people (Globus, SAML)
• Andrew Mc Nab (Physics)