
CDS


Managing Delegated Credentials



Overview

The Credential Delegation Service (CDS) allows a user or service (the delegator) to delegate their credential to other users or services (delegatees). The CDS provides a mechanism for administrators to view and manage all delegated credentials. This guide documents how to manage delegated credentials.

Searching for Delegated Credentials

The GAARDS UI provides administrators with a mechanism for monitoring and managing credentials that have been delegated through the CDS. Administrators can search for delegated credentials using the following search criteria:

Search Criteria | Description
Grid Identity | The Grid Identity of the user that the delegated credential belongs to.
Delegation Identifier | The unique identifier assigned to the delegated credential by the CDS.
Expiration Status | The expiration status of the delegated credential: (1) Valid or (2) Expired.
Delegation Status | The status of the delegated credential:
  • Pending - the delegated credential has not been approved
  • Approved - the delegated credential is approved and active
  • Suspended - access to the delegated credential has been suspended.

To search for delegated credentials using the GAARDS UI, please complete the following steps:

  1. Launch the GAARDS UI.
  2. Login as a CDS administrator.
  3. From the top menu bar select Account Management, then select Delegation Management, then select Manage Delegated Credentials. This will bring up a window for managing delegated credentials.
  4. From the Delegation Service drop down select the Credential Delegation Service you wish to manage your credentials on.
  5. From the Credential drop down select your Grid credential.
  6. Specify your desired search criteria.
  7. Click the Search button.

When the search has completed, the delegated credentials meeting the specified search criteria will be listed in the table below the Search button.

Viewing a Delegated Credential

To view the details of an individual delegated credential, perform a search as directed above, select the credential you wish to view, and click the View button. This will launch a window containing the details of the delegated credential you selected. The window contains four tabs: (1) General Information, (2) Delegation Policy, (3) Certificate Chain, and (4) Auditing. We discuss the information contained in each tab below.

General Information

The General Information tab contains attributes identifying the delegated credential. These attributes are listed in the table below:

Attribute | Description
Grid Identity | The identity of the party who owns the credential.
Delegation Identifier | A unique identifier assigned to the delegated credential by the CDS.
Initiated On | The date that the delegated credential was requested.
Approved On | The date that the delegated credential was approved.
Expires On | The date that the delegated credential expires.
Issued Credential Lifetime | The amount of time that credentials issued by the CDS to third parties will be valid for.
Issued Credential Path Length | A path length specifies the length of a credential chain. For example a credential with a length of 2 means that the credential can be delegated to a second party and the second party could in turn delegate the credential to a third party at which point the third party can no longer delegate the credential. The Issued Credential Path Length specifies the path length of the credentials issued to third parties. An Issued Credential Path Length of 0 indicates that the third party may not further delegate the user's credential.
Delegation Status | The status of the delegated credential: Pending, Approved, or Suspended.

The CDS allows administrators to suspend and reinstate access to delegated credentials. To update the status of a delegated credential, modify the status and click the Update Status button.

Delegation Policy

The Delegation Policy tab specifies which delegation policy was chosen and the details of that delegation policy. The delegation policy cannot be updated once the credential has been delegated. Viewing the delegation policy gives administrators insight into who can access the delegated credential.

Certificate Chain

The Certificate Chain tab contains the certificate chain of the delegated credential. You can view an individual certificate in the chain by selecting the certificate and clicking the View Certificate button.

Auditing

For security purposes and to give administrators insight into a delegated credential, the CDS maintains a list of auditing information for each delegated credential. The following is a list of auditing information maintained for each delegated credential:

Audit Criteria | Description
Delegation Initiation | Documents when the delegation was initiated.
Delegation Approval | Documents when the delegation was approved.
Delegation Status Update | Documents when and by whom the status of a delegated credential was changed.
Credential Issued | Documents when and to whom a delegated credential was issued.
Access Denied to Credential | Documents when access to a delegated credential was denied.

The GAARDS UI allows CDS administrators to search the auditing information for a delegated credential based on the following search criteria:

Criteria | Description
Reporting Party | The identity of the party that performed or reported the action.
Audit Type | The type of auditing information; please consult the table above for the different types.
Start Date | The start of the date/time range in which the event occurred.
End Date | The end of the date/time range in which the event occurred.
Message | Search the content of the Audit Message.

Using the GAARDS UI, administrators can search the auditing information by completing the following steps:

  1. Select the Audit tab.
  2. Enter the desired search criteria; please consult the table above. If no search criteria are specified, all audit records for the user will be returned.
  3. Click the "Search" button.

When the search has completed, the audit records meeting your search criteria will be displayed in the table below the Search button.  To view the complete details of a specific audit record, select that record in the table and click the View button.  This will launch a window containing the complete details of the audit record you selected.
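
One way to review a delegated credential's audit records once they have been copied out of the UI, given as an added example that is not part of the CDS or the GAARDS UI: it replays the trail in time order and flags credentials issued while the delegation was not Approved, plus repeated access denials. The AuditRecord class, the rec helper, the message wording, the identities and the denial threshold are all assumptions; only the audit type and status names come from the tables above.

```python
from dataclasses import dataclass
from datetime import datetime

STATUSES = ("Pending", "Approved", "Suspended")  # delegation statuses from this page

@dataclass
class AuditRecord:  # hypothetical container, not a CDS type
    occurred: datetime
    audit_type: str  # one of the audit criteria listed above
    reporting_party: str
    message: str

def review(records, denied_threshold=2):
    """Replay one credential's audit trail in time order and return findings."""
    findings, status, denied = [], "Pending", 0
    for r in sorted(records, key=lambda item: item.occurred):
        if r.audit_type == "Delegation Approval":
            status = "Approved"
        elif r.audit_type == "Delegation Status Update":
            # Assumption: the message text names the new status last.
            pos = {s: r.message.lower().rfind(s.lower()) for s in STATUSES}
            newest = max(pos, key=pos.get)
            if pos[newest] >= 0:
                status = newest
        elif r.audit_type == "Credential Issued" and status != "Approved":
            findings.append((r.occurred, f"issued while {status}", r.message))
        elif r.audit_type == "Access Denied to Credential":
            denied += 1
            if denied == denied_threshold:
                findings.append((r.occurred, f"{denied} access denials", r.message))
    return findings

def rec(hhmm, audit_type, party, message):
    return AuditRecord(datetime.fromisoformat(f"2024-01-01T{hhmm}"), audit_type, party, message)

# Constructed sample trail: identities and message wording are invented.
ADMIN, CDS, USER = "/O=Example/CN=admin", "/O=Example/CN=cds", "/O=Example/CN=alice"
SAMPLE = [
    rec("09:01", "Delegation Approval", USER, "Delegation approved"),
    rec("10:00", "Credential Issued", CDS, "Issued to /O=Example/CN=workflow"),
    rec("11:00", "Delegation Status Update", ADMIN, "Status changed from Approved to Suspended"),
    rec("11:05", "Access Denied to Credential", CDS, "Denied /O=Example/CN=workflow"),
    rec("11:06", "Access Denied to Credential", CDS, "Denied /O=Example/CN=workflow"),
    rec("11:30", "Credential Issued", CDS, "Issued to /O=Example/CN=workflow"),
    rec("12:00", "Delegation Status Update", ADMIN, "Status changed from Suspended to Approved"),
    rec("12:10", "Credential Issued", CDS, "Issued to /O=Example/CN=workflow"),
]
for when, finding, message in review(SAMPLE):
    print(when.isoformat(), finding, "|", message)
```

A "Credential Issued" record that falls between a suspension and its reinstatement means either the suspension did not take effect or the audit trail is incomplete, and both are worth following up.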

Removing a Delegated Credential

The CDS allows administrators to remove delegated credentials. To remove a delegated credential using the GAARDS UI, complete the following steps:

  1. Launch the GAARDS UI.
  2. Login as a CDS administrator.
  3. From the top menu bar select Account Management, then select Delegation Management, then select Manage Delegated Credentials. This will bring up a window for managing delegated credentials.
  4. From the Delegation Service drop down select the Credential Delegation Service you wish to manage your credentials on.
  5. From the Credential drop down select your Grid credential.
  6. Specify your desired search criteria.
  7. Click the Search button. This will list the delegated credentials meeting your search criteria in the table below the Search button.
  8. Select the delegated credential you wish to remove.
  9. Click the Delete button. This will remove the selected delegated credential.
Last edited by
Sarah Honacki (854 days ago)