• DocumentCode
    2118330
  • Title

    Policy Based Access Control in Dynamic Grid-based Collaborative Environment

  • Author

    Demchenko, Y. ; Gommans, Leon ; Tokmakoff, Andrew ; Buuren, Rene Van

  • Author_Institution
    University of Amsterdam
  • fYear
    2006
  • fDate
    14-17 May 2006
  • Firstpage
    64
  • Lastpage
    73
  • Abstract
    This paper describes the design and development of a flexible, customer-driven, security infrastructure for Grid-based Collaborative Environments. The paper proposes further development of the access control model built around a service or resource provisioning agreement (e.g., an experiment or project) that is used as a basis for an instant access control policy definition and virtual association of users and resources. Workflow management technology is considered as a solution for dynamic security context management during the lifetime of an experiment. The paper analyses the required functionality and suggests extensions to the generic AAA Authorisation framework in order to support complex collaboration scenarios in dynamic virtualised environments. The paper provides implementation details on the use of XACML for fine-grained access control policy definition for complex resources and team-based role management, and SAML for secure credentials exchange. In addition, the paper discusses how the Virtual Organisations (VO) concept can be used for experiment-based dynamic security association management. The proposed technical solutions are intended to be compatible and interoperable with the current implementation of the Grid security middleware in the Globus Toolkit and gLite. The paper is based on experiences gained from major Grid-based and Grid-oriented projects in collaborative applications and complex resource provisioning.
  • Keywords
    Grid-based Collaborative Environment; Policy-based access control; RBAC; SAML; XACML; workflow; Access control; Authorization; Collaboration; Collaborative work; Context-aware services; Middleware; Resource management; Security; Technology management; Web services
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Collaborative Technologies and Systems, 2006. CTS 2006. International Symposium on
  • Print_ISBN
    0-9785699-0-3
  • Type

    conf

  • DOI
    10.1109/CTS.2006.59
  • Filename
    1644117