Gabriele Garzoglio (FERMI NATIONAL ACCELERATOR LABORATORY)
Grids enable uniform access to resources by implementing standard interfaces to resource gateways. Gateways control access privileges to resources using the user's identity and personal attributes, which are available through Grid credentials. Typically, gateways implement access control by mapping Grid credentials to local privileges. In the Open Science Grid (OSG), privileges are granted on the basis of the user's membership in a Virtual Organization (VO). Currently, access privileges are determined solely by the individual sites that own the resources. While this guarantees sites full control over access rights, it makes VO privileges heterogeneous throughout the Grid and hardly fits the Grid paradigm of uniform access to resources. In addition, there is no automated mechanism for a VO to define and publish privileges specific to the VO, such as the need for outbound network access from the resource. To address these challenges, we are developing the Scalable Virtual Organization Privileges Management Environment (SVOPME), which provides tools for VOs to define and publish desired privileges and assists sites in providing the appropriate access policies. At a site, SVOPME analyzes how access policies are defined for its resources. These policies are then compared with the ones published by the VO, so that sites and VOs can verify policy compliance. Upon request, SVOPME can generate directives for site administrators on how the local access policies can be amended to achieve such compliance. This paper discusses what access policies are of interest to the OSG community and how SVOPME implements privilege management for the OSG.
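The compare-and-direct step described above, as an added illustration that is not SVOPME's own code: a VO publishes the privileges it needs, each site's local policy is inspected per VO, and a directive is produced for every desired privilege that the site either denies or never specifies. The data model, privilege names, and site rules are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Hypothetical policy model (constructed for this example; the abstract does not
# describe SVOPME's real policy formats).
@dataclass
class VOPolicy:
    vo: str
    desired: Set[str]  # privileges the VO publishes as needed at a site

@dataclass
class SitePolicy:
    site: str
    # local access policy per VO: privilege name -> "grant" or "deny";
    # a privilege absent from the mapping is unspecified at the site
    rules: Dict[str, Dict[str, str]]

def check_compliance(vo: VOPolicy, site: SitePolicy) -> Tuple[bool, List[str]]:
    """Compare a VO's published privileges with a site's local policy.
    Returns (compliant, directives); directives tell the site admin what to amend."""
    local = site.rules.get(vo.vo, {})
    directives: List[str] = []
    for priv in sorted(vo.desired):
        state = local.get(priv)
        if state == "grant":
            continue  # already compliant for this privilege
        if state == "deny":
            directives.append(f"{site.site}: local policy denies '{priv}' to VO {vo.vo}; grant it")
        else:
            directives.append(f"{site.site}: no local policy for '{priv}' for VO {vo.vo}; add a grant rule")
    return not directives, directives

def report(vo: VOPolicy, sites: List[SitePolicy]) -> Dict[str, Tuple[bool, List[str]]]:
    """Run the compliance check for one VO across several sites."""
    return {s.site: check_compliance(vo, s) for s in sites}

# Constructed sample: one VO and two sites with different local policies.
CMS = VOPolicy("cms", {"outbound-network", "scratch-space", "job-submission"})
SITES = [
    SitePolicy("siteA", {"cms": {"outbound-network": "grant", "scratch-space": "grant",
                                 "job-submission": "grant"}}),
    SitePolicy("siteB", {"cms": {"outbound-network": "deny", "job-submission": "grant"}}),
]

if __name__ == "__main__":
    for site, (ok, directives) in report(CMS, SITES).items():
        print(site, "compliant" if ok else "NOT compliant")
        for d in directives:
            print("  -", d)
```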