Identity, Authentication, and Authorization Requirements
========================================================

.. list-table::
   :header-rows: 1

   * - Category
     - Requirement ID
   * - API
     - * 765: Tools can access an API for authn and authz
       * 820: Common API for authentication and authorization operations
   * - Authentication
     - * 392: Identity and access control should be interoperable across datanets
       * 764: Authentication and access control should be consistently available
       * 765: Tools can access an API for authn and authz
       * 820: Common API for authentication and authorization operations
   * - Authorization
     - * 393: Access control rule evaluation must be highly scalable and responsive.
       * 761: Users can specify authorization rules for data objects, science metadata objects, and process artifacts separately
       * 764: Authentication and access control should be consistently available
       * 765: Tools can access an API for authn and authz
       * 766: Users should be able to easily assign proxy privileges to other users and to systems acting on their behalf for limited time durations
       * 767: Users need to be able to express embargo rules for data
       * 768: Need default authz policies that resolve problems associated with inaccessible principals
       * 769: Authorization should support critical roles, such as curators and system administrators
       * 770: Authorization system should be able to express the pseudo-principal concepts like 'public'
       * 772: Authentication services should be compatible with existing infrastructure and applications
       * 777: Authorization rules should support common permission levels
       * 795: System must support revocation of user permissions
       * 820: Common API for authentication and authorization operations
       * xxx: Group identifiers are equivalent to user identifiers in all ACL mechanisms
       * xxx: Local sites/data owners have the ability to generate, populate, and modify groups
       * xxx: Group information can be replicated so that all MNs can see it and use it to enforce ACLs
       * xxx: Need clear use cases for administering groups
       * xxx: Need clear business logic for replicating access control lists
       * xxx: Can access rules for Data Packages cross operational bounds like MNs
       * xxx: System should support (and require?) transport-layer security
       * xxx: Need ability/clear policies to transfer ownership of abandoned objects
       * xxx: Support ability to use encryption to ensure restricted access from untrusted MNs
       * xxx: Can people with 'SetPermission' revoke access from original owners? Also, does revoking the SetPermission privilege also revoke the privileges for their grantees?
       * xxx: Need to establish the default set of permissions in absence of additional roles
       * xxx: Need to ensure that deleted accounts cannot be replaced by new users (i.e., identities are globally unique over time)
       * xxx: Curator at institutional level has the ability to create accounts for their group
       * xxx: Sites have the ability to create groups
       * xxx: Sensitive data that is encrypted is generally not replicated, except possibly to avoid risks of leaks of that information (confused)
       * xxx: Need process for data consumer to request authorization for an object
       * xxx: Need process for data owner to receive and evaluate the requests
       * xxx: Need ability to create an index of users so that clients can use that list to assign access control rules, and ability to look up the Identity for particular users
       * xxx: Should be able to assert write without read (controversial)
       * xxx: Users should be able to revoke their own access to an object
       * xxx: Allow users to create organic, self-created groups (e.g., for a lab or team)
       * xxx: Should have a user profile page to review/revise a user's own identity, group, and other Identity information
       * xxx: Nodes need to be able to assert a minimum LOA regarding who has write access
       * xxx: May have need for 'Deny' permissions on access for convenience (but probably lower priority)
       * xxx: People can modify access control rules
       * xxx: Should be able to deposit content with embargo, but should be able to grant anonymous access tokens for access to the data without the owner knowing who it was that had access (use case for anonymous peer review in Dryad)
       * xxx: Need ability to query what I have access to
       * xxx: Co-ownership model for permissions is needed for handling co-authorship
       * xxx: Should groups be able to own objects?
       * xxx: Need to restrict visibility of objects for which users don't have access in all services (e.g., search, listObjects, etc.)
       * xxx: Member nodes should be able to restrict data access by individuals on Dept. of Commerce embargo lists at high LOAs; possibly determine that we won't support this, but rather state that these types of objects must not be uploaded
       * xxx: Anonymous access will be allowed for publicly accessible objects
       * xxx: Can groups contain groups, and at what nesting depth? Yes, one level.
       * xxx: ID and access control should be easy to use and not present barriers to adoption and user
       * xxx: ID and access control should work in all geopolitical jurisdictions
       * xxx: ID and access control should comply with universal design standards
   * - Identity
     - * 392: Identity and access control should be interoperable across datanets
   * - IdentityProvision
     - * 390: Consistent mechanism for identifying users
       * 391: Enable different classes of users commensurate with their roles.
       * 762: User identities can be derived from existing institutional directory services
       * 771: User identities should have simple string serializations that express both the user identity and namespace from which it is drawn
   * - Interoperability
     - * 392: Identity and access control should be interoperable across datanets
       * 765: Tools can access an API for authn and authz
       * 820: Common API for authentication and authorization operations
   * - Performance
     - * 393: Access control rule evaluation must be highly scalable and responsive.
       * 763: Authentication and authorization services are geographically replicated
       * 764: Authentication and access control should be consistently available


390: Consistent mechanism for identifying users
------------------------------------------------

:ID: 390

It is necessary to provide a mechanism for users to be identified in the DataONE system. There are several distinct roles that need to be supported for users.

Rationale: Identity of users, contributors and other participants in DataONE is necessary to ensure appropriate policies for data sharing (read, write), attribution, and notification (e.g. subscription to types of data).

Fit Criteria
  * Users can identify themselves in the DataONE system
  * Identity is consistent across all nodes (i.e. the identity associated with an object is consistent regardless of where the object is retrieved from or acted on)
  * Users can associate various accounts with a single identity
  * Identity information is sufficient to ensure appropriate attribution to content
  * Authentication and authorization mechanisms are recognized consistently by all participant nodes and services of the cicore.
  * Existing user directories in use in the environmental science community can directly contribute identities (not "yet another" identity system)


391: Enable different classes of users commensurate with their roles.
----------------------------------------------------------------------

:ID: 391

There are several types of users that will be interacting with the DataONE infrastructure; as such it is necessary to ensure that user roles can be supported by the identity management infrastructure. Closely related to

Rationale: Different user classes or groups provide an effective mechanism for indicating the types of interaction that might be supported by the system. The alternative is to specifically assign privileges for each user, an approach that is inefficient and potentially insecure, as it is easy to miss an individual when setting privileges for a large number of users.

Fit Criteria
  * A well-defined set of standard groups is identified and can be easily managed (e.g. administrators, data contributors, data readers)
  * Users can be assigned to and removed from groups
  * Additional groups can be created to support group functions as necessary
  * Users can create their own groups for ad-hoc collaboration when needed and without approval of system administrators
  * Access control rules can be associated with groups and operate as expected.


392: Identity and access control should be interoperable across datanets
-------------------------------------------------------------------------

:ID: 392

There is a general requirement / suggestion by NSF that there should be interoperability between the various DataNet projects.

Rationale: Identity and access control is a good place where considerable value can be demonstrated to the user community if credentials and access control rules worked across the DataNet projects.

Fit Criteria
  * Users can sign into DataONE and DC with the same credentials
  * Once signed in to DataONE, access to DC services is seamless (no additional authentication required)


393: Access control rule evaluation must be highly scalable and responsive.
----------------------------------------------------------------------------

:ID: 393

Access control for objects is evaluated for every object access in the DataONE infrastructure. As such, the mechanisms used to determine the rights of a particular token (i.e. a handle to an authenticated principal) must be very efficient and should not offer a barrier to the desired levels of access control in the system.

Rationale: Access control should not be an impediment to effective use of the content available through DataONE.

Fit Criteria
  * Access control rules can be evaluated for any token in an average of xxx milliseconds
  * Access control rules must not take longer than xxx milliseconds to evaluate
  * Access control must not block critical operations (e.g. replication, synchronization)


761: Users can specify authorization rules for data objects, science metadata objects, and process artifacts separately
------------------------------------------------------------------------------------------------------------------------

:ID: 761

Users might be able to upload data and science metadata as an atomic operation, but each should be identified separately and access control rules should apply to the objects separately. For example, a user could grant public read access to a metadata object but only grant read access to certain colleagues for the associated data objects.

Rationale: Enabling access control at the same level of granularity as objects in the system ensures that complete control over object conglomerations (packages, etc.) is available.

Fit Criteria
  * All objects in the system have access control rules
  * Separate rules can be associated with the elements of a package during operations at the package level (e.g.


762: User identities can be derived from existing institutional directory services
-----------------------------------------------------------------------------------

:ID: 762

Many existing directory services are in use in the environmental sciences, and participating member nodes should be able to expose their directories through a standardized mechanism to allow users to make use of existing identities. For example, the KNB LDAP server is a federation of multiple LDAP systems from around the world, and these identities have been used in access rules for many existing objects.

Rationale: Re-use of existing infrastructure reduces the cost of participation and minimizes confusion over which accounts to use and which rules are associated with which account.

Fit Criteria
  * The system provides a mechanism for existing directory services to join
  * The system provides a namespacing mechanism to differentiate users with the same id in different original directories (e.g.,
  * The same email address can be associated with multiple identities
  * The same person or system can possess multiple identities
  * If a user has multiple identities, the user can express equivalence rules that indicate that they are linked, equivalent identities for the purposes of authentication and authorization


763: Authentication and authorization services are geographically replicated
-----------------------------------------------------------------------------

:ID: 763

Authentication and authorization are critical services that cannot afford geographic delays, especially across continents, if they are to allow adequate responsiveness. Users and developers of services should not have to know which authentication service is used (i.e. a load balancing and failover solution from a centralized address (probably the coordinating node address) should be able to reach any of the replicated services). Replicas should be located at multiple trusted sites (probably coordinating nodes) that are geographically distributed (including across continents).

Fit Criteria
  * Authentication operations should take less than xxx milliseconds from any point in the network
  * Replicas of authentication and authorization services are geographically distributed
  * Failover across replicated services is automatic, without client-side intervention


764: Authentication and access control should be consistently available
------------------------------------------------------------------------

:ID: 764

Authentication and authorization are a critical infrastructure bottleneck, and should be consistently available, likely through load balancing and failover solutions.

Fit Criteria
  * Authn and Authz should be available xx.xxxxx% of the time (to be determined)


765: Tools can access an API for authn and authz
-------------------------------------------------

:ID: 765

A standardized API allows us to build interoperable tools, and to adapt existing tools to interoperate with the DataNets. All infrastructure components should be able to use these services, including CNs, MNs, and client tools and libraries.

Fit Criteria
  * Demonstrated interoperability of the API across 3 client and member node systems


766: Users should be able to easily assign proxy privileges to other users and to systems acting on their behalf for limited time durations
--------------------------------------------------------------------------------------------------------------------------------------------

:ID: 766

When users need to execute processes asynchronously, they need to be able to grant proxy privileges (e.g., to a workflow or grid system) to operate on their behalf in particular contexts. In addition, at times some users want others to be able to run and access data and operate on their behalf, such as in a faculty-student situation where the student acts as a proxy for the faculty member.

Fit Criteria


767: Users need to be able to express embargo rules for data
-------------------------------------------------------------

:ID: 767

Embargo rules allow data to be published in the system, but not released until a particular date. By operating this way, users can use the system in the daily management of their data without worry of losing track of publishing the data at a later date. It encourages people to start using the system long before they want to publicly release the data.

Fit Criteria


768: Need default authz policies that resolve problems associated with inaccessible principals
-----------------------------------------------------------------------------------------------

:ID: 768

When principals die, retire, change careers, or lose interest in a research area, they may leave in the system data objects that would otherwise be useful to science but have restricted access. The authorization system should have carefully crafted default policies that encourage the public release and sharing of data, the expiration of embargo periods, and the movement of data into the public domain when it is legal and ethical to do so. Principals should be able to override these defaults to create more restrictive policies (e.g., for human subjects data) that will be respected indefinitely, but the defaults should encourage openness and sharing.

Fit Criteria
  * Defaults encourage openness and sharing, without alienating principals through unexpected release of their data, etc.


769: Authorization should support critical roles, such as curators and system administrators
---------------------------------------------------------------------------------------------

:ID: 769

While the principals contributing data should be able to specify access, they frequently struggle with the software systems intended to do so, and at times make mistakes. The system should support certain roles with elevated privileges over groups of objects to allow, e.g., a system administrator or data curator to change objects for which they are not otherwise granted access. For example, all objects that are associated with a particular field station might be managed by the information manager at that field station, and the person filling that role may change over time. Individual principals should be able to determine who has access to objects, both through explicit grants of access and through indirect roles that may be only implicitly defined.

Fit Criteria
  * It is possible for access by some roles to be assigned implicitly through certain membership criteria (e.g., a data object is part of an LTER site)


770: Authorization system should be able to express the pseudo-principal concepts like 'public'
------------------------------------------------------------------------------------------------

:ID: 770

There should be well-known mechanisms in the authorization system to allow access rules that explicitly grant access to pseudo-principals, including:

* public: anonymous, non-authenticated users
* valid-user: authenticated user
* registered-user: authenticated user with explicit minimal contact information
* verified-user: authenticated user with explicit minimal contact information that has been verified as belonging to a real account holder

Fit Criteria


771: User identities should have simple string serializations that express both the user identity and namespace from which it is drawn
----------------------------------------------------------------------------------------------------------------------------------------

:ID: 771

When user identities can be drawn from multiple providers, we need to be able to serialize both the id and the provider namespace, for example by encapsulating both in a single distinguished name (DN). Ideally this serialization would be relatively short, persistent, and human understandable, and it should not contain spaces or other characters that make it difficult to use in a variety of contexts (such as command line applications).

An example DN that has worked for the KNB network is::

  uid=jones,o=NCEAS,dc=ecoinformatics,dc=org

Fit Criteria


772: Authentication services should be compatible with existing infrastructure and applications
------------------------------------------------------------------------------------------------

:ID: 772

Many applications will need to be adapted to work with the authentication and authorization services provided. Ideally, the services chosen will be compatible with existing systems and support those systems through standard protocols. Applications will commonly need to connect to, for example, web applications using HTTP Basic Authentication for Apache and JAAS for servlet containers like Tomcat. In addition, some applications may want to connect via PAM and similar security mechanisms. Some identity services, such as LDAP, are commonly supported in these scenarios.

Fit Criteria
  * Software in common use at Member Nodes and as clients should be able to easily utilize the authentication and authorization services with minimal configuration


777: Authorization rules should support common permission levels
-----------------------------------------------------------------

:ID: 777

Several types of access directives are in common use in data packages in the environmental sciences, and the authorization system should support these.
The most common authorization levels would include:rÆ …rÇ }rÈ (hNh@j0hB}rË (hD]hE]hF]hG]hI]uhKNhLhh7]rÌ j3)rÍ }rÎ (hh?h@hhB}rØ (hD]hE]hF]hG]hI]uhKMsh7]rÙ hUX2read: the ability to display or download an objectrÚ …rÛ }rÜ (hh?h@hhB}rä (hD]hE]hF]hG]hI]uhKMuh7]rå hUXÁwrite: the ability to change the content of an object through an update operation (which does not mean it actually changes the object -- it may just create a new version that obsoletes the old)ræ …rç }rè (hh?h@hhB}rð (hD]hE]hF]hG]hI]uhKMwh7]rñ hUXJchangePermission: the ability to change access control rules on the objectrò …ró }rô (hh?h@hhB}rø (hD]hE]hF]hG]hI]uhKMyhLhh7]rù hUX¢Often, the permission levels are nested, in that higher privilege levels encompass the lower levels as well (e.g., write access to an object implies read access).rú …rû }rü (hh?h@hhB}r (hD]hE]hF]hG]hI]uhKM{hLhh7]r hUXaSee the EML access control module for a detailed explanation of these levels (eml-access module).r …r }r (hh?h@hhB}r (hD]hE]hF]hG]hI]uhKM}hLhh7]r hUXVIn addition to specifying levels of permissions on the individual data objects, the authorization system should allow node administrators to specify what services principals can utilize on their nodes, and any resource constraints that may apply. 
For example, a Member Node operator may want to specify for their node several rules, such as:r …r }r (hNh@j0hB}r (hD]hE]hF]hG]hI]uhKNhLhh7]r j3)r }r (hh?h@hhB}r (hD]hE]hF]hG]hI]uhKMh7]r hUX0user joe can insert or update objects on node 32r …r }r (hh?h@hhB}r( (hD]hE]hF]hG]hI]uhKMh7]r) hUX+user jack can not update objects on node 21r* …r+ }r, (hh?h@hhB}r4 (hD]hE]hF]hG]hI]uhKMƒh7]r5 hUXcuser joe has an aggregate storage limit of 1TB (may want to consider soft and hard resource limits)r6 …r7 }r8 (h (hh?h@hhB}r@ (hD]hE]hF]hG]hI]uhKM…h7]rA hUX9user joe has a network bandwidth transfer limit of 10mb/srB …rC }rD (hh?h@hhB}rH (hD]hE]hF]hG]hI]uhKM‡hLhh7]rI hUXàNote that these types of node-level resource limitations may not be implemented currently on most member nodes, but the authorization system should be expressive enough to allow node operators to build in these restrictions.rJ …rK }rL (hh?h@hAhB}rO (hD]hE]hF]hG]rP h$ahI]rQ hauhKM‹hLhh7]rR (hN)rS }rT (hh?h@hRhB}rV (hD]hE]hF]hG]hI]uhKM‹hLhh7]rW hUX7795: System must support revocation of user permissionsrX …rY }rZ (hh?h@jöhB}r] (hD]hE]hF]hG]hI]uhKMhLhh7]r^ jù)r_ }r` (hh?h@jühB}ra (hD]hE]hF]hG]hI]uhKMhLhh7]rb (jÿ)rc }rd (hh?h@jhB}rf (hD]hE]hF]hG]hI]uhKKh7]rg hUXIDrh …ri }rj (hh?h@hhB}rr (hD]hE]hF]hG]hI]uhKMh7]rs j)rt }ru (hh?h@hhB}r~ (hD]hE]hF]hG]hI]uhKMhLhh7]r hUXœThe system should be able to revoke any user's permissions and, ultimately, their direct access to the system, if the user is misbehaving within the system.r€ …r }r‚ (hh?h@hhB}r† (hD]hE]hF]hG]hI]uhKM‘hLhh7]r‡ hUXMAlthough it is unclear as to who assigns permissions, I believe that the final responsibility and authority for access control is the DataONE administrator. 
As such, permissions and simple access to any part of the DataONE infrastructure, and perhaps member node infrastructure that is accessed through DataONE, should be revokable.rˆ …r‰ }rŠ (hh?h@hhB}rŽ (hD]hE]hF]hG]hI]uhKM“hLhh7]r hUX Fit Criteriar …r‘ }r’ (hh?h@jƒhB}r• (j7X*hG]hF]hD]hE]hI]uhKM•hLhh7]r– (j9)r— }r˜ (hAdministrator can change permissions for a user for any objectr™ h=j“ h>h?h@jFhB}rš (hD]hE]hF]hG]hI]uhKNhLhh7]r› h{)rœ }r (hh?h@hhB}rž (hD]hE]hF]hG]hI]uhKM•h7]rŸ hUX>Administrator can change permissions for a user for any objectr  …r¡ }r¢ (hh?h@jFhB}r¦ (hD]hE]hF]hG]hI]uhKNhLhh7]r§ h{)r¨ }r© (hh?h@hhB}rª (hD]hE]hF]hG]hI]uhKM–h7]r« hUXGPermission changes are propagated through the system within XXX secondsr¬ …r­ }r® (hh?h@jFhB}r± (hD]hE]hF]hG]hI]uhKNhLhh7]r² h{)r³ }r´ (hh?h@hhB}r¶ (hD]hE]hF]hG]hI]uhKM—h7]r· hUXPRead, write access rules can be altered for a user for all content in the systemr¸ …r¹ }rº (hh?h@hAhB}r½ (hD]hE]hF]hG]r¾ h+ahI]r¿ hauhKMšhLhh7]rÀ (hN)rÁ }r (hh?h@hRhB}rÄ (hD]hE]hF]hG]hI]uhKMšhLhh7]rÅ hUX?820: Common API for authentication and authorization operationsrÆ …rÇ }rÈ (hh?h@jöhB}rË (hD]hE]hF]hG]hI]uhKMœhLhh7]rÌ jù)rÍ }rÎ (hh?h@jühB}rÏ (hD]hE]hF]hG]hI]uhKMœhLhh7]rÐ (jÿ)rÑ }rÒ (hh?h@jhB}rÔ (hD]hE]hF]hG]hI]uhKKh7]rÕ hUXIDrÖ …r× }rØ (hh?h@hhB}rà (hD]hE]hF]hG]hI]uhKMœh7]rá j)râ }rã (hh?h@hhB}rì (hD]hE]hF]hG]hI]uhKMžhLhh7]rí hUX¬There should be a common API utilized by the major software components of the infrastructure for DataONE (for all DataNet?) 
for authentication and authorization operations.rî …rï }rð (hh?h@hhB}rô (hD]hE]hF]hG]hI]uhKM hLhh7]rõ hUX Rationalerö …r÷ }rø (hh?h@hhB}rü (hD]hE]hF]hG]hI]uhKM¢hLhh7]rý hUX‹A common API will help minimize inconsistencies that arise from functional and semantic mis-match when interacting across multiple systems.rþ …rÿ }r (hh?h@hhB}r (hD]hE]hF]hG]hI]uhKM¤hLhh7]r hUX Fit Criteriar …r }r (hNh@j0hB}r (hD]hE]hF]hG]hI]uhKNhLhh7]r j3)r }r (hh?h@hhB}r (hD]hE]hF]hG]hI]uhKM¦h7]r hUX@CN, MN, and ITK libraries share a common API for authn and authzr …r }r (hDiffering component implementations pass integration testing hB}r (hD]hE]hF]hG]hI]uh=j h7]r h{)r! }r" (hh?h@hhB}r$ (hD]hE]hF]hG]hI]uhKM§h7]r% hUX<Differing component implementations pass integration testingr& …r' }r( (h Uindirect_targetsr? ]r@ UsettingsrA (cdocutils.frontend Values rB orC }rD (Ufootnote_backlinksrE KUrecord_dependenciesrF NU rfc_base_urlrG Uhttps://tools.ietf.org/html/rH U tracebackrI ˆUpep_referencesrJ NUstrip_commentsrK NU toc_backlinksrL h…U language_coderM UenrN U datestamprO NU report_levelrP KU _destinationrQ NU halt_levelrR KU strip_classesrS NhRNUerror_encoding_error_handlerrT UbackslashreplacerU UdebugrV NUembed_stylesheetrW ‰Uoutput_encoding_error_handlerrX UstrictrY U sectnum_xformrZ KUdump_transformsr[ NU docinfo_xformr\ KUwarning_streamr] NUpep_file_url_templater^ Upep-%04dr_ Uexit_status_levelr` KUconfigra NUstrict_visitorrb NUcloak_email_addressesrc ˆUtrim_footnote_reference_spacerd ‰Uenvre NUdump_pseudo_xmlrf NUexpose_internalsrg NUsectsubtitle_xformrh ‰U source_linkri NUrfc_referencesrj NUoutput_encodingrk Uutf-8rl U source_urlrm NUinput_encodingrn U utf-8-sigro U_disable_configrp NU id_prefixrq UU tab_widthrr KUerror_encodingrs UUTF-8rt U_sourceru h?Ugettext_compactrv ˆU generatorrw NUdump_internalsrx NU smart_quotesry ‰U pep_base_urlrz U https://www.python.org/dev/peps/r{ Usyntax_highlightr| Ulongr} Uinput_encoding_error_handlerr~ jY Uauto_id_prefixr Uidr€ Udoctitle_xformr 
‰Ustrip_elements_with_classesr‚ NU _config_filesrƒ ]Ufile_insertion_enabledr„ ˆU raw_enabledr… KU dump_settingsr† NubUsymbol_footnote_startr‡ KUidsrˆ }r‰ (h'h:h.jbh+j» h6jÖ h5jih)jh,j»h(jh%j9 h3jþh-j h&jU h4jvh$jM h2j„h/j„h*j“ h0j±h1jåh#jÿuUsubstitution_namesrŠ }r‹ h@hLhB}rŒ (hD]hG]hF]Usourceh?hE]hI]uU footnotesr ]rŽ Urefidsr }r ub.
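The following is an added illustration of how requirements 769 (implicit roles and administrators), 770 (pseudo-principals), 771 (DN serialization), 777 (nested permission levels) and 795 (revocation) fit together in a single access decision. It is example code written for this page, not DataONE's own API or implementation: the class names, the ``manager:<site>`` role string, the ``dc=example`` DNs and the sample objects are all constructed for the demonstration; only the KNB DN comes from the text above.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, FrozenSet, Optional, Set, Tuple


class Permission(IntEnum):
    """Nested levels (777): holding a higher level implies the lower ones."""
    READ = 1               # display or download an object
    WRITE = 2              # update (may just create a new version obsoleting the old)
    CHANGE_PERMISSION = 3  # alter the access-control rules on the object


def parse_dn(dn: str) -> Tuple[str, str]:
    """Split a DN like uid=jones,o=NCEAS,dc=ecoinformatics,dc=org (771) into
    (uid, namespace).  Spaces and empty components are rejected because the
    serialization is meant to be usable verbatim on a command line."""
    rdns = []
    for part in dn.split(","):
        if "=" not in part or " " in part:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        key, value = part.split("=", 1)
        if not key or not value:
            raise ValueError(f"empty key or value in {part!r}")
        rdns.append((key, value))
    if rdns[0][0] != "uid":
        raise ValueError("DN must start with a uid= component")
    return rdns[0][1], ",".join(f"{k}={v}" for k, v in rdns[1:])


@dataclass(frozen=True)
class Principal:
    dn: Optional[str] = None              # None means anonymous (not authenticated)
    has_contact_info: bool = False
    contact_verified: bool = False
    roles: FrozenSet[str] = frozenset()   # e.g. "manager:<site>" (constructed role name)

    def pseudo_principals(self) -> Set[str]:
        """Pseudo-principals (770) this caller matches; each implies the previous."""
        groups = {"public"}
        if self.dn is not None:
            groups.add("valid-user")
            if self.has_contact_info:
                groups.add("registered-user")
                if self.contact_verified:
                    groups.add("verified-user")
        return groups


@dataclass
class DataObject:
    pid: str
    rules: Dict[str, Permission]   # subject (DN or pseudo-principal) -> level granted
    site: Optional[str] = None     # field station the object belongs to (769)


@dataclass
class Policy:
    revoked: Set[str] = field(default_factory=set)          # 795: DNs with access revoked
    administrators: Set[str] = field(default_factory=set)   # 769: system administrators


def granted_level(obj: DataObject, who: Principal, policy: Policy) -> Optional[Permission]:
    """Highest level the caller holds on obj, or None when no rule applies."""
    if who.dn is not None and who.dn in policy.revoked:
        return None                                  # revocation overrides every grant
    if who.dn is not None and who.dn in policy.administrators:
        return Permission.CHANGE_PERMISSION          # explicit elevated role
    subjects = who.pseudo_principals()
    if who.dn is not None:
        subjects.add(who.dn)
    levels = [lvl for subj, lvl in obj.rules.items() if subj in subjects]
    if obj.site is not None and f"manager:{obj.site}" in who.roles:
        levels.append(Permission.CHANGE_PERMISSION)  # implicit role via site membership
    return max(levels) if levels else None


def is_allowed(obj: DataObject, who: Principal, policy: Policy, needed: Permission) -> bool:
    level = granted_level(obj, who, policy)
    return level is not None and level >= needed


def demo() -> Dict[str, bool]:
    """Constructed sample principals and objects; returns each access decision."""
    jones_dn = "uid=jones,o=NCEAS,dc=ecoinformatics,dc=org"            # KNB example DN
    jones = Principal(jones_dn, has_contact_info=True, contact_verified=True)
    anon = Principal()
    mallory = Principal("uid=mallory,o=EXAMPLE,dc=example,dc=org")     # constructed
    manager = Principal("uid=im,o=EXAMPLE,dc=example,dc=org",
                        roles=frozenset({"manager:SITE-A"}))            # constructed
    admin = Principal("uid=admin,o=EXAMPLE,dc=example,dc=org")         # constructed
    dataset = DataObject("doi:10.example/dataset", site="SITE-A",      # constructed
                         rules={"public": Permission.READ,
                                jones_dn: Permission.WRITE,
                                mallory.dn: Permission.WRITE})
    embargoed = DataObject("doi:10.example/embargoed",                 # constructed
                           rules={"verified-user": Permission.READ})
    policy = Policy(revoked={mallory.dn}, administrators={admin.dn})
    P = Permission
    return {
        "anon reads public dataset": is_allowed(dataset, anon, policy, P.READ),
        "anon writes dataset": is_allowed(dataset, anon, policy, P.WRITE),
        "anon reads embargoed": is_allowed(embargoed, anon, policy, P.READ),
        "jones reads embargoed as verified-user": is_allowed(embargoed, jones, policy, P.READ),
        "jones reads dataset via nested write": is_allowed(dataset, jones, policy, P.READ),
        "jones changes permissions": is_allowed(dataset, jones, policy, P.CHANGE_PERMISSION),
        "site manager changes permissions": is_allowed(dataset, manager, policy, P.CHANGE_PERMISSION),
        "revoked mallory reads dataset": is_allowed(dataset, mallory, policy, P.READ),
        "admin changes permissions on embargoed": is_allowed(embargoed, admin, policy, P.CHANGE_PERMISSION),
    }
```

Two design points worth noting. Revocation is checked before any grant is consulted, so a revoked DN is denied even where an explicit rule names it; this is what makes the 795 fit criterion "altered for a user for all content" cheap to satisfy, since no per-object rule has to be rewritten. The pseudo-principal groups are cumulative, so a rule for ``registered-user`` is automatically honoured for ``verified-user`` callers, mirroring the nesting of the permission levels themselves.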