==========================================
Overview of Authorization Policy Languages
==========================================

:Author: Matt Jones
:Status: Incomplete Draft, Work in Progress being Edited

This document provides an overview of authorization technologies that have been considered as part of the design of the DataONE authorization and access control system.

Several open technologies can be used to express the policies for describing access control rules for resources and services in DataONE.
eml-access
----------

Ecological Metadata Language (EML) is in common use in the ecological and environmental monitoring community, and includes a simple module (eml-access.xsd) for describing access control policies for data resources. It allows both additive and subtractive rules, so one can either build up a set of allowed permissions and then subtract a few (e.g., all of the members of group 'data-managers' except 'john'), or deny all of the members of a group and then add a few. After years of experience using EML within the KNB network, it has become clear that this ability to modify the ruleset using different approaches for combining the rules is unnecessary to express the typical rules needed in the stakeholder community. The complexity also makes it more difficult for users to understand the implications of the access rules that they write; even with a GUI, many users compose access expressions that do not capture their intent. Here is a simple eml-access block:

.. code-block:: xml

   <!-- authSystem is a required attribute of the access element; order defaults to allowFirst -->
   <access authSystem="knb" order="allowFirst">
     <allow>
       <principal>uid=alice,o=NCEAS,dc=ecoinformatics,dc=org</principal>
       <permission>read</permission>
       <permission>write</permission>
     </allow>
   </access>
One of the shortcomings of eml-access is that it assumes that the linkage to a particular resource is expressed elsewhere (typically the access element is embedded in a broader EML document, thereby implicitly expressing which resources it applies to), and so it contains no mechanism for referencing the resource that is to be controlled. Experience with using eml-access in EML documents indicates that this mechanism is cumbersome and causes inadvertent creation of multiple versions of objects just to accomplish an access policy change. This is part of the motivation for moving access policies to SystemMetadata in DataONE (the other reason being that many metadata standards do not include an access policy descriptor at all).
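As an added example (not part of this document and not DataONE or EML project code), the following Python evaluator applies eml-access rules with the combining order described above: the rules are applied in the order named by the ``order`` attribute, and a rule of the kind applied second overrides one applied first. It shows the "all of data-managers except john" case and that the very same rules give john write access once ``order`` is flipped, which is the kind of surprise the paragraph above describes. The group DN, the DNs for john and bob, and the group resolver are assumptions; only alice's DN comes from the page.

```python
"""Evaluator for eml-access style policies (added example, not project code).

Semantics follow the page's description of the module: <allow> and <deny>
rules are applied in the order named by the 'order' attribute, and a rule of
the kind applied second overrides one applied first.  That is how "everyone in
data-managers except john" (allowFirst) and "deny the group, then add a few"
(denyFirst) are written.  Group membership is an assumption: the block only
names principals, so a resolver maps group DNs to member DNs.  Check
eml-access.xsd before relying on these rules in a real deployment.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

ALICE = "uid=alice,o=NCEAS,dc=ecoinformatics,dc=org"            # from the page
JOHN = "uid=john,o=NCEAS,dc=ecoinformatics,dc=org"              # assumed
BOB = "uid=bob,o=NCEAS,dc=ecoinformatics,dc=org"                # assumed, not a member
MANAGERS = "cn=data-managers,o=NCEAS,dc=ecoinformatics,dc=org"  # assumed group DN

# Constructed sample block: grant the group, then subtract john's write.
SAMPLE_POLICY = f"""
<access authSystem="knb" order="allowFirst">
  <allow>
    <principal>{MANAGERS}</principal>
    <permission>read</permission>
    <permission>write</permission>
  </allow>
  <deny>
    <principal>{JOHN}</principal>
    <permission>write</permission>
  </deny>
</access>
"""

# Constructed group resolver: group DN -> member DNs.
GROUPS: Dict[str, Set[str]] = {MANAGERS: {ALICE, JOHN}}

# EML permission values; 'all' expands to the other three.
PERMISSIONS = {"read", "write", "changePermission"}

Rule = Tuple[str, Set[str], Set[str]]  # (allow|deny, principals, permissions)


def parse_access(xml_text: str) -> Tuple[str, List[Rule]]:
    """Parse an access block into its order and its allow/deny rules."""
    root = ET.fromstring(xml_text)
    if root.tag.rsplit("}", 1)[-1] != "access":  # tolerate a namespaced element
        raise ValueError("not an eml-access block")
    order = root.get("order", "allowFirst")
    if order not in ("allowFirst", "denyFirst"):
        raise ValueError(f"unknown order {order!r}")
    rules: List[Rule] = []
    for rule in root:
        kind = rule.tag.rsplit("}", 1)[-1]
        if kind not in ("allow", "deny"):
            continue
        principals = {p.text.strip() for p in rule if p.tag.endswith("principal") and p.text}
        perms = {p.text.strip() for p in rule if p.tag.endswith("permission") and p.text}
        if "all" in perms:
            perms = set(PERMISSIONS)
        unknown = perms - PERMISSIONS
        if unknown:
            raise ValueError(f"unknown permission(s) {sorted(unknown)}")
        rules.append((kind, principals, perms))
    return order, rules


def principal_matches(subject: str, principal: str, groups: Dict[str, Set[str]]) -> bool:
    """'public' matches anyone; otherwise an exact DN or group membership."""
    return principal == "public" or principal == subject or subject in groups.get(principal, set())


def is_permitted(xml_text: str, subject: str, permission: str,
                 groups: Dict[str, Set[str]] = GROUPS) -> bool:
    """Default deny; the kind of rule applied second overrides the first."""
    order, rules = parse_access(xml_text)
    passes = ("allow", "deny") if order == "allowFirst" else ("deny", "allow")
    decision = False
    for kind in passes:
        for rule_kind, principals, perms in rules:
            if rule_kind != kind or permission not in perms:
                continue
            if any(principal_matches(subject, p, groups) for p in principals):
                decision = kind == "allow"
    return decision


def with_order(xml_text: str, order: str) -> str:
    """Same rules, different combining order: shows how much one attribute changes."""
    root = ET.fromstring(xml_text)
    root.set("order", order)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for subj, perm in ((ALICE, "write"), (JOHN, "write"), (JOHN, "read"), (BOB, "read")):
        print(f"allowFirst {subj.split(',')[0]} {perm}: {is_permitted(SAMPLE_POLICY, subj, perm)}")
    print("denyFirst john write:", is_permitted(with_order(SAMPLE_POLICY, "denyFirst"), JOHN, "write"))
```

With ``order="allowFirst"`` the deny rule is applied last and john loses write; with ``order="denyFirst"`` the identical rules are applied the other way round and the allow on the group restores it. A GUI that only lists the rules, without showing the order, hides exactly this difference.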
XACML 3.0
---------

XACML 3 replaces version 2.

.. note::

   Need to outline the approach to access control in version 3 and contrast it with versions 2 and 1.

XACML 2.0
---------

XACML 2 replaces version 1.

.. note::

   Need to outline the approach to access control in version 2 and contrast it with version 1.
XACML 1.0
---------

The Extensible Access Control Markup Language (XACML) is an OASIS standard for representing access control policies for resources and services. XACML specifically includes support for federated systems in an open Internet environment, is an open standard, and is being widely adopted by various software systems. The advantages of XACML lie in its completeness and in its status as an industry standard. The disadvantages for DataONE lie in its complexity, which makes these documents difficult to author, understand, and consume because of the large number of permutations the language can express. As an example, below is the same access rule expressed in eml-access above, expressed instead in XACML. Note that every comparison is made through a qualified match function and data type (e.g., the string-equal function applied to xs:string values), which is flexible but requires more implementation complexity than the DataONE authorization use cases call for. With XACML, one could express conditions that include complex functions and comparisons of arbitrary subject attributes (beyond identity).
.. code-block:: xml

   <?xml version="1.0" encoding="UTF-8"?>
   <!-- PolicyId, RuleId and RuleCombiningAlgId are required by the XACML 1.0
        schema; the values used here are placeholders -->
   <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
           PolicyId="ExamplePolicy"
           RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
     <Description>
       Example policy that grants read and write access to a data object.
     </Description>
     <Target>
       <Subjects><AnySubject/></Subjects>
       <Resources><AnyResource/></Resources>
       <Actions><AnyAction/></Actions>
     </Target>
     <Rule RuleId="AliceReadWrite" Effect="Permit">
       <Description>
         Alice can read and write data object with id doi:10.5432/example.1
       </Description>
       <Target>
         <Subjects>
           <Subject>
             <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">uid=alice,o=NCEAS,dc=ecoinformatics,dc=org</AttributeValue>
               <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                                           DataType="http://www.w3.org/2001/XMLSchema#string"/>
             </SubjectMatch>
           </Subject>
         </Subjects>
         <Resources>
           <Resource>
             <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">doi:10.0000/example_data_identifier</AttributeValue>
               <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
             </ResourceMatch>
           </Resource>
         </Resources>
         <Actions>
           <Action>
             <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
               <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                          DataType="http://www.w3.org/2001/XMLSchema#string"/>
             </ActionMatch>
           </Action>
           <Action>
             <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
               <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                          DataType="http://www.w3.org/2001/XMLSchema#string"/>
             </ActionMatch>
           </Action>
         </Actions>
       </Target>
     </Rule>
   </Policy>
The XACML 'Permit' Effect is equivalent to the eml-access 'allow' rule, the XACML 'Deny' Effect to the EML 'deny' element, the XACML 'Subject' to the EML 'principal' element, and the XACML 'Action' element to the EML 'permission' element. The XACML constructs can express considerably more, which is achieved through the indirection in the model (attribute designators, match functions and combining algorithms in place of fixed elements), but this flexibility and expressive power come at a significant cost in implementation time and software complexity that would have to be borne by every Member Node implementation.
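To make the cost of that indirection concrete, here is an added example (not part of this document, not DataONE code, and not a conforming XACML PDP): a small Python evaluator that walks the Rule/Target/Match structure of the policy above, dispatches each MatchId URN to a function table, and applies the rule combining algorithm. Even this stripped-down version, which handles only string-equal matches on the subject, resource and action identifiers, needs a function table and a combining step that eml-access never requires. An unknown MatchId yields Indeterminate instead of a silent non-match, so a policy that uses a function the evaluator does not implement fails closed. The PolicyId and RuleId values are constructed.

```python
"""Minimal XACML 1.0 evaluator.  Added example, not DataONE code and not a
conforming PDP: it handles Rule Targets made of Subject/Resource/Action
matches with string-equal plus the deny-/permit-overrides combining
algorithms.  Conditions, obligations, PolicySets and other match functions
are not implemented; an unknown MatchId yields Indeterminate rather than a
silent non-match, so an unsupported policy fails closed.  PolicyId and RuleId
values are constructed."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = "urn:oasis:names:tc:xacml:1.0:policy"
XS = "http://www.w3.org/2001/XMLSchema#string"
FN = "urn:oasis:names:tc:xacml:1.0:function:"
ATTR = {"subject": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
        "resource": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
        "action": "urn:oasis:names:tc:xacml:1.0:action:action-id"}
ALICE = "uid=alice,o=NCEAS,dc=ecoinformatics,dc=org"
OBJECT_ID = "doi:10.0000/example_data_identifier"
# Match functions keyed by MatchId URN; anything else is Indeterminate.
MATCH_FUNCTIONS = {FN + "string-equal": lambda policy_value, request_value: policy_value == request_value}


def action_match(action: str) -> str:
    return (f"<Action><ActionMatch MatchId='{FN}string-equal'>"
            f"<AttributeValue DataType='{XS}'>{action}</AttributeValue>"
            f"<ActionAttributeDesignator AttributeId='{ATTR['action']}' DataType='{XS}'/>"
            "</ActionMatch></Action>")


# The page's XACML policy, recreated with constructed PolicyId/RuleId values.
POLICY = f"""<Policy xmlns="{NS}" PolicyId="ExamplePolicy"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
 <Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources>
  <Actions><AnyAction/></Actions></Target>
 <Rule RuleId="AliceReadWrite" Effect="Permit"><Target>
  <Subjects><Subject><SubjectMatch MatchId="{FN}string-equal">
   <AttributeValue DataType="{XS}">{ALICE}</AttributeValue>
   <SubjectAttributeDesignator AttributeId="{ATTR['subject']}" DataType="{XS}"/>
  </SubjectMatch></Subject></Subjects>
  <Resources><Resource><ResourceMatch MatchId="{FN}string-equal">
   <AttributeValue DataType="{XS}">{OBJECT_ID}</AttributeValue>
   <ResourceAttributeDesignator AttributeId="{ATTR['resource']}" DataType="{XS}"/>
  </ResourceMatch></Resource></Resources>
  <Actions>{action_match('read')}{action_match('write')}</Actions>
 </Target></Rule>
</Policy>"""


def q(tag: str) -> str:
    return f"{{{NS}}}{tag}"


def match_element(match: ET.Element, request: Dict[str, str]) -> Optional[bool]:
    """One *Match element: True/False, or None (Indeterminate) for an unknown function."""
    fn = MATCH_FUNCTIONS.get(match.get("MatchId", ""))
    value = match.find(q("AttributeValue"))
    designator = next((c for c in match if c.tag.endswith("AttributeDesignator")), None)
    if fn is None or value is None or designator is None:
        return None
    request_value = request.get(designator.get("AttributeId", ""))
    return False if request_value is None else fn(value.text or "", request_value)


def target_matches(target: Optional[ET.Element], request: Dict[str, str]) -> Optional[bool]:
    """Subjects/Resources/Actions are ANDed, alternatives inside each are ORed,
    the *Match elements of one alternative are ANDed, and Any* matches all."""
    if target is None:
        return True
    for group, any_tag, alt_tag in (("Subjects", "AnySubject", "Subject"),
                                    ("Resources", "AnyResource", "Resource"),
                                    ("Actions", "AnyAction", "Action")):
        section = target.find(q(group))
        if section is None or section.find(q(any_tag)) is not None:
            continue
        outcomes: List[Optional[bool]] = []
        for alternative in section.findall(q(alt_tag)):
            results = [match_element(m, request) for m in alternative]
            outcomes.append(None if None in results else all(results))
        if True not in outcomes:
            return None if None in outcomes else False
    return True


def combine(algorithm: str, effects: List[str]) -> str:
    """Simplified rule combining: an Indeterminate rule makes the result
    Indeterminate unless the overriding effect is also present."""
    if algorithm.endswith(":deny-overrides"):
        precedence = ("Deny", "Indeterminate", "Permit")
    elif algorithm.endswith(":permit-overrides"):
        precedence = ("Permit", "Indeterminate", "Deny")
    else:
        return "Indeterminate"  # unknown algorithm: fail closed
    return next((e for e in precedence if e in effects), "NotApplicable")


def evaluate(policy_xml: str, request: Dict[str, str]) -> str:
    policy = ET.fromstring(policy_xml)
    applicable = target_matches(policy.find(q("Target")), request)
    if applicable is not True:
        return "Indeterminate" if applicable is None else "NotApplicable"
    effects: List[str] = []
    for rule in policy.findall(q("Rule")):
        matched = target_matches(rule.find(q("Target")), request)
        if matched is None:
            effects.append("Indeterminate")
        elif matched:
            effects.append(rule.get("Effect", "Deny"))
    return combine(policy.get("RuleCombiningAlgId", ""), effects)


def make_request(subject: str, resource: str, action: str) -> Dict[str, str]:
    return {ATTR["subject"]: subject, ATTR["resource"]: resource, ATTR["action"]: action}
```

Calling ``evaluate(POLICY, make_request(ALICE, OBJECT_ID, "write"))`` returns ``Permit``; a request for ``changePermission`` or for another subject returns ``NotApplicable``, which a deployment must then treat as a denial itself, since XACML leaves that decision to the enforcement point. Replacing ``string-equal`` with a function name the table does not know turns the decision into ``Indeterminate``, which is the behaviour to keep when extending the table: never let an unrecognised function match.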
Simplified Policy Language (SPL)
--------------------------------

A simplified syntax that acts as a front-end to XACML policies. See the `SimplifiedPolicyLanguage`_ web site for examples of use in the grid community.

.. _SimplifiedPolicyLanguage: https://twiki.cern.ch/twiki/bin/view/EGEE/SimplifiedPolicyLanguage