CRIC ・ Authentication & Authorization
Aresh Vedaee
MAPPING SCHEMA

AUTHENTICATION
  Authentication sources: SSO, CERN HR DB, VOMS, CRIC DB, …
  Principals: Users; Groups (Group = collection of individuals)

AUTHORIZATION
  Roles (Role = list of permissions): Site Admin, Experiment Site Support, Experiment Admin, CRIC Admin
  Restrictions (applied to a role assignment)

PERMISSIONS (Permission = Action + Entity)
  Actions: Create, Modify, Delete, Read
  Entities: Object instances, Object properties, Web UI / API
ROLES (example)

Roles: CORE Expert, Experiment Expert, Site Admin, Experiment Admin, Experiment Site Support
Resources: Site A (SEs, CEs), Site B (SEs, CEs), Site C (SEs, CEs)

Restricted role assignments:
  Site Admin + Restriction(Site = "Site A")
  Experiment Admin + Restriction(VO = "CMS")
  Experiment Site Support + Restriction(VO = "CMS", Site = "Site B")

A restriction narrows the role to the entities whose attributes match it: the Site Admin restricted to Site A can act on Site A's SEs and CEs but not on Site B's, the Experiment Admin restricted to VO = "CMS" acts only on CMS-specific objects across all sites, and Experiment Site Support restricted to both VO and Site is confined to the CMS view of Site B.
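The mapping schema (sources → principals → roles → permissions, with restrictions on role assignments) and the restricted role examples above, worked through in Python as an added illustration. This is not CRIC's own code: the contents of each role, the user and group names, the entity types (Site, SE, CE, ExperimentSite) and the attribute names (Site, VO) are all assumptions made for the example.

```python
"""Scoped RBAC as sketched on the slides: a Role is a list of Permissions,
a Permission is Action + Entity, and an assignment of a Role to a principal
may carry a Restriction that limits it to entities with matching attributes.
Added example; role contents, principals and entities are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Mapping, Tuple

ACTIONS = ("Create", "Modify", "Delete", "Read")

# ((attribute, required value), ...); the empty tuple means unrestricted.
Restriction = Tuple[Tuple[str, str], ...]


@dataclass(frozen=True)
class Permission:
    action: str   # one of ACTIONS, or "*" for any action
    entity: str   # entity type (e.g. "SE"), or "*" for any entity

    def grants(self, action: str, entity: str) -> bool:
        return self.action in ("*", action) and self.entity in ("*", entity)


# Role = list of permissions. Contents are assumed for the example only.
ROLES: Dict[str, FrozenSet[Permission]] = {
    "CRIC Admin": frozenset({Permission("*", "*")}),
    "Site Admin": frozenset({
        Permission("Modify", "Site"),
        Permission("Create", "SE"), Permission("Modify", "SE"), Permission("Delete", "SE"),
        Permission("Create", "CE"), Permission("Modify", "CE"), Permission("Delete", "CE"),
    }),
    "Experiment Admin": frozenset({
        Permission("Create", "ExperimentSite"),
        Permission("Modify", "ExperimentSite"),
        Permission("Delete", "ExperimentSite"),
    }),
    "Experiment Site Support": frozenset({Permission("Modify", "ExperimentSite")}),
}


@dataclass(frozen=True)
class Assignment:
    role: str
    restriction: Restriction = ()


def restrict(**attrs: str) -> Restriction:
    """Build a Restriction, e.g. restrict(VO="CMS", Site="Site B")."""
    return tuple(sorted(attrs.items()))


# Principals. A group is a collection of individuals; an assignment can target
# either a user or a group. All names are constructed.
GROUP_MEMBERS: Dict[str, FrozenSet[str]] = {
    "cms-site-b-support": frozenset({"bob", "carol"}),
}

ASSIGNMENTS: Dict[str, List[Assignment]] = {
    "alice": [Assignment("Site Admin", restrict(Site="Site A"))],
    "dave": [Assignment("Experiment Admin", restrict(VO="CMS"))],
    "cms-site-b-support": [Assignment("Experiment Site Support",
                                      restrict(VO="CMS", Site="Site B"))],
    "root": [Assignment("CRIC Admin")],   # unrestricted
}


def effective_assignments(user: str) -> List[Assignment]:
    """Direct assignments plus those inherited through group membership."""
    found = list(ASSIGNMENTS.get(user, []))
    for group, members in GROUP_MEMBERS.items():
        if user in members:
            found.extend(ASSIGNMENTS.get(group, []))
    return found


def restriction_matches(restriction: Restriction, entity_attrs: Mapping[str, str]) -> bool:
    """Every restricted attribute must be present on the entity with the
    required value. A missing attribute fails closed: a role scoped to
    VO="CMS" grants nothing on an object that carries no VO at all."""
    return all(entity_attrs.get(attr) == value for attr, value in restriction)


def is_allowed(user: str, action: str, entity_type: str,
               entity_attrs: Mapping[str, str]) -> bool:
    """Default deny: allow only if some effective assignment holds a matching
    permission AND its restriction matches the target entity's attributes."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    for assignment in effective_assignments(user):
        permissions = ROLES.get(assignment.role, frozenset())
        if not any(p.grants(action, entity_type) for p in permissions):
            continue
        if restriction_matches(assignment.restriction, entity_attrs):
            return True
    return False


if __name__ == "__main__":
    checks = [
        ("alice", "Modify", "SE", {"Site": "Site A"}),
        ("alice", "Modify", "SE", {"Site": "Site B"}),
        ("bob", "Modify", "ExperimentSite", {"VO": "CMS", "Site": "Site B"}),
        ("bob", "Modify", "ExperimentSite", {"VO": "CMS"}),
    ]
    for user, action, etype, attrs in checks:
        print(user, action, etype, attrs, "->", is_allowed(user, action, etype, attrs))
```

Two design points worth noting. The restriction is attached to the assignment, not to the role, so the same "Site Admin" role definition serves every site and only the scope differs per principal. And `restriction_matches` fails closed when the target entity lacks a restricted attribute, which is what keeps a VO-scoped administrator from touching VO-agnostic objects.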