The Credential Delegation Service (CDS) allows a user/service (delegator) to delegate their credential to other users/services (delegatee). The CDS provides a mechanism for users to manage the credentials they have delegated.
Searching for Delegated Credentials
The GAARDS UI provides users a mechanism for monitoring and managing credentials that they have delegated. Users can search for credentials they delegated using the following search criteria:

| Search Criteria | Description |
| --- | --- |
| Delegation Identifier | The unique identifier assigned to the delegated credential by the CDS. |
| Expiration Status | The expiration status of the delegated credential: (1) Valid or (2) Expired |
| Delegation Status | The status of the delegated credential: Pending (the delegated credential has not been approved), Approved (the delegated credential is approved and active), Suspended (access to the delegated credential has been suspended). |

To search for delegated credentials using the GAARDS UI, please complete the following steps:
1. From the top menu bar select MyAccount, then select My Delegated Credentials. This will bring up a window for managing your delegated credentials.
2. From the Delegation Service drop down select the Credential Delegation Service you wish to manage your credentials on.
3. Specify your desired search criteria.
4. Click the Search button.
When the search has completed, the delegated credentials meeting the specified search criteria will be listed in the table below the Search button.
My Delegated Credentials
Viewing a Delegated Credential
To view the details of an individual delegated credential, perform a search as directed above, select the credential you wish to view, and click the View button. This will launch a window containing the details of the delegated credential you selected. The window contains four tabs: (1) General Information, (2) Delegation Policy, (3) Certificate Chain, (4) Auditing. We discuss the information contained in each tab below.
General Information
The General Information tab contains attributes identifying the delegated credential. These attributes are listed in the table below:

| Attribute | Description |
| --- | --- |
| Grid Identity | The identity of the party who owns the credential. |
| Delegation Identifier | A unique identifier assigned to the delegated credential by the CDS. |
| Initiated On | The date that the delegated credential was requested. |
| Approved On | The date that the delegated credential was approved. |
| Expires On | The date that the delegated credential expires. |
| Issued Credential Lifetime | The amount of time that credentials issued by the CDS to third parties will be valid for. |
| Issued Credential Path Length | A path length specifies the length of a credential chain. For example a credential with a length of 2 means that the credential can be delegated to a second party and the second party could in turn delegate the credential to a third party at which point the third party can no longer delegate the credential. The Issued Credential Path Length specifies the path length of the credentials issued to third parties. An Issued Credential Path Length of 0 indicates that the third party may not further delegate the user's credential. |
| Delegation Status | The status of the delegated credential: Pending, Approved, or Suspended. |

The CDS allows users to suspend and re-instate access to their delegated credentials. To update the status of a delegated credential, modify the status and click the Update Status button.
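The path length rule described for the Issued Credential Path Length attribute above can be modelled as a walk along the delegation chain. This is an added example, not code from the CDS or GAARDS; the function names and the party names in the usage are hypothetical, and it assumes a holder can never pass on more hops than it has left.

```python
from typing import List, Tuple


class DelegationNotAllowed(Exception):
    """Raised when a holder with no remaining path length delegates again."""


def remaining_path_lengths(chain: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Walk a delegation chain and return each holder's effective path length.

    chain lists (holder, declared path length), starting with the party that
    holds the credential first. Assumption of this model: the effective value
    is capped at the previous holder's effective value minus one.
    """
    result: List[Tuple[str, int]] = []
    for holder, declared in chain:
        if declared < 0:
            raise ValueError(f"{holder}: path length cannot be negative")
        if not result:
            effective = declared
        else:
            prev_holder, prev_left = result[-1]
            if prev_left == 0:
                # Path length 0: this holder may not delegate any further.
                raise DelegationNotAllowed(
                    f"{prev_holder} has path length 0 and may not delegate to {holder}"
                )
            effective = min(declared, prev_left - 1)
        result.append((holder, effective))
    return result


def can_delegate_further(chain: List[Tuple[str, int]]) -> bool:
    """True if the last holder in the chain still has hops left to hand out."""
    return remaining_path_lengths(chain)[-1][1] > 0
```

With a first holder at path length 2, a second and third party end up with 1 and 0 hops regardless of what they declare, and a fourth hop raises `DelegationNotAllowed`.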
Delegation Policy
The Delegation Policy tab specifies which delegation policy was chosen and the details of that delegation policy. The delegation policy cannot be updated once the credential has been delegated. Viewing the delegation policy provides insight to administrators on who can access their delegated credential.
Certificate Chain
The Certificate Chain tab contains the certificate chain of the delegated credential. You can view an individual certificate in the chain by selecting the certificate and clicking the View Certificate button.
Auditing
For security purposes and to give users insight on the credentials they delegated, the CDS maintains a list of auditing information for each delegated credential. The following is a list of auditing information maintained for each delegated credential:

| Audit Criteria | Description |
| --- | --- |
| Delegation Initiation | Documents when the delegation was initiated. |
| Delegation Approval | Documents when the delegation was approved. |
| Delegation Status Update | Documents when and by whom the status of a delegated credential was changed. |
| Credential Issued | Documents when and to whom a delegated credential was issued. |
| Access Denied to Credential | Documents when access to a delegated credential was denied. |

The GAARDS UI allows users to search the auditing information for their delegated credential based on the following search criteria:

| Criteria | Description |
| --- | --- |
| Reporting Party | The identity of the party that performed or reported the action. |
| Audit Type | The type of auditing information; please consult the table above for the different types. |
| Start Date | The start of a date/time range of when the event occurred. |
| End Date | The end of a date/time range of when the event occurred. |
| Message | Search the content of the Audit Message. |

Using the GAARDS UI, users can search the auditing information by completing the following steps:
1. Select the Audit tab.
2. Enter the desired search criteria; please consult the table above. If no search criteria are specified, all audit records for the user will be returned.
3. Click the "Search" button.
When the search has completed, the audit records meeting your search criteria will be displayed in the table below the Search button. To view the complete details of a specific audit record, select that record in the table and click the View button. This will launch a window containing the complete details of the audit record you selected.
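The audit search described above, modelled offline as an added example (not code from the CDS or GAARDS). The record layout, the case-insensitive substring match on the message, and the sample identities and messages are assumptions constructed for illustration; only the audit type names and the five criteria come from this page.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional

# Audit types as named in the auditing table on this page.
AUDIT_TYPES = {
    "Delegation Initiation", "Delegation Approval", "Delegation Status Update",
    "Credential Issued", "Access Denied to Credential",
}

@dataclass(frozen=True)
class AuditRecord:  # hypothetical record layout, not the CDS schema
    reporting_party: str
    audit_type: str
    occurred: datetime
    message: str

def search_audit(records: Iterable[AuditRecord], reporting_party: Optional[str] = None,
                 audit_type: Optional[str] = None, start: Optional[datetime] = None,
                 end: Optional[datetime] = None,
                 message: Optional[str] = None) -> List[AuditRecord]:
    """Apply the five search criteria. A criterion left as None is not applied,
    so a call with no criteria returns every record."""
    if audit_type is not None and audit_type not in AUDIT_TYPES:
        raise ValueError(f"unknown audit type: {audit_type!r}")
    hits = []
    for r in records:
        if reporting_party is not None and r.reporting_party != reporting_party:
            continue
        if audit_type is not None and r.audit_type != audit_type:
            continue
        if start is not None and r.occurred < start:
            continue
        if end is not None and r.occurred > end:
            continue
        if message is not None and message.lower() not in r.message.lower():
            continue
        hits.append(r)
    return hits

# Constructed sample records (identities, times and messages are made up).
CDS = "/O=Example/CN=cds-host"
SAMPLE = [
    AuditRecord("/O=Example/CN=alice", "Delegation Initiation", datetime(2024, 3, 1, 9, 0), "Delegation initiated"),
    AuditRecord(CDS, "Credential Issued", datetime(2024, 3, 2, 14, 30), "Issued to /O=Example/CN=workflow-svc"),
    AuditRecord(CDS, "Access Denied to Credential", datetime(2024, 3, 3, 2, 12), "Denied /O=Example/CN=unknown-svc"),
    AuditRecord("/O=Example/CN=alice", "Delegation Status Update", datetime(2024, 3, 3, 8, 0), "Status changed to Suspended"),
    AuditRecord(CDS, "Access Denied to Credential", datetime(2024, 3, 3, 8, 5), "Denied /O=Example/CN=workflow-svc"),
]
```

Combining Audit Type with a Start Date and End Date is the quickest way to review denied accesses in a given window, for example those that occurred before the credential was suspended.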