ESciDoc Authorization Requirements
Revision as of 13:27, 3 September 2008 by Natasab
Authorization requirements for resources managed by eSciDoc
Glossary
To understand the basic set-up of the current authorization mechanism we need to understand the following terms:
* Role represents a set of actions that can be performed on some resource in accordance with defined conditions, e.g. update an item in a context if the item status is "pending".
* Grant object represents the role granted to a user for a specific resource. It is realized by creating a "grant object" and associating it with the user account, e.g. a reference to a Context in the case of an Administrator grant or a Metadata-Editor grant. Additionally, a grant stores information for the traceability of granting and revoking roles.
* Policy is an XACML policy. Each Role has one or more policies depending on the resource and actions. A policy is defined for a role, a resource and a set of resource attributes. A policy exclusively belongs to a single role.
* Resource - a resource on which an action is executed, e.g. Item, Container, Item.component etc.
* Action - an action that is triggered, e.g. create-item, update-item etc.
* Subject - the user that is performing a certain action.
* Attribute - a property or attribute of the resource that has a certain value. This value is included as a "condition" check when evaluating the right of the subject (i.e. user) to perform an action on a certain resource, e.g. status of the item, context of the item etc. These attributes are defined in the XACML policy definition.
* Policy Decision Point (PDP) - a software component that evaluates the policies and decides whether a request can be authorized.
* Policy Enforcement Point (PEP) - a software component that secures the access, builds authorization decision requests that are sent to the PDP, and enforces the authorization decision.
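The following is an added illustration of how the glossary terms fit together, written for this page and not part of eSciDoc itself: a toy PDP evaluates a user's grants (a role scoped to a Context) against role policies whose attribute condition mirrors the "update an item if its status is pending" example, and a PEP builds the decision request and enforces the answer. All user, context and resource names are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional

@dataclass(frozen=True)
class Grant:
    """A role granted to a user, optionally scoped to one resource (here a Context id)."""
    user: str
    role: str
    scope: Optional[str] = None

@dataclass(frozen=True)
class Policy:
    """Belongs to exactly one role: allowed actions on a resource type under a condition."""
    role: str
    resource: str
    actions: FrozenSet[str]
    condition: Callable[[Dict[str, str]], bool] = lambda attrs: True

@dataclass(frozen=True)
class DecisionRequest:
    subject: str
    action: str
    resource: str
    attributes: Dict[str, str]

class PDP:
    """Evaluates grants and policies; anything not explicitly permitted is denied."""
    def __init__(self, grants: List[Grant], policies: List[Policy]):
        self.grants, self.policies = grants, policies

    def evaluate(self, req: DecisionRequest) -> str:
        for grant in (g for g in self.grants if g.user == req.subject):
            # A grant scoped to a Context only applies to resources in that Context.
            if grant.scope is not None and req.attributes.get("context") != grant.scope:
                continue
            for pol in self.policies:
                if (pol.role == grant.role and pol.resource == req.resource
                        and req.action in pol.actions and pol.condition(req.attributes)):
                    return "Permit"
        return "Deny"

class PEP:
    """Builds the decision request, asks the PDP and enforces its decision."""
    def __init__(self, pdp: PDP):
        self.pdp = pdp

    def enforce(self, subject: str, action: str, resource: str, attrs: Dict[str, str]) -> str:
        decision = self.pdp.evaluate(DecisionRequest(subject, action, resource, attrs))
        if decision != "Permit":
            raise PermissionError(f"{subject} may not {action} on {resource}")
        return decision

# Constructed sample: a Metadata-Editor may update items only while they are pending.
POLICIES = [Policy("Metadata-Editor", "item", frozenset({"update-item"}),
                   lambda a: a.get("status") == "pending"),
            Policy("Administrator", "item", frozenset({"create-item", "update-item"}))]
GRANTS = [Grant("alice", "Metadata-Editor", scope="ctx-1")]  # hypothetical user and Context

def decide(subject: str, action: str, resource: str, attrs: Dict[str, str]) -> str:
    """Wrapper that returns "Permit" or "Deny" instead of raising."""
    try:
        return PEP(PDP(GRANTS, POLICIES)).enforce(subject, action, resource, attrs)
    except PermissionError:
        return "Deny"
```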
Resources to be authorized
- Content Resources
  - Item
  - Container
- Content sub-resources
  - Component
  - Metadata record
  - Stream (new)?
How are authorization rules defined
- As XACML policies
Where are authorization policies defined
- Context
- Container
- Component
For what are authorization rules defined
- At present: core-service handler methods
- Wished: for user-defined actions (e.g. accept, send-back for revision etc.)