

Subject: Re: [xacml] Modeling Delegation of Rights in a simplified XACML with Haskell


Polar Humenn wrote:

> On Wed, 3 Dec 2003, Frank Siebenlist wrote:
> 
> 
>>Use case 1:
>>
>>A user has a job running on his behalf on a server, and that job has to start a
>>separate ftp service that needs access to the user's files. The user has to give
>>the administrative rights to his job that will allow that job to assign the
>>access rights to the ftp service to access the file on the user's behalf.
>>Currently, we implement this with our proxy-certs in what essentially
>>constitutes to pure impersonation.
> 
> 
> User has a local FTP SERVICE to house his files. Access to his files is
> controlled by access policy. According to that policy, the request
> 
> User says "Access:File"
> 
>          will be granted as the user has access to his files.
> 
> No, according to your use case, we have Job and FTPClient. So, we have
> two other desirable requests:
> 
> Job says "Access:File"
> 
> and
> 
> FTPClient says "Access:File"
> 
> These requests would normally not be granted by the current access policy
> on the FTP SERVER.  However, due to the user's "job" set up, both these
> requests should be granted.
> 
> Is that a correct interpretation of your use case 1?

Yes.

Or in a more colloquial manner: the user has to delegate his file access rights 
to the Job, which in turn has to delegate these rights to the FtpClient, such 
that the latter can access the files at the FtpServer on the user's behalf...

-Frank.


-- 
Frank Siebenlist               franks@mcs.anl.gov
The Globus Alliance - Argonne National Laboratory
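
Added example, not part of the original message or of the XACML TC's work: a minimal Python model of use case 1, in which the three requests "User says Access:File", "Job says Access:File" and "FTPClient says Access:File" are decided by walking a chain of grants back to the policy owner. The names Grant, holds, decide, OWNER and the right "Delegate:Access:File" are assumptions made for this sketch, and the policies are constructed sample data.

```python
from dataclasses import dataclass

ACCESS = "Access:File"             # the action named in the thread
DELEGATE = "Delegate:Access:File"  # assumed name for the administrative right
OWNER = "FtpServer"                # assumed root of authority for the files

@dataclass(frozen=True)
class Grant:
    issuer: str   # principal making the statement
    subject: str  # principal receiving the right
    right: str    # ACCESS or DELEGATE

def holds(subject, right, grants, seen=frozenset()):
    """True if a chain of grants rooted at OWNER gives `subject` the `right`."""
    if (subject, right) in seen:   # a delegation cycle proves nothing
        return False
    seen = seen | {(subject, right)}
    # A grant counts only if its issuer is the owner or itself holds DELEGATE.
    return any(
        g.issuer == OWNER or holds(g.issuer, DELEGATE, grants, seen)
        for g in grants
        if g.subject == subject and g.right == right
    )

def decide(requester, grants):
    """Decision for the request '<requester> says Access:File'."""
    return "Permit" if holds(requester, ACCESS, grants) else "Deny"

# Constructed sample policy: the server's own policy covers only the user.
BASE = [Grant(OWNER, "User", ACCESS), Grant(OWNER, "User", DELEGATE)]

# The user's job set-up: User -> Job -> FtpClient.
DELEGATED = BASE + [
    Grant("User", "Job", ACCESS),
    Grant("User", "Job", DELEGATE),
    Grant("Job", "FtpClient", ACCESS),
]

if __name__ == "__main__":
    for name, policy in (("base", BASE), ("delegated", DELEGATED)):
        for who in ("User", "Job", "FtpClient"):
            print(name, who, decide(who, policy))
```

Unlike impersonation through a proxy certificate, each link here is an explicit statement, so removing the User's DELEGATE grant to the Job also invalidates the FtpClient's access.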


