70 | | The mapping to local credentials is accomplished by a |
| 70 | The mapping to local credentials is accomplished by a map file that maps an ABAC credential to a local data tuple. The encoding above would be: |
| 71 | |
| 72 | {{{ |
| 73 | ac_fedid.project_proj1_user_user1 -> (DETER, faber, faber) |
| 74 | }}} |
| 75 | |
| 76 | The tuple has the same format as the non-ABAC [FeddDatabases#AccessComponentAccessDB access control database] for that kind of controller. |
| 77 | |
| 78 | == ABAC Logic: RT0 vs. RT1 == |
| 79 | |
| 80 | ABAC can support several underlying logics. The current logic, RT0, implemented by [http://abac.deterlab.net libabac] represents attributes as simple strings. This is why encoding a project takes the form {{{project_}}}''name''. |
| 81 | |
| 82 | RT1 allows for parameterized attributes, that is an attribute is a string and 0 or more typed parameters. Those attributes would take the form of {{{project(}}}''name''{{{)}}}, and would allow some more sophisticated deduction rules. While the RT0 vs. RT1 distinction is only a convenience for the encoding of three-names, we intend to pursue implementing the more powerful logic. |
| 83 | |
| 84 | |
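Review bot: The map-file example at new line 73 gives the tuple (DETER, faber, faber) without saying what each of the three positions holds. Because the attribute on the left names proj1 and user1 while the tuple repeats faber, a reader cannot tell from the example which position is the project and which is the user. The only explanation is the link on line 76 to the non-ABAC access control database, so a sentence naming the three fields next to the example would make the mapping readable on its own. On line 82, "three-names" is used without a definition in the visible text, and "that is an attribute is a string and 0 or more typed parameters" reads more clearly as "that is, an attribute is a string plus zero or more typed parameters".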