In this case, the delegated attribute (GPO GENI user) is delegated to principals who possess one (or more) of a set of attributes (''P'' GENI user, for many different ''P''). That set is defined in terms of an authorizer attribute (NSF PI): any principal ''P'' that holds the authorizer attribute can assign the delegated attribute simply by assigning its own local version of the delegating attribute (''P'' GENI user). This links the authorizer attribute to the delegating attributes, so the construct is often called a linked attribute (or linked role). The authorizer attribute is what keeps the delegation bounded: a principal that is not an NSF PI can assign its local GENI user attribute to anyone it likes, but that assignment proves nothing about GPO GENI user.

Each of these assignments and delegations maps onto an ABAC credential: a signed assertion that can be used in a proof. Because every credential is a signed statement of a fact (an attribute assignment) or of a delegation of authority, chaining them according to the rules above corresponds to collecting those signed credentials, and the collected chain is what establishes the trust relationship. ABAC credentials let principals negotiate directly about what they consider adequate proof. Below we show a simple visualization that represents constructing that proof as finding a path between two nodes in a graph; the actual negotiation protocol can be similarly simple.

Until an authorization decision needs to be made, all of these credentials can be kept locally and brought together to make the decision. Principals can also pass them around so they are available when needed. For example, when the NSF designates a PI, it may send that PI the signed credential so that the PI can include it in authorization requests. Because each credential is verified against its issuer's signature rather than trusted on the basis of who delivered it, it can be carried by any principal and over any channel without weakening the proof.
The image above shows how to walk the chain of attribute assignments and delegations to prove that a principal has a given attribute. In this case, it shows that Ted has the GOP.demo attribute. Proving that a principal has an attribute is equivalent to finding a path from the principal to the attribute in the graph induced by the credentials: each arrow is one credential, and the credentials along the path are exactly the signed assertions a verifier must check. We use this representation in our configuration and visualization tool to help administrators.

[[Image(Linked.png)]]

A linked role is drawn as a distinct attribute node that joins the authorizing attribute (in parentheses) to the delegating attribute with a dot; the arrow from that node completes the delegation. That arrow is only usable for a particular principal ''P'' once a separate path shows that ''P'' holds the authorizing attribute, so a proof that passes through a linked role always carries that sub-proof with it.

[[Image(LinkedCreds.png)]]
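The proof search sketched above (find the chain of credentials from a principal to an attribute, including the extra sub-proof a linked role needs) is small enough to show in full. The following is an added example written for this page, not code from the GENI ABAC implementation or its tools: it models the three credential forms as plain Python values, computes who holds each attribute as a least fixed point over the credential set, and returns the chain of credentials that proves it. Signature checking is deliberately omitted so it runs offline; each `Credential` stands for an assertion signed by the issuer named before the first dot of its head. The principal names (Alice, Bob, Carol, Ted, Mallory) and the GPO staff attribute are made up for illustration; the NSF PI and GPO GENI user attributes and the linked role joining them are the ones discussed in the text.

```python
"""Toy RT0-style ABAC credential store with a chain-producing proof search.

Added example for illustration only; not the GENI ABAC library's code.
Signatures are not modelled: each Credential stands for a statement signed by
the issuer of its head attribute. Principal names are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Union


@dataclass(frozen=True)
class Attr:
    """An attribute such as NSF.PI: issuer NSF, attribute name PI."""
    issuer: str
    name: str

    def __str__(self) -> str:
        return f"{self.issuer}.{self.name}"


@dataclass(frozen=True)
class Linked:
    """A linked role A.r1.r2: every principal P holding A.r1 contributes P.r2."""
    issuer: str
    authorizer: str   # r1: the attribute that selects who may delegate
    delegating: str   # r2: the local attribute each such principal assigns

    def __str__(self) -> str:
        return f"{self.issuer}.{self.authorizer}.{self.delegating}"


@dataclass(frozen=True)
class Credential:
    """head <- body; the three RT0 forms are told apart by the body's type."""
    head: Attr
    body: Union[str, Attr, Linked]   # principal | attribute | linked role

    def __str__(self) -> str:
        return f"{self.head} <- {self.body}"


Chain = List[Credential]


def holders(creds: List[Credential]) -> Dict[Attr, Dict[str, Chain]]:
    """Least fixed point: for each attribute, who holds it and the proving chain.

    Iterates until no credential yields a new holder, so it terminates on any
    finite credential set and handles mutually recursive delegations.
    """
    mem: Dict[Attr, Dict[str, Chain]] = {}

    def found(attr: Attr) -> Dict[str, Chain]:
        return mem.get(attr, {})

    changed = True
    while changed:
        changed = False
        for c in creds:
            derived: Dict[str, Chain] = {}
            b = c.body
            if isinstance(b, str):                      # A.r <- B
                derived[b] = [c]
            elif isinstance(b, Attr):                   # A.r <- B.s
                for p, chain in found(b).items():
                    derived.setdefault(p, chain + [c])
            else:                                       # A.r <- B.r1.r2
                # The linked arrow is usable for P only once P's authorizer
                # attribute is itself proved; that sub-proof is kept in the chain.
                for p, auth in found(Attr(b.issuer, b.authorizer)).items():
                    for q, chain in found(Attr(p, b.delegating)).items():
                        derived.setdefault(q, auth + chain + [c])
            bucket = mem.setdefault(c.head, {})
            for p, chain in derived.items():
                if p not in bucket:
                    bucket[p] = chain
                    changed = True
    return mem


def prove(creds: List[Credential], principal: str, attr: Attr) -> Optional[Chain]:
    """Return the credential chain proving `principal` holds `attr`, else None."""
    return holders(creds).get(attr, {}).get(principal)


GPO_USER = Attr("GPO", "GENI_user")

# Constructed sample credential set (names are made up).
SAMPLE: List[Credential] = [
    Credential(Attr("NSF", "PI"), "Alice"),                  # NSF designates Alice a PI
    Credential(Attr("Alice", "GENI_user"), "Ted"),           # Alice names Ted one of her users
    Credential(Attr("Bob", "GENI_user"), "Mallory"),         # Bob is not an NSF PI
    Credential(Attr("GPO", "staff"), "Carol"),
    Credential(GPO_USER, Attr("GPO", "staff")),              # plain delegation
    Credential(GPO_USER, Linked("NSF", "PI", "GENI_user")),  # linked role from the text
]

if __name__ == "__main__":
    for who in ("Ted", "Carol", "Mallory"):
        chain = prove(SAMPLE, who, GPO_USER)
        print(who, "->", " ; ".join(map(str, chain)) if chain else "no proof")
```

Running it shows Ted reaching GPO.GENI_user through three credentials (NSF's assignment of PI to Alice, Alice's local assignment to Ted, and GPO's linked-role credential), Carol reaching it through the plain delegation, and Mallory getting no proof at all: Bob's local GENI_user assignment is a perfectly valid credential, but without an NSF.PI credential for Bob the linked arrow never applies to it. The chain returned is exactly the set of signed assertions a relying party would have to verify.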