| Title (goal) | Consistent authentication and authorization across federated repositories |
|---|---|
| Primary Actor | System Administrator |
| Scope | Organization black-box |
| Level | User-goal |
| Story | A System Administrator has to maintain a federation of repositories: one for streaming media, another repository for textual objects, and one for large-scale numerical data sets. Each repository runs on dedicated hardware systems with differing architectures. All repositories are utilized by the same group of researchers. Data objects of researchers are often stored in more than one of those repositories. The System Administrator needs to ensure consistent users, roles, and access rights across all repositories. Thus, she requires a single point of administration for user and access management for the distributed repository infrastructure. Any change at this single point of administration should (immediately/near real-time) be reflected in all repositories under her control. |
3 Comments
Scott Prater
A paper that might be of interest:
First Experiences Using XACML for Access Control in Distributed Systems
David Wilcox
As of 4.0-Alpha-4, authorization requests may contain additional information other than the username; for example, the request could include the security group the user belongs to. These groups could be managed on a central server, so moving a user from one group to another would change their access rights across all repositories in the network.
This implementation may address the use case, though other implementations are still possible.
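The following is an added example, not code from the Fedora project or from either commenter. It models the arrangement the Story asks for and that the comment above describes: one central group directory as the single point of administration, and several repositories that decide access from the group claims carried in each authorization request rather than from a local user list. All names (GroupDirectory, AuthzRequest, build_request, Repository, the three sample repositories and the users alice, bob and carol) are hypothetical, constructed for this illustration.

```python
"""Added example: central group management feeding authorization decisions
in a federation of repositories. Hypothetical model, not Fedora code."""
from __future__ import annotations

from dataclasses import dataclass, field


class GroupDirectory:
    """Central store of group membership: the single point of administration."""

    def __init__(self) -> None:
        self._members: dict[str, set[str]] = {}

    def add_member(self, group: str, user: str) -> None:
        self._members.setdefault(group, set()).add(user)

    def remove_member(self, group: str, user: str) -> None:
        self._members.get(group, set()).discard(user)

    def move_user(self, user: str, src: str, dst: str) -> None:
        """One administrative action; every repository sees it on its next request."""
        self.remove_member(src, user)
        self.add_member(dst, user)

    def groups_of(self, user: str) -> frozenset[str]:
        return frozenset(g for g, users in self._members.items() if user in users)


@dataclass(frozen=True)
class AuthzRequest:
    """Authorization request carrying group claims in addition to the username."""

    subject: str
    groups: frozenset[str]
    action: str
    resource: str


def build_request(directory: GroupDirectory, user: str, action: str, resource: str) -> AuthzRequest:
    # Groups are resolved from the directory at request time, not cached on the
    # client, so a change at the central point is reflected immediately.
    return AuthzRequest(user, directory.groups_of(user), action, resource)


@dataclass
class Repository:
    """A repository with its own group-to-permission policy but no user list."""

    name: str
    policy: dict[str, set[str]] = field(default_factory=dict)  # group -> allowed actions

    def authorize(self, req: AuthzRequest) -> bool:
        # Deny by default; permit only when a claimed group grants the action.
        return any(req.action in self.policy.get(group, set()) for group in req.groups)


def federation() -> tuple[GroupDirectory, list[Repository]]:
    """Constructed sample federation: one directory, three repositories."""
    directory = GroupDirectory()
    directory.add_member("researchers", "alice")
    directory.add_member("researchers", "bob")
    directory.add_member("curators", "carol")
    # Each repository carries the same group policy; only the directory knows users.
    group_policy = {"researchers": {"read"}, "curators": {"read", "write"}}
    repos = [
        Repository("media", dict(group_policy)),
        Repository("text", dict(group_policy)),
        Repository("numeric", dict(group_policy)),
    ]
    return directory, repos


def access_matrix(directory: GroupDirectory, repos: list[Repository], user: str, action: str) -> dict[str, bool]:
    """Decision of every repository in the federation for one user/action pair."""
    return {
        r.name: r.authorize(build_request(directory, user, action, f"{r.name}:object-1"))
        for r in repos
    }


if __name__ == "__main__":
    directory, repos = federation()
    print(access_matrix(directory, repos, "alice", "write"))  # denied everywhere
    # Single administrative change: alice becomes a curator.
    directory.move_user("alice", "researchers", "curators")
    print(access_matrix(directory, repos, "alice", "write"))  # permitted everywhere
```

The point the model makes visible is that no repository is touched when alice changes group: each repository keeps only a mapping from groups to permissions, and the username alone grants nothing, so an unknown user is denied by every repository. Propagation is as fresh as the group lookup in build_request; if a deployment caches group claims (for example in a long-lived token), that cache lifetime becomes the "near real-time" bound the Story asks about.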
David Wilcox
Matthias Razum, can you review my comments above in the context of this use case?