shibboleth-dev - ARP evaluation
Subject: Shibboleth Developers
List archive
- From: "Scott Cantor" <>
- To: <>
- Subject: ARP evaluation
- Date: Mon, 18 Mar 2002 16:34:47 -0500
- Importance: Normal
- Organization: The Ohio State University
FWIW, does this make sense based on the CMU model being proposed?
Types of ARP's
a) AA Default
any SHAR, any target, any user
b) SHAR Default
SHAR "foo.edu", any target, any user
c) Resource Default
SHAR "foo.edu", target "http://foo.edu/admin/*";, any
user
d) Admin-set
SHAR "foo.edu", target "http://foo.edu/admin/*";, user
"smith"
e) User-set
SHAR "foo.edu", target "http://foo.edu/admin/*";, user
"smith"
The first four are set by admins, the last by a user. The evaluator
looks for any of the first four kinds of records, and picks the one
farthest to the bottom (the most specific kind). Then it looks for a
user-set policy.
The rules proposed then determine what the user can do (ie. only add to
the list of attribute/values that get released). I'm not suggesting to
complicate the decision making that goes into choosing among the first
four types.
To "add" a resource, an AA admin could do:
1) Nothing, in which case the default for either the AA or the SHAR that
ends up asking about the resource takes effect.
2) Add a policy for the resource that applies to everybody (type c).
3) Add a policy for the resource and one or more users (type d).
A user could always manually add a policy for the resource without the
admin doing anything, as long as the SHAR name and hostname match, which
is likely. Once the admin sets a policy as above, this might
short-circuit what the user did, but that's because these rules specify
admin rules take precedence.
I can see many ways to store that information off in a database and make
it efficient to query and update, and it seems to work fine with the
model proposed, so far anyway.
-- Scott
------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at
http://archives.internet2.edu/
------------------------------------------------------mace-shib-design--
- ARP evaluation, Scott Cantor, 03/18/2002
- ARP impl. proposal, Parviz Dousti, 03/19/2002
- RE: ARP impl. proposal, Scott Cantor, 03/22/2002
- ARP impl. proposal, Parviz Dousti, 03/19/2002
Archive powered by MHonArc 2.6.16.