Changes between Version 4 and Version 5 of TIEDABACModel


Timestamp:
10/10/11 15:33:47 (13 years ago)
Author:
Adam Slagell
Comment:

--

  • TIEDABACModel

    v4 v5  
    1515In ABAC, principals can be an individual (researcher, user) or larger authority (GPO, university).  Prinicpals can use a range of systems to authenticate themselves.  A principal can be the subject of authorization decisions and have attributes asserted about it by other principals.
    1616
    17 An attribute is a property of a principal created by the assertion of another princppal.  The University of Southern California (a principal) may assert that Ted Faber (a principal) is a staff member (attribute).  The attributes are scoped by prinicpal, that is if USC asserts Ted Faber is staff, that is one attribute, if ISI also asserts that Ted Faber is staff that is a second attribute.  Assertions are represented as a digitally signed statement, called a credential.
     17An attribute is a property of a principal created by the assertion of another principal.  The University of Southern California (a principal) may assert that Ted Faber (a principal) is a staff member (attribute).  The attributes are scoped by prinicpal, that is if USC asserts Ted Faber is staff, that is one attribute, if ISI also asserts that Ted Faber is staff that is a second attribute.  Assertions are represented as a digitally signed statement, called a credential.
    1818
    1919A given prinicpal may also assert rules about how attributes relate.  The GPO may assert that all USC GENI staff are also GPO prototypers.  That delegates authority to USC to add to GPO prototypers.  In this case the delegated attribute (GPO prototypers) is given to prinicpals who also possess the delegating attribute (USC GENI).
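Review bot: line 17 still contains the misspelling "prinicpal" in "The attributes are scoped by prinicpal" after this edit corrects "princppal", and the unchanged context lines 15 ("Prinicpals can use a range of systems") and 19 ("A given prinicpal", "given to prinicpals") carry the same error. Fix all of them in the same revision so that "principal" is spelled consistently across the definitions. Line 17 would also read more clearly with its comma splice broken up, for example: "The attributes are scoped by principal: if USC asserts that Ted Faber is staff, that is one attribute; if ISI also asserts it, that is a second attribute."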
     
    4141[[Image(Simple.png)]]
    4242
    43 The image above shows a simple delegation.  The GPO prinicpal has delegated the power to grant principals the GPO.demo attribute to USC by asserting that any principal with the ISI.GENI attribute also has the GPO.demo attribute. We now show how to demonstrate that a given principal has a delegated attribute.
     43The image above shows a simple delegation.  The GPO prinicpal has delegated the power to grant principals the GPO.demo attribute to ISI by asserting that any principal with the ISI.GENI attribute also has the GPO.demo attribute. We now show how to demonstrate that a given principal has a delegated attribute.
    4444
    4545[[Image(Creds.png)]]
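Review bot: in line 43, changing the delegate from USC to ISI makes the sentence agree with the ISI.GENI attribute it names, but Simple.png should be checked to confirm it also shows ISI as the principal receiving the delegation, since the sentence describes that figure. The same line still reads "The GPO prinicpal", which should be "principal". The revision was saved with an empty change comment; a short note saying that it fixes a typo and corrects the delegate to ISI would make the page history easier to audit.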