User Requirements for Authorisation Infrastructures

Please enter your Authz user requirements here. Dont forget to leave your contact details so that we can follow up any questions or clarifications that we may have

Requirements for OGSA-RSS and OGSA-DMI

These two groups both need a standard mechanism for handling delegation since they both need to have some mechanism to access services on behalf of a user or users. In addition, any implementation of a Resource Selection Service requires a mechanism to discover whether it is reasonable to expect that a particular user-client might access a particular resource-service without having to first contact that resource-service (having to contact each potential service to discover whether the user can talk to it will definitely not scale); it is expected that there will be a separate round of negotiations with the resources to secure actual access, when final authorization is established, but being able to pre-filter all the resources where it is practical to determine ahead of time that negotiations will definitely fail is a clear benefit in efficiency terms. It would not surprise me at all if workflow systems had a similar requirement for delegation.

In terms of attributes, I worry about having attribute spaces where everyone defines their own set of attributes as this is extremely unlikely to foster interoperability. It would be better if there was some way of having at least some attributes that everyone can understand, even if these have to be supplemented by non-standard bits. This would also seem to indicate that it might be easier to think (at least conceptually) in terms of RDF for these attributes, since it might be possible to standardize the relations without having to standardize the subjects of the relations, so that there can be a standard concept of "is a member of an organization" instead of having loads of specialized "is a member of org X" assertions.

Donal Fellows, mailto:donal.k.fellows@manchester.ac.uk