Changes between Version 27 and Version 28 of TIEDABACDemo


Timestamp:
07/13/09 18:08:24 (10 years ago)
Author:
faber@isi.edu
Comment:

--

  • TIEDABACDemo

    v27 v28  
    139139[[Image(example10.png)]]
    140140
    141 
    142 === ABAC Encoding (simple delegation) ===
    143 
    144 For the purposes of the example, we assume that there is a GENI principal that has allocated an empty slice for the contest.  That slice will be expanded and configured by principals with the GENI.adminCTF attribute and accessible by players with the GENI.accessCTF attribute.  We now lay out the attribute policies for allocating these two attributes.
    145 
    146 Because the set of officials is small, the ACM chooses to administer them directly.  To support this the GENI principal delegates the adminCTF attribute to the ACM principal:
    147 
    148 [[Image(example1.png)]]
    149 
    150 And the ACM principal authorizes principals by making them officials.
    151 
    152 [[Image(example2.png)]]
    153 
    154 The ACM principal can add or delete officials independently, and those officials have admin rights to the slice automatically.
    155 
    156 Of course, both the ACM and GENI will be assigning other attributes unrelated to this project, so their attribute space may be large enough that we provide a tool to maintain these spaces and their ramifications.  Most of the images in this section are screenshots from that application.  The image below is the result of a query for all users with the GENI.CTFadmin attributes from a set of attributes that includes those above.  The two above are only the local attribute spaces of the two principals, below is a summary of both.  (Principals who have the attribute are flagged by the bold red border, though all principals in this case have the rights).
    157 
    158 [[Image(example3.png)]]
    159 
    160 === ABAC Encoding (linked roles) ===
    161 
    162 Because there are many more contestants than officials and the qualifying requirements are locally decided, the access rights to the contest slice are administered more loosely.  This time GENI delegates access to the principals that ACM's CTFreps designate as contestants.
    163 
    164 [[Image(example4.png)]]
    165 
    166 ACM now selects principals at each participating university that can authorize contestants (CTFreps).
    167 
    168 [[Image(example5.png)]]
    169 
    170 The USC principal selects students individually:
    171 
    172 [[Image(example6.png)]]
    173 
    174 The MIT principal opens the contest to all MIT students:
    175 
    176 [[Image(example7.png)]]
    177 
    178 And the UCLA principal further delegates the authority to its local ACM officers:
    179 
    180 [[Image(example8.png)]]
    181 
    182 Those officers then select individual students:
    183 
    184 [[Image(example9.png)]]
    185 
    186 These local decisions make for a rich global attribute derivation graph.  As before determining which principals can access the graph is done by a depth first search through the graph.
    187 
    188 [[Image(example10.png)]]
    189 
    190141=== Negotiating Access ===
    191142
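Review bot: the removed paragraph at old line 156 spells the official attribute as GENI.CTFadmin, while old line 144 introduces it as GENI.adminCTF and the rest of the section uses that form; if this section is being relocated rather than dropped, carry the consistent name GENI.adminCTF with it. Old line 186 also says the depth-first search determines "which principals can access the graph", where the surrounding text is about access to the contest slice, so "which principals can access the slice" reads correctly. Finally, the references to example1.png through example9.png leave this page with the block (only example10.png remains at line 139), so confirm those attachments are still referenced from wherever the text moves.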