• DocumentCode
    469558
  • Title

    Distributed policy framework across multiple grid domains

  • Author

    Ciaschini, Vincenzo ; Ferraro, Andrea ; Forti, Alberto ; Ghiselli, Antonia ; Venturi, Valerio ; Gianoli, Alberto ; Luppi, Eleonora ; Stagni, Federico ; Tomassetti, Luca

  • Author_Institution
    CNAF-INFN, Bologna
  • Volume
    1
  • fYear
    2007
  • fDate
    Oct. 26 2007-Nov. 3 2007
  • Firstpage
    892
  • Lastpage
    897
  • Abstract
    A key feature of a grid environment is the sharing of computing and storage: users operate on resources not directly owned by them. Often users working on the same research project are grouped in a virtual organization (VO) to use a common authorization policy on these resources. Many international experiments, however, use different Grid middleware platforms with their own authorization framework. This leads to interoperability problems for scientists of the same experiment, using their national Grid infrastructure. Usually VOs and resource providers share contracts to regulate resource usage. The enforcement of such arrangements needs an agreed interoperable authorization mechanism based on policies that can be written by VOs and resource providers. This process can be applied using a flexible and distributed policy framework, where complex relationships can be enforced by managing both policies created by VOs and policies created by Grid sites. The G-PBox policy framework, in conjunction with the VOMS Attribute Authority, is our proposal to represent, manage and distribute such policies in a transparent way. The G-PBox approach is based on a set of XACML policy databases belonging separately to VOs and resource providers, each containing at least the policies regarding its own organization. In this paper we describe how VO-oriented tools like VOMS and G-PBox can be deployed across different VOs and resource providers. It will show how VO managers and site administrators can set up agreed policies for resource sharing optimization and experiment computing prioritization, making best use of their time and resources. It will also underline that the adoption of Grid assertion and policy standards, such as SAML and XACML, provides an effective advantage in allowing accepted authentication and authorization interoperability among services of different Grid domains based on different mechanisms.
  • Keywords
    authorisation; grid computing; high energy physics instrumentation computing; open systems; G-PBox policy; SAML; VOMS attribute authority; XACML policies; authorization policy; distributed policy framework; grid infrastructure; grid middleware platforms; interoperability; multiple grid; virtual organization; Authorization; Contracts; Distributed computing; Grid computing; Information security; Middleware; Nuclear and plasma sciences; Proposals; Resource management; Service oriented architecture; Grid; authorization; interoperability; security;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Nuclear Science Symposium Conference Record, 2007. NSS '07. IEEE
  • Conference_Location
    Honolulu, HI
  • ISSN
    1095-7863
  • Print_ISBN
    978-1-4244-0922-8
  • Electronic_ISBN
    1095-7863
  • Type

    conf

  • DOI
    10.1109/NSSMIC.2007.4436471
  • Filename
    4436471