3.4. Access Control
Overview
The GRIA OGSA-DAI service uses PBAC (Process Based Access Control) to protect calls to its methods. The three important points of access control are:
- Access to the connectDataResource method (and the legacy connectDatabase method).
- Access to the createDataResource method (and the legacy createDatabase method).
- Permission to subscribe to individual database roles.
The first two points can be controlled under the "Permissions" heading on the web-based administration tool. Access to individual database roles can be set up either by clicking the "Permissions" link in the "Databases" section of the web interface, or by using the graphical GRIA client.
Controlling who can connect and create databases
In order to be able to call the connectDataResource / connectDatabase or createDataResource / createDatabase methods on the web service, a user must match the connect-dataresource or create-dataresource PBAC role respectively. A user matches a PBAC role if they match at least one Sufficient rule and no Deny rules. Rules are added and removed using the web-based administration interface, under the "Permissions" heading.
Figure 1: Existing databases can only be connected by a user with the certificate pineau.it-innovation.soton.ac.uk. Nobody can create new databases.
Figure 2: All users can create new databases. Nobody can connect existing databases.
Note that users of the web-based administration interface can perform both these operations regardless of PBAC rules. So in the situation depicted by Figure 2 above, only the service provider can connect existing databases.
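To make the matching rule concrete, here is an added Python model (not GRIA's own code) that evaluates a connect-dataresource / create-dataresource decision and reproduces the Figure 1 and Figure 2 configurations. The Rule/Acl representation, the matcher predicates and the revoked.example.org certificate are assumptions; the third list goes beyond the page's figures to show that a Deny rule overrides a Sufficient one.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed model of a PBAC access control list. The two rule kinds
# (Sufficient, Deny) and the role names come from the page; the rule
# representation and the matcher predicates are assumptions for illustration.
Matcher = Callable[[str], bool]  # predicate over the caller's certificate subject

@dataclass
class Rule:
    kind: str        # "Sufficient" or "Deny"
    matches: Matcher

@dataclass
class Acl:
    rules: List[Rule] = field(default_factory=list)

    def permits(self, subject: str) -> bool:
        """Match the role if at least one Sufficient rule matches and no Deny
        rule matches. An empty list therefore denies everyone (default deny)."""
        if any(r.kind == "Deny" and r.matches(subject) for r in self.rules):
            return False
        return any(r.kind == "Sufficient" and r.matches(subject) for r in self.rules)

def everyone(kind: str = "Sufficient") -> Rule:
    return Rule(kind, lambda _subject: True)

def certificate(dn: str, kind: str = "Sufficient") -> Rule:
    return Rule(kind, lambda subject: subject == dn)

def authorise(acls: Dict[str, Acl], pbac_role: str, subject: str,
              via_admin_interface: bool = False) -> bool:
    """Decide a connect/create call. The web-based administration interface
    bypasses PBAC, so that path is modelled as an explicit flag."""
    if via_admin_interface:
        return True
    return acls.get(pbac_role, Acl()).permits(subject)

PINEAU = "pineau.it-innovation.soton.ac.uk"
# Figure 1: only the pineau certificate can connect; nobody can create.
FIGURE_1 = {"connect-dataresource": Acl([certificate(PINEAU)]),
            "create-dataresource": Acl()}
# Figure 2: everyone can create; nobody can connect.
FIGURE_2 = {"connect-dataresource": Acl(),
            "create-dataresource": Acl([everyone()])}
# Constructed extension: everyone may connect except one denied certificate,
# showing that a matching Deny rule overrides a matching Sufficient rule.
DENY_WINS = {"connect-dataresource": Acl([everyone(),
             certificate("revoked.example.org", kind="Deny")])}
```

A role with no access control list at all behaves like an empty one: the call is refused unless it comes through the administration interface.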
Controlling who can subscribe to database roles
By default, when a database role is created only the owner can see and subscribe to it. To allow others to subscribe to a database role, the owner can use either the web-based administration interface (if they are the service provider) or the graphical GRIA client.
Using the web-based interface
Click the "Permissions" button beside the role you wish to modify.
Figure 3: The permissions button beside a database role
This will open the PBAC administration page for that resource in a new window.
Figure 4: The PBAC administration page for a role resource
Rules can now be added to the access control list for the resource. Users are able to see and subscribe to a database role if they match the client role on the access control list. In the example in Figure 4 above, we have added a rule such that everyone can see and subscribe to this database role.
Using the graphical GRIA client
Left click the role you wish to modify and select "Load Access Control Rules".
Figure 5: Opening the access control list for a role resource
This will open a window displaying the current rules on the resource.
Figure 6: Adding a new rule to a resource
Rules can now be added to the access control list for the resource. Users are able to see and subscribe to a database role if they match the client role on the access control list. In the example in Figure 6 above, we are about to add a rule such that everyone can see and subscribe to this database role.
