[ogsa-d-wg] Security issues for data services

Mario Antonioletti mario at epcc.ed.ac.uk
Mon Jun 6 03:57:28 CDT 2005


Hi,
   I have a couple of questions on the paragraph below:

> Access to data elements requires authorisation, possibly at the
> level of each individual element.  Depending on the data model, this
> level may be finer-grain than the level of the resource.  E.g. if
> the resource is a file system, the access control will be at the
> level of individual files.  Furthermore, in a database system, the
> access control will be at the level of individual tables and/or
> attributes; as such the access may depend on the content of a
> particular query.

In most instances, is it not the case that the security model that
is to be observed will be predominantly inherited from the underlying
data resource? So in a Unix file system the grid credentials of the
user might be mapped to a user and the access policies for that user
would be observed. A similar case would correspond to databases. So,
in most instances the security model of the underlying data resource is
observed - maybe that should be a basic principle.
 
The problem arises when objects/data are created by the service layer
and then stored in the service layer (or the underlying data
resource). How do you associate a security policy with this data?
If I derive some data from the data resource and store it in memory
accessible through another service, how do I bind a security policy
with that? Or if I derive data and want to have a different access
policy from the original data (or the default access privileges),
how do I do that?

A similar issue arises with metadata which lives at the service
layer. Is it the case that in order to access that metadata you
must have the same credentials as would be required to access
the underlying data resource?

			Mario

+-----------------------------------------------------------------------+
|Mario Antonioletti:EPCC,JCMB,The King's Buildings,Edinburgh EH9 3JZ.   |
|Tel:0131 650 5141|mario at epcc.ed.ac.uk|http://www.epcc.ed.ac.uk/~mario/ |
+-----------------------------------------------------------------------+
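
The two cases raised in the message, as an added example that is not part of the original post or of any OGSA-DAI code: a policy inherited from the underlying resource through a credential mapping, and derived data held in the service layer with either an explicitly bound policy or a fallback. All DNs, paths, policies and function names are constructed, and the fallback rule (require the same access on every source) is an assumption, not something the working group specified.

```python
# Added illustration: all identities, paths and policies are constructed.
from dataclasses import dataclass
from typing import Optional

# Grid credential (certificate DN) -> local account on the data resource.
GRID_MAP = {"/O=Grid/CN=Alice": "alice", "/O=Grid/CN=Bob": "bob"}

# The underlying resource's own policy: path -> {local user: allowed actions}.
RESOURCE_ACL = {
    "/data/survey.csv": {"alice": {"read", "write"}, "bob": {"read"}},
    "/data/private.csv": {"alice": {"read"}},
}

@dataclass
class Derived:
    """Data created and held in the service layer, unknown to the resource."""
    sources: list                  # resource paths it was derived from
    policy: Optional[dict] = None  # policy bound at creation, if any

DERIVED = {}  # name -> Derived

def resource_allows(dn, path, action):
    """Inherited model: map the credential, then apply the resource's policy."""
    user = GRID_MAP.get(dn)
    return user is not None and action in RESOURCE_ACL.get(path, {}).get(user, set())

def derive(dn, name, sources, policy=None):
    """Store a derived object; the creator must be able to read every source."""
    if not sources or not all(resource_allows(dn, s, "read") for s in sources):
        raise PermissionError(f"{dn} may not read all sources of {name}")
    DERIVED[name] = Derived(list(sources), policy)

def derived_allows(dn, name, action):
    """Service-layer check for derived data."""
    user, obj = GRID_MAP.get(dn), DERIVED.get(name)
    if user is None or obj is None:
        return False  # unknown credential or object: deny
    if obj.policy is not None:  # a different policy was bound explicitly
        return action in obj.policy.get(user, set())
    # Assumed default: no bound policy means the caller needs the same
    # access on every source the object was derived from.
    return all(resource_allows(dn, s, action) for s in obj.sources)
```

Recording the source paths at creation time is what lets the service layer fall back to the resource's own policy when nothing else has been bound to the derived object.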






