| 50 | |
| 51 | Drawing that line creates a credential that says "Any principal that has the GENI.CTFadmin attribute has the GENI.CTFaccess attribute, signed by GENI". Notice that only the GENI principal can create such a credential: it controls the GENI.CTFaccess attribute, and any assignment of that attribute must be done by the controlling principal. |
| 52 | |
| 53 | Any attribute reachable by following edges from principal to attribute is possessed by that principal. Now the '''BBNAdmin''' principal has both the '''GENI.CTFadmin''' and '''GENI.CTFaccess''' attributes. |
| 54 | |
| 55 | == Delegating Administration to ACM == |
| 56 | |
| 57 | At this point the GENI principal has placed a principal in a position to configure and access the contest slice in case of trouble, but the rest of the access control is to be the business of the ACM principal. Delegating this authority is again expressed by relating two attributes, one controlled by the GENI principal and one by the ACM principal. |
| 58 | |
| 59 | In the explorer, the GENI user creates an attribute named ACM.CTFofficial and draws an arrow from it to GENI.CTFaccess. Note that the GENI user cannot draw lines into the ACM.CTFofficial attribute, because that attribute is controlled by ACM, but it can delegate control of its own '''GENI.CTFadmin''' attribute. |
| 60 | |
| 61 | [[Image(example1.png)]] |
| 62 | |
| 63 | Like all drawn arrows, this represents a credential; that credential says "any principal having the ACM.CTFofficial attribute has the GENI.CTFadmin attribute, signed by the GENI principal." Because the GENI principal cannot control how the '''ACM.CTFofficial''' attribute is administered by the ACM principal (or even that such an attribute exists), this is a delegation of power. |
| 64 | |
| 65 | |
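The credential graph described above can be modelled in a few lines. This is an added example, not code from the ABAC project: the `Credential` tuple, the function names, the principals `Alice` and `Outsider`, and the credential giving BBNAdmin the GENI.CTFadmin attribute are assumptions, signing is reduced to an issuer field, and the delegation edge follows the credential wording in the text (ACM.CTFofficial implies GENI.CTFadmin).

```python
# Added illustration: signatures are modelled as an "issuer" field, not real crypto.
from collections import namedtuple

# issuer signs: "whoever is/has `subject` has attribute `head`"
Credential = namedtuple("Credential", "issuer subject head")

def controller(attribute):
    """GENI.CTFaccess is controlled by GENI."""
    return attribute.split(".", 1)[0]

def is_valid(cred):
    # Only the principal controlling the head attribute may assign it.
    return cred.issuer == controller(cred.head)

def attributes_of(principal, creds):
    """Follow edges from a principal through every validly issued credential."""
    edges = {}
    for c in creds:
        if is_valid(c):
            edges.setdefault(c.subject, set()).add(c.head)
    held, stack = set(), [principal]
    while stack:
        for attr in edges.get(stack.pop(), ()):
            if attr not in held:
                held.add(attr)
                stack.append(attr)
    return held

# Constructed sample credentials using the attribute names from the text.
CREDS = [
    Credential("GENI", "BBNAdmin", "GENI.CTFadmin"),         # assumed earlier step
    Credential("GENI", "GENI.CTFadmin", "GENI.CTFaccess"),   # the line drawn above
    Credential("GENI", "ACM.CTFofficial", "GENI.CTFadmin"),  # delegation to ACM
    Credential("ACM", "Alice", "ACM.CTFofficial"),           # hypothetical ACM assignment
    Credential("ACM", "Outsider", "GENI.CTFaccess"),         # invalid: ACM does not control it
]

if __name__ == "__main__":
    for who in ("BBNAdmin", "Alice", "Outsider"):
        print(who, sorted(attributes_of(who, CREDS)))
```

The last credential is ignored because its issuer does not control the attribute it assigns, which is the rule that keeps GENI.CTFaccess under GENI's control even after delegation.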