caGrid provides support for CSM-based authorization. To decide if CSM-based authorization is appropriate for the needs of a particular caGrid service, you should understand the CSM Authorization Model.
Here are the different types of support that caGrid provides for CSM:
- CSM can be used to authorize access to an entire service or to a particular method. You can use Introduce to configure caGrid services to use this coarse-grained authorization.
- CSM can be used to authorize access to individual objects or records using the CQL_CSM library. This type of security is called instance-level authorization. It is described in more detail in the Overview of CQL_CSM library.
- There is a CSM Service and companion GAARDS-based UI that can be used to administer CSM-based policies and to integrate CSM with GridGrouper user groups. This is described in more detail in the Overview of CSM Service and GAARDS client.
The caGrid components that provide this support for CSM are compatible with software components provided by the CSM project (CSM-API and UPT). However, there are disadvantages to using these software components, which were not specifically designed for use with caGrid.
Software components that are built specifically for caGrid have some significant advantages. They are easier to integrate and provide stronger instance-level security. We recommend using them with caGrid services instead of CSM-API and UPT. This is discussed in more detail at Disadvantages of using CSM-API or UPT with caGrid services. The recommended architectural approaches for combining CSM security with caGrid services are described in the Architecture Guide.