Changes between Version 21 and Version 22 of TIEDABACDemo


Timestamp:
07/12/09 21:56:18 (15 years ago)
Author:
faber@isi.edu
Comment:

--

  • TIEDABACDemo

    v21 v22  
    3737== Assigning Attributes to Principals Directly (local GENI administrator) ==
    3838
    39 In order to assign that attribute to a principal using the explorer, one connects the principal representation (an ellipse with that prinicpal's name in it) to the attribute in question.  The following shows the '''BBNAdmin''' principal being assigned the '''GENI.CTFAdmin''' attribute.
     39In order to assign that attribute to a principal using the explorer, one connects the principal representation (an ellipse with that prinicpal's name in it) to the attribute in question.  The following shows the '''BBNAdmin''' principal being assigned the '''GENI.CTFadmin''' attribute.
    4040
    4141[[Image(example0.png)]]
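Review bot: line 39 still misspells "principal" as "prinicpal" in the parenthetical ("an ellipse with that prinicpal's name in it") in both the old and the new text; since this line is already being edited to fix the attribute case (GENI.CTFAdmin to GENI.CTFadmin), correct that spelling in the same change.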
     
    4848
    4949[[Image(example13.png)]]
     50
     51Drawing that line creates a credential that says "Any principal that has the GENI.CTFadmin attribute has the GENI.CTFaccess attribute, signed GENI".  Notice that only the GENI principal can create such a credential: it controls the GENI.CTFaccess attribute, and any assignment of that attribute must be done by the controlling prinicpal. 
     52
     53Any attribute reachable by following edges from principal to attribute is possessed by that principal.  Now the '''BBNAdmin''' principal has both the '''GENI.CTFadmin''' and '''GENI.CTFaccess''' attributes.
     54
     55== Delegating Administration to ACM ==
     56
     57At this point the GENI principal has placed a principal in a position to configure and access the contest slice in case of trouble, but the rest of the access control is to be the business of the ACM principal.  Delegating this authority is again expressed by relating two attributes, one controlled by the GENI principal and one by the ACM principal.
     58
     59In the explorer the GENI user creates an attribute named ACM.CTFofficial and draws an arrow from it to GENI.CFTaccess.  Note that the GENI user cannot draw lines into the ACM.CTFofficial attribute, because that attribute is controlled by ACM, but it can delegate control of its own '''GENI.CFTadmin''' attribute.
     60
     61[[Image(example1.png)]]
     62
     63Like all drawn arrows, this represents a credential; that credential says "any principal having the ACM.CTFofficial attribute has the GENI.CTFadmin attribute, signed the GENI principal."  Because the GENI principal cannot control how the '''ACM.CTFofficial''' is administered by the ACM principal (or even that such an attribute exists) this is a delegation of power.
     64
     65
    5066
    5167=== ABAC Encoding (simple delegation) ===
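Review bot: added line 59 names the arrow's target as GENI.CFTaccess, but the credential described on line 63 grants the GENI.CTFadmin attribute, and the second sentence of line 59 itself says GENI delegates control of its own GENI.CFTadmin attribute, so the target should read GENI.CTFadmin. Both attribute names on line 59 also transpose CTF to CFT, while lines 51, 53 and 63 use GENI.CTFaccess / GENI.CTFadmin; ABAC attribute names are exact identifiers, so one spelling should be used throughout. Line 51 also repeats the "prinicpal" misspelling ("done by the controlling prinicpal").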