Published March 11, 2019 | Version v1
Technical note Open

Implementing scalable and consistent authorisation across multi-SP environments (AARC-I047)


  • 1. Karlsruhe Institute of Technology


The purpose of this document is to provide infrastructures with information for efficiently implementing the access restrictions required by individual communities and e-Infrastructures. The suggestions are given within the setting of the AARC BPA. In this scenario, user communities make use of an SP-IdP-Proxy (including User Attribute services) to manage access to resources (end services). The suggestions address two topics. The first is about providing an interoperable schema for expressing authorisation information, which extends the recommendations in AARC-G002 - Expressing group membership and role information and AARC-G027 - Specification for expressing resource capabilities. The second concerns the organisational architecture for conveying authorisation information. All information in this latter area is derived from the more detailed Deliverable DJRA1.2 on authorisation models.



Additional details


AARC2 – Authentication and Authorisation For Research and Collaboration 730941
European Commission