Job-Centric Security Model for Open Collaborative Environment Yuri Demchenko Universiteit van Amsterdam demch@science.uva.nl Leon Gommans Universiteit van Amsterdam lgommans@science.uva.nl Cees de Laat Universiteit van Amsterdam delaat@science.uva.nl Bas Oudenaarde Universiteit van Amsterdam oudenaarde@science.uva.nl Andrew Tokmakoff Telematica Instituut Andrew.Tokmakoff@telin.nl Martin Snijders Telematica Instituut Martin.Snijders@telin.nl ABSTRACT This paper describes the design and development of a flexible, customer driven, security infrastructure for Open Collaborative Environments. The experiences were gained within the framework of the Collaboratory.nl project. The work is based on extended use of emerging Web Services and Grid security technologies, combined with concepts from the generic Authentication Authorization and Accounting (AAA) authorisation framework. Basic CNL use cases and functional security requirements are analysed to provide motivation for the proposed Job-centric security model. This model describes access control and user- and resource management. The proposed Job-centric approach uses a Job description as a semantic document that is created on the basis of the signed order (or business agreement). It contains all the information required to run the experiment and also to create/manage the virtual Job- based associations of users and resources. The proposed trust relations analysis explains the use of trust anchors in the Job-centric security model. In addition, the paper provides implementation details of using XACML and SAML for Authorisation assertions and messaging, based on the current CNL implementation. KEYWORDS: Open Collaborative Environment, Job- centric security model, authorisation framework, RBAC, SAML, XACML 1. INTRODUCTION Many modern research areas (e.g. the process industry) rely on advanced laboratory equipment, such as electron microscopes, mass spectrometers, equipment for surface analysis , and other analytical equipment. Effective use of this equipment during experiments and for production work requires complex infrastructure and the involvement of many specialists that may be distributed and span multiple organisations. Emerging Computer Grids and Web Services technologies provide a sound basis for extending Groupware, which has traditionally been used for collaborative applications to build a virtual collaborative environment. Such virtual laboratories offer the same possibilities as a traditional laboratory, however they also enable laboratory staff to utilise the equipment and expertise of third parties. Security services provide a reliable and secure operational environment that is capable of managing customers’ and providers’ resources. Protection of privacy and confidentiality is of particular importance when different parties share the same equipment. This paper presents the experience of designing and developing an open, flexible, customer-driven security infrastructure for open collaborative applications in the framework of the Collaboratory.nl 1 project (CNL). The work is largely based upon extended use of emerging Web Services and Computer Grid security technologies and the generic AAA authorisation framework [1, 2, 3, 4]. Collaborative applications require a sophisticated, multi-dimensional security infrastructure that manages secure operation of user applications between multiple administrative- and trust domains. Typical Open Collaborative Environment (OCE) use cases requires that the collaborative environment: • is dynamic since the environment can potentially change from one experiment to another, • may span multiple trust domains, • can handle different user identities and attributes/privileges that must comply with different policies (both experiment and task specific). 1 http://www.collaboratory.nl/