Changes between Version 35 and Version 36 of TIEDABACDemo


Timestamp: 07/14/09 18:27:54 (10 years ago)
Author: faber@isi.edu
Comment: --

  • TIEDABACDemo

    v35 v36  
    8181Now we have two prinicpals granting credentials that grant attributes to principals across domains.  Following the inter-principal connections can be confusing, so the explorer allows users to search the space from a global view.  This shows what authorizations are possible, given the attributes that the explorer knows about.  To activate this feature, the user types an attribute to track in the query window, and the explorer tracks relevant changes.  A sample window showing the results of a query for '''GENI.CTFadmin''' appears below.
    8282
    83 [[Image(example3.png)]]
     83[[Image(explorer6.png)]]
    8484
    8585The query window shows all nodes reachable from the query attibute in a graph with all the arrows' directions reversed, and keeps the display up to date so the user can see the results of changes to the graph.
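Review bot: In the context around the image swap at line 83, line 81 still reads "prinicpals" and line 85 reads "attibute"; since this revision already touches the paragraph's figure, correct both to "principals" and "attribute". The text was not updated along with the screenshot, so also confirm that explorer6.png shows the query for GENI.CTFadmin that line 81 says "appears below".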
     
    9797In ABAC, this is represented as a linked attribute.  In the explorer, one can create such a linked attribute in a way similar to creating a standard attribute.  Here the GENI principal creates such a rule that allows ACM representatives to designate contestants, all of whom will be granted the CTFaccess attribute.
    9898
    99 [[Image(example4.png)]]
     99[[Image(explorer7.png)]]
    100100
    101101The wording for the credential is a little comples, but it says "Any principal that has a ''P''.'''CTFcontestant''' attribute where ''P'' that has the '''ACM.gamerep''' attribute has the '''GENI.CTFaccess''' attribute, signed GENI".  More simply, the ACM principal can designate representatives by giving them the '''ACM.CTFrep''' attribute; when those representatives give another principal their '''.CTFcontestant''' attribute, the principal with that attribute is given the '''GENI.CFTaccess''' attribute.  ACM representatives can grant access to the slice.
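Review bot: Line 101, left unchanged beneath the new explorer7.png, names the representative attribute two ways: the quoted credential uses ACM.gamerep while the "More simply" sentence uses ACM.CTFrep, and the granted attribute appears as both GENI.CTFaccess and GENI.CFTaccess. In a walkthrough of a delegation rule the attribute names have to match each other and the screenshot exactly; pick one representative attribute (line 105 uses ACM.gamerep) and fix "CFTaccess". The same line also has "comples" and the ungrammatical "where P that has", which should read "where P has".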
     
    103103An advantage of this is that it creates a new administrative group - ACM's game representatives - that can be useful in other contexts. For example, this same group of representatives can designate contestants for other competitions or other attributes relevant to the capture the flag contest without further changes by the ACM.  Delegating through individual ACM attributes would require continuing work by the ACM.
    104104
    105 The ACM principal designates representatives by creating the '''ACM.gamerep''' attribute and connecting principals to it.  Below is an example designating the UCLA, USC, and MIT principals as representatives.
    106 
    107 [[Image(example5.png)]]
     105The ACM principal designates representatives by creating the '''ACM.gamerep''' attribute and connecting principals to it.  The screenshow above includes that a change in the ACM worldview.
    108106
    109107== Independent Contestent Administration ==
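Review bot: New line 105 ends with "The screenshow above includes that a change in the ACM worldview", which has a typo and does not parse; "The screenshot above includes that change in the ACM worldview" is presumably what is meant. Dropping the old line 105 sentence and example5.png also removes the only statement of which principals (UCLA, USC, and MIT) are designated as representatives, so say in the text whether explorer7.png still shows them. The heading at line 109/107 reads "Contestent"; change it to "Contestant" in the same edit.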