Resource Rights Architecture

Scalable authorization for autonomous scientific agents

Agent accessing federated resources with resource rights

Scientific cyberinfrastructure is undergoing a fundamental transformation as autonomous AI agents become active participants in scientific discovery. Rather than serving solely as interactive assistants, these agents increasingly design simulations, analyze experimental results, orchestrate workflows, control laboratory instruments, and coordinate complex computational campaigns.

The challenge: Existing authorization mechanisms were designed for direct human interaction with individual resources. They do not scale naturally to machine-mediated science where thousands of agents act on behalf of researchers across federated facilities.

A potential solution: The Resource Rights Architecture treats authority as an explicit, measurable, delegable, and revocable object—independent of the identity currently exercising it. Resource rights represent the authority to consume or manipulate scientific resources: computational allocations, storage capacity, instrument time, repository access, workflow execution, and AI services.


Documents

Resource Rights Architecture

The main paper

Presents the resource rights abstraction and the federated authorization model in which allocation authorities issue resource rights, scientists delegate bounded subsets to autonomous agents, and resource providers authorize requests by validating presented rights against local policy.

Key topics: Resource rights model, delegation chains, runtime authorization, security properties, threat model

Delegation Service Specification

Technical specification

Detailed specification of the Delegation Service that manages resource right delegation chains, validates constraints, and provides runtime authorization decisions for autonomous agents operating within scientific cyberinfrastructure.

Key topics: API specification, delegation protocol, constraint validation, revocation handling

ALCF Implementation Design

DOE facility deployment

Implementation design for deploying the Resource Rights Architecture at the Argonne Leadership Computing Facility (ALCF), showing how the architecture integrates with existing DOE identity management, allocation systems, and HPC schedulers.

Key topics: ALCF integration, PBS hooks, Globus Auth, allocation mapping


Prototype Implementation

A reference implementation of the core Delegation Service is available:

Delegation Service Prototype

Python implementation demonstrating delegation chain validation, constraint propagation, and runtime authorization queries. Includes test suite and example delegation scenarios.

ResourceRights/prototype/
├── src/                    # Core implementation
├── tests/                  # Test suite  
├── delegations.json        # Example delegation chains
├── pyproject.toml          # Package configuration
└── README.md               # Setup and usage guide

Quick start:

cd prototype
pip install -e .
pytest                      # Run tests

Key Concepts

Concept Description
Resource Right A transferable token representing bounded authority over a scientific resource
Delegation Chain A sequence of delegations from an allocation authority through intermediaries to an agent
Constraint Narrowing Each delegation may only narrow (never expand) the constraints of its parent
Runtime Authorization Resource providers validate presented rights against local policy at request time
Revocation Any link in a delegation chain can be revoked, immediately invalidating all downstream rights

Architecture Overview

flowchart LR
    subgraph "Allocation Authority"
        AA[Allocation<br>Authority]
    end
    
    subgraph "Scientists"
        S1[Principal<br>Investigator]
        S2[Team<br>Member]
    end
    
    subgraph "Agents"
        A1[Analysis<br>Agent]
        A2[Workflow<br>Agent]
    end
    
    subgraph "Resources"
        R1[HPC<br>System]
        R2[Storage]
        R3[Instruments]
    end
    
    AA -->|"issue"| S1
    S1 -->|"delegate"| S2
    S1 -->|"delegate"| A1
    S2 -->|"delegate"| A2
    
    A1 -.->|"present rights"| R1
    A1 -.->|"present rights"| R2
    A2 -.->|"present rights"| R3

The architecture separates identity, authority, policy, and accounting into independent concerns:


This architecture builds on concepts from:

See the Related Work section in the main paper for detailed discussion.


Contact

For questions or collaboration inquiries, contact the authors through the Agents for Science community.