Authorisation and identity mapping services for the Open Science Grid

An attribute-based authorisation infrastructure developed for the Open Science Grid (OSG) is presented. The infrastructure integrates existing identity-mapping and group-membership services using concepts prototyped in the PRIMA system. Authorisation scenarios for requests to compute and data resources are detailed. A new SAML obligated authorisation decision statement is introduced that attaches an XACML obligation to the authorisation decision. The use of obligations enables site-centralised, service-independent policy management. Authorisation decisions are enforced via a Workspace Service that creates constrained execution environments configured in accordance with the obligations and other attribute-based information. Finally, an experimental PRIMA authorisation service that extends and simplifies the infrastructure is described.