Authorisation Pipelines


The CADRE team are liaising with US colleagues working on a National Science Fund project (ImPACT – Infrastructure for Privacy-Assured CompuTations) on their approach to shared infrastructure development using a networked service architecture, a federated authorisation model and a mix of new technologies. The ImPACT project partners are RENCI, UNC-Chapel Hill, Duke University, Indiana University and City of Durham.

The ImPACT team have published on their authorisation infrastructure development work.

“We define a system as federated when multiple services operated by different principals contribute to an authorization decision. Data access in ImPACT involves multiple server instances to discover the data, establish credentials, and retrieve the data. We refer to the set of servers involved as the authorization pipeline for a request. The ImPACT pipeline introduces Notary Services that interpret conditions for Data Usage Agreements (DUAs), collect approvals from Web users, and issue digitally signed attestations to witness those approvals.”

J. S. Chase and I. Baldin, “Federated Authorization for Managed Data Sharing: Experiences from the ImPACT Project,” 2021 International Conference on Computer Communications and Networks (ICCCN), 2021, pp. 1-10, doi: 10.1109/ICCCN52240.2021.9522208.

“ImPACT creates a foundation to express real-world access policies rigorously, automate compliance checking for conditions of access, and generate a trail of authenticated assertions to support accountability for non-compliant use. By adopting such technologies in practice and policy, institutions can improve efficiency and researcher productivity, protect the data, and enhance their capabilities to manage and oversee research involving sensitive datasets.”

I. Baldin, J. Chase, J. Crabtree, T. Nechyba, L. Christopherson, M. Stealey, C. Kneifel, V. Orlikowski, R. Carter, E. Scott, A. Sone, D. Sizemore, “ImPACT: A networked service architecture for safe sharing of restricted data,” Future Generation Computer Systems, 2022, Vol. 129, pp. 269-285, doi: 10.1016/j.future.2021.11.026
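The two quotations above describe the same mechanism from two angles: a multi-server authorisation pipeline in which a Notary Service witnesses a user's acceptance of DUA conditions with a signed attestation, and a data server that releases data only against such an attestation, with every decision leaving an authenticated trail. The following is an added illustration of that pipeline, written for this page; it is not ImPACT's code and does not reflect its protocol formats. It assumes a shared HMAC key in place of the notary's real digital signature (so it runs with only the Python standard library), and the DUA identifier, dataset name, condition names and user names are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed notary signing key. A real Notary Service would sign with a
# private key and verifiers would hold its public key; HMAC stands in for the
# digital signature so this example runs with only the standard library.
NOTARY_KEY = b"constructed-notary-key-for-this-example-only"

# Constructed Data Usage Agreements: each lists the conditions a requester
# must accept before the notary will witness the approval.
DUAS = {
    "dua-42": {
        "dataset": "survey-2019",
        "conditions": ["no-reidentification", "no-redistribution"],
    },
}


def canonical(body):
    # Deterministic encoding so the signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def notary_issue_attestation(user, dua_id, accepted_conditions, now, trail, ttl=3600):
    """Notary Service: interpret the DUA's conditions, check that the user has
    approved every one of them, and issue a signed attestation witnessing that
    approval. Every decision, granted or refused, is appended to the trail."""
    dua = DUAS[dua_id]
    missing = [c for c in dua["conditions"] if c not in accepted_conditions]
    if missing:
        trail.append({"event": "approval-refused", "sub": user, "dua": dua_id, "missing": missing})
        return None
    body = {"sub": user, "dua": dua_id, "dataset": dua["dataset"], "iat": now, "exp": now + ttl}
    sig = hmac.new(NOTARY_KEY, canonical(body), hashlib.sha256).hexdigest()
    trail.append({"event": "attestation-issued", "sub": user, "dua": dua_id, "iat": now})
    return {"body": body, "sig": sig}


def data_service_release(attestation, dataset, now, trail):
    """Data server: release the dataset only when presented with a genuine,
    unexpired notary attestation that names this dataset. A denial records
    why, so the audit trail supports later accountability."""
    if attestation is None:
        trail.append({"event": "release-denied", "reason": "no-attestation", "dataset": dataset})
        return False
    body = attestation["body"]
    expected = hmac.new(NOTARY_KEY, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, attestation["sig"]):
        reason = "bad-signature"      # attestation altered after the notary signed it
    elif body["dataset"] != dataset:
        reason = "wrong-dataset"      # approval was for a different dataset
    elif now >= body["exp"]:
        reason = "expired"            # approval must be renewed, not reused forever
    else:
        trail.append({"event": "release-granted", "sub": body["sub"], "dua": body["dua"], "dataset": dataset})
        return True
    trail.append({"event": "release-denied", "reason": reason, "sub": body.get("sub"), "dataset": dataset})
    return False


def run_pipeline(user, dua_id, accepted_conditions, now, request_time=None):
    """Run the two-stage pipeline (notary, then data server) and return the
    release decision together with the trail of assertions it produced."""
    trail = []
    att = notary_issue_attestation(user, dua_id, accepted_conditions, now, trail)
    when = now if request_time is None else request_time
    released = data_service_release(att, DUAS[dua_id]["dataset"], when, trail)
    return released, trail


if __name__ == "__main__":
    now = 1_700_000_000
    ok, trail = run_pipeline("alice@example.edu", "dua-42",
                             ["no-reidentification", "no-redistribution"], now)
    print(ok, [e["event"] for e in trail])
```

The point of the split is that the data server never sees the user's click-through itself; it trusts only the notary's signature over a canonical statement of who approved which DUA for which dataset and until when, and it writes down each outcome so that a later audit can reconstruct why a release was granted or refused.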

As with CADRE, the ImPACT team are using CILogon and COmanage for identity assurance and group access management (using the Authentication and Authorisation for Research and Collaboration Blueprint Architecture). CILogon works with a wide range of identity providers that deliver services to Australian universities, including federated identity providers like the Australian Access Federation (AAF), Google and ORCiD.

In the CADRE project the AAF are taking the lead by setting up CILogon services so that identity assurance and group access management can be built into the sensitive data access request process in research collaborations. User attributes provided through university credentials supplied by researchers via CILogon will be passed into the information exchange in the CADRE platform, assisting with access management administration and decision-support.

The work that the ImPACT team have done to make access management administration easier is an acknowledgement that approval decisions and auditing are complex and critical features of authorisation pipelines in national research platforms that mediate researcher access to sensitive data.

Image credit: Le Moretti sculpture close up Chris Waits cc-by 2.0