At the Real-time Outbreak and Disease Surveillance Laboratory we've completed our first sprint to demonstrate input parameter authorization using the GAARDS infrastructure. In light of the security requirements of our Pennsylvania Ohio Biosurveillance Grid (PA-OH BiG) project when sharing notifiable disease data between health departments, we implemented input parameter authorization in our notifiable disease data grid application using Dorian, Grid Grouper and Introduce. This was motivated by our belief that it would be infeasible to create an additional service or service method (i.e., programming instead of configuring) every time a different set of valid input parameters had to be authorized for a different person or group.
GAARDS (i.e., Dorian and Grid Grouper) already provides authentication, service authorization and method-level authorization, but what we have done allows health departments to maintain extremely fine-grained authorization using the same infrastructure. For example, we can now define a security group that is only allowed to make queries for data generated by bordering counties of a state. This group is defined by Grid Grouper and authentication is maintained using Dorian. Local mappings of user common names or groups to valid input parameters are maintained in the application using the RODS 6 data model.
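The input parameter authorization described above, as an added Python example that is not code from the RODS, PA-OH BiG or caGrid projects: a table maps a caller's common name or group to the parameter values it may pass, and a query is allowed only when one such grant covers all of its parameters. The principal names, counties, diseases, the `GRANTS` table and the `Caller` type are constructed for illustration; the common name and group list are assumed to have been established already by authentication and a group lookup.

```python
from dataclasses import dataclass

ANY = "*"  # wildcard marker used only in this example

# Constructed sample mappings (hypothetical names): each principal, a common name
# or a group, maps to one grant listing the values it may pass per input parameter.
GRANTS = {
    "group:border-county-analysts": {"county": {"Beaver", "Lawrence", "Mercer"},
                                     "disease": {ANY}},
    "cn:Jane Doe": {"county": {"Allegheny"}, "disease": {"pertussis"}},
}


@dataclass(frozen=True)
class Caller:
    common_name: str                 # assumed taken from the authenticated credential
    groups: frozenset = frozenset()  # assumed taken from a group-membership lookup


def grant_covers(grant, query):
    """True only if the query names exactly the grant's parameters with allowed values."""
    if set(query) != set(grant):
        return False  # an omitted or extra parameter could widen the result set
    for name, values in query.items():
        if not values:
            return False  # an empty list must not be read as "everything"
        if ANY not in grant[name] and not set(values) <= grant[name]:
            return False
    return True


def authorize(caller, query):
    """Return the principal whose grant covers the whole query, else None (deny)."""
    principals = ["cn:" + caller.common_name]
    principals += ["group:" + g for g in sorted(caller.groups)]
    for principal in principals:
        grant = GRANTS.get(principal)
        # Each grant is checked on its own: merging grants per parameter would let
        # Jane pair her personal county with the group's wildcard disease.
        if grant is not None and grant_covers(grant, query):
            return principal
    return None
```

Returning the matching principal rather than a bare boolean gives the local node something to write to its audit log alongside the caller's common name.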
We are really liking Dorian because local organizations need not maintain the credentials of foreign users if they have a trust relationship. Local nodes always know who (by common name) is accessing their services and the local nodes maintain local access control to their own data.
BTW: In the process of architecting this we spoke to Justin Permar and the other caGrid folks over at Ohio State University who built Introduce. We thought we needed to modify the Introduce code but they were able to clearly explain why things are set up the way they are. Thanks to OSU.
Sunday, March 29, 2009
1 comment:
great post, thank you for sharing this!!!