Short Lived Credential Service
A Service of SWITCH

SLCS Administrator Guide

This short guide introduces the access control system of the SLCS certificate service and describes the main functionalities of the SLCS administrator web interface.

Please contact the SWITCHgrid Team if you need administrator access to the SLCS administrator web interface or have any questions regarding the SLCS service.

Introduction

Access to the SLCS certificate service is protected by an attribute-based access control system. This means that the attributes of the user are evaluated and compared with a set of access control rules. If a rule matches the attributes of the user, that user is granted access to the service.

Attributes-Based Access Control
Figure: Attributes-Based Access Control

Attributes-Based Access Control Rules

The attribute-based access control system uses rules to grant access. A rule defines a list of attribute name-value pairs, all of which must be matched by the attributes of the user.

Example of an Access Control Rule

This is an example of an attribute-based access control rule granting access to one particular ETH Zurich user who is a member of the ETH staff.

<AccessControlRule group="ETHZ">
    <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonUniqueID">
        1638746183469@ethz.ch
    </Attribute>
    <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganization">
        ethz.ch
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
        staff
    </Attribute>
</AccessControlRule>

In this example, only a user matching all three attributes defined in the rule will be accepted. As the rule contains the AAI UniqueID (urn:mace:switch.ch:attribute-def:swissEduPersonUniqueID) of this user, only this particular user will get access to the SLCS service.

See the Annexe: Attribute Definitions for a complete list of attribute display names and SAML names.

Evaluation of the Access Control Rules

The attributes of the user must match all the attributes defined in a rule. Therefore, each rule is evaluated like an AND operation. The set of all access control rules is evaluated like an OR operation: access is granted as soon as any one rule matches.


Figure: AND and OR logic for the rules
Notice:
If you want to add an access control rule granting access to all students or staff members of the ETH Zurich, you will have to create two separate rules: the first one for the ETH Zurich students and a second one for the ETH Zurich staff members.

Rule Group and Constraint

Each access control rule belongs to a particular group and each group can have an access control rule constraint defined. This rule constraint defines the mandatory attributes for each rule belonging to the group.

If an access control rule constraint is defined for a group, then all rules of this group must contain all the attribute name-value pairs defined in the constraint.

Example of a Rule Constraint

In this example, the group ETHZ defines an access control rule constraint.

<Group name="ETHZ">
    <AccessControlRuleConstraint>
        <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganization">
            ethz.ch
        </Attribute>
    </AccessControlRuleConstraint>
</Group>

This constraint asserts that the attribute Home Organization (urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganization) must exist and must have the value ethz.ch in every access control rule of the group ETHZ.
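The following added example (not part of the SLCS service or this guide) shows the rule evaluation described above in code: each rule is an AND over its attribute name-value pairs, the rule set is an OR, and a group constraint is checked by requiring its attributes in every rule of the group. The rule and constraint XML are constructed samples in the format shown in this guide; the evaluator itself, its function names and the use of Python's ElementTree are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample rule set in the guide's format (not production SWITCH data).
# The first rule is the single-user rule from the guide; the second enables all ETHZ students.
RULES_XML = """<Rules>
<AccessControlRule group="ETHZ">
    <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonUniqueID">
        1638746183469@ethz.ch
    </Attribute>
    <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganization">
        ethz.ch
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">staff</Attribute>
</AccessControlRule>
<AccessControlRule group="ETHZ">
    <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganization">ethz.ch</Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">student</Attribute>
</AccessControlRule>
</Rules>"""

# Constructed group constraint, as in the guide's example.
CONSTRAINT_XML = """<Group name="ETHZ">
    <AccessControlRuleConstraint>
        <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganization">ethz.ch</Attribute>
    </AccessControlRuleConstraint>
</Group>"""

def parse_attributes(element):
    """Name -> value of the <Attribute> children; whitespace around values is stripped."""
    return {a.get("name"): (a.text or "").strip() for a in element.findall("Attribute")}

def parse_rules(xml):
    """Return a list of (group, {attribute name: value}) tuples."""
    root = ET.fromstring(xml)
    return [(r.get("group"), parse_attributes(r)) for r in root.findall("AccessControlRule")]

def rule_matches(rule_attrs, user_attrs):
    """AND: every attribute in the rule must be present for the user with exactly that value."""
    return all(user_attrs.get(name) == value for name, value in rule_attrs.items())

def is_authorized(rules, user_attrs):
    """OR: access is granted if at least one rule matches the user's attributes."""
    return any(rule_matches(attrs, user_attrs) for _, attrs in rules)

def constraint_violations(constraint_xml, rules):
    """Indexes of rules in the constrained group that lack a required name-value pair."""
    group = ET.fromstring(constraint_xml)
    required = parse_attributes(group.find("AccessControlRuleConstraint"))
    return [i for i, (g, attrs) in enumerate(rules)
            if g == group.get("name") and not rule_matches(required, attrs)]
```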

Manage Access to the SLCS Service

As an SLCS administrator you can use the SLCS administration web interface to manage your users' access control rules.

The URL to access the SLCS administration web interface is https://slcs.switch.ch/SLCS/admin

SLCS Admin - Home
Screenshot: SLCS Administration - Home

The SLCS Administration page shows you the list of access control groups you can administer and your own AAI attributes. You can always come back to this page by selecting Home in the navigation menu.

Access Control Groups

Each SLCS administrator is a member of one or more groups. As each access control rule belongs to a group, your group membership determines which access control rules you can manage.

List the Access Control Rules

You can list all the active access control rules you can manage by selecting List Access Rules in the navigation menu.

SLCS Admin - List Rules
Screenshot: SLCS Administration - List Access Control Rules

The SLCS Access Control Rules page lists all the active access control rules belonging to all the groups you can administer. Any active access control rule can be either edited with the Edit button or deleted with the Delete button.

Create a new Access Control Rule

You can also create a new access control rule by selecting New Access Rule in the navigation menu.

SLCS Admin - Create Rule
Screenshot: SLCS Administration - New Access Control Rule

The New Access Control Rule page displays a form to create a new access control rule.

Set the Rule Group

First, you must assign a group to this new access control rule. To do this, select one of your groups from the Group drop-down list and confirm your choice with the Set Group button.

This operation determines the group attribute constraint for this new rule and displays the rule mask with the constrained attributes already set (marked with *). The constrained attributes defined by a group rule constraint are mandatory and cannot be modified or deleted.

Enable a Single User

You can now define the attributes needed to authorize a particular user. The best way to uniquely identify a single user is to use the AAI UniqueID or the Email attribute of that user in the rule.

Every user can use the AAI Attributes Viewer at https://aai-viewer.switch.ch/aai to view all of their AAI attributes. You can use this information to obtain the user's AAI UniqueID or Email attribute.

SLCS Admin - Create Rule single user
Screenshot: SLCS Administration - New Access Control Rule (Single User)

In this example, the user you want to allow has the attribute AAI UniqueID set to 10101010@ethz.ch and, as an ETH Zurich student, has the attribute Affiliation set to student.

Once you have defined all the attributes you want for the rule, click on Create Rule to commit your new access control rule.

Enable a Group of Users

It is also possible to enable a whole group of users, based on a set of attributes common to all of them.

SLCS Admin - Create Rule group of users
Screenshot: SLCS Administration - New Access Control Rule (Group of Users)

For example, you can allow all ETH Zurich staff members to use the SLCS service by defining a rule containing the attribute Affiliation with the value staff.

Notice:
Please contact the SWITCHgrid team to discuss this more general access control and the different attributes which can be used to achieve such a group definition.

Edit an existing Access Control Rule

To edit an existing access control rule, first select List Access Rules in the navigation menu to obtain the list of the rules you can manage, then click on the Edit button of the rule you want to edit.

SLCS Admin - Edit Rule
Screenshot: SLCS Administration - Edit Access Control Rule

The Edit Access Control Rule page displays the access control rule you want to edit.

Once you have modified, added or removed the attributes you wanted to edit, click on Save Rule to commit the modification.

Delete an Access Control Rule

To delete an existing access control rule, first select List Access Rules in the navigation menu to obtain the list of the rules you can manage, then click on the Delete button of the rule you want to delete.

Help and Contacts

If you have any questions about this guide please consult the SWITCHgrid web site at http://www.switch.ch/grid or send an email to the SWITCHgrid team at <grid@switch.ch>

Annexe: Attribute Definitions

This table represents the attribute definitions used by the SLCS server.

Display Name            Attribute Name
AAI UniqueID            urn:mace:switch.ch:attribute-def:swissEduPersonUniqueID
Lastname                urn:mace:dir:attribute-def:sn
Firstname               urn:mace:dir:attribute-def:givenName
Email                   urn:mace:dir:attribute-def:mail
Affiliation             urn:mace:dir:attribute-def:eduPersonAffiliation
Home Organization       urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganization
Home Organization Type  urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganizationType

Each attribute has a Display Name, which is the human-readable name of the attribute. The Attribute Name is the SAML name of the attribute as stored in the access control rules.

$Id: WebAdminGuide.html,v 1.3 2007/03/29 10:52:39 tschopp Exp $