= ABAC access control for Fedd =

The [http://www.isso.sparta.com/research_projects/security_infrastructure/abac_overview.html ABAC] access control system, developed at Stanford and realized by a group in Trusted Information Systems that later moved to SPARTA, is a formal, flexible, scalable access control system based on formal derivation of user attributes, attested by other trusted users. We have been [http://groups.geni.net/geni/wiki/TIEDABACModel planning] to integrate it into fedd for some time. We have recently implemented ABAC in a [http://abac.deterlab/net portable library] and this implementation has been integrated into fedd. Under our associated TIED project, we have completed a similar [http://groups.geni.net/geni/attachment/wiki/TIED/ABAC_GENIAPIv1.2.pdf integration] with GENI's [http://trac.gpolab.bbn.com/gcf reference aggregate manager], part of their developing [http://groups.geni.net/geni/wiki/GeniApi GENI API].

This page describes the use of ABAC with fedd, concentrating on using the transition tools to create initial ABAC credential stores from which to run fedd. In order to get the most from this page, you should be familiar with:

 * [http://groups.geni.net/geni/wiki/TIEDABACModel The ABAC model] as it is used by DETER.
 * There is a [http://groups.geni.net/geni/wiki/TIEDABACDemo worked example] that can be helpful here.
 * The existing [FeddDatabases fedd access databases]

== Storing Credentials ==

Users and servers (fedd instances) now both have credential stores to maintain. When using ABAC credentials to enforce the same kinds of access control as [FeddAbout#GlobalIdentifiers:Three-levelNames three-names], neither users nor servers will see much change. Credentials will be managed transparently. By default a user will maintain a credential store in a directory named {{{.abac}}}