Define entitlement syntax to allow account sponsors to control resource access
We need a syntax to communicate entitlements for accounts. This will primarily control sponsored guest accounts, however, it could be a general mechanism to communicate access across research computing system services.
A proposal is to use a URL-like syntax for easy-to-read expressions. For example, an entitlement syntax like:
uri://[service.]domain/[service|scope]/[action]
This allows an expression like the following, which lets an account use all of the services in our domain, potentially at a default authz level:
It could allow a more constrained entitlement for a specific service like:
https://gitlab.rc.uab.edu https://cheaha.rc.uab.edu https://cloud.rc.uab.edu
The service and scope could also come into play as a way to associate membership in a specific group on a specific service:
https://gitlab.rc.uab.edu/group/lab-abc
These are just some ideas, but the above examples can lead to some ambiguous expressions.
It may be helpful to understand how other systems express entitlements so that we build on a more precise foundation.
Here are some examples of entitlements used in:
- Apple OSes
- AWS Entitlement Service
- NetIQ. These have more of an XML flavor, which may be familiar from a SAML context.