The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

VO Policies

From EGIWiki




Introduction

This wiki page intends to clarify the different policies that a VO Administrator must be aware of when setting up and operating a VO.

The full list of EGI policy documents, and the EGI Security Policy Glossary of Terms are available here:


Overview

The following picture provides a snapshot of the established policy hierarchy, giving emphasis to what is important to keep in mind from a VO perspective.


(Figure: Policies Workflow)


The Grid Security Policy

  • The Grid Security Policy is the general grid policy that works as the baseline from which all the others derive. It defines the roles that exist in a grid environment and introduces specific policies defining the responsibilities of each role.
  • The list of defined roles follows. This documentation focuses on the policies defined for the Users and Virtual Organisation Management roles, which are the ones directly involved in VO activities.
  1. Grid Management
  2. Grid Security Officer and Grid Security Operations
  3. Virtual Organisation Management
  4. Users
  5. Site Management
  6. Resource Administrators


Virtual Organisation Management

VO Operations Policy

  • The Virtual Organisation Management bodies are required to abide by the VO Operations Policy. Among a set of expressed duties, important new policies are introduced, especially with regard to VO registration in the grid infrastructure and VO membership management:
  1. The Virtual Organisation Management bodies shall provide and maintain, in a central repository provided by the Grid, accurate contact information as specified in the VO Registration Security Policy. These contacts satisfy the communication requirements for management decisions, security actions and operational issues relating to VO membership and Grid usage, as well as your software and services. The contacts shall respond to enquiries in a timely fashion as defined in the Grid operational procedures giving priority to security problems.
  2. The Virtual Organisation Management bodies shall ensure that a VO membership service is provided in compliance with the VO Membership Management Policy. This shall include the appropriate interfaces and configuration details to allow the generation of authentication, authorization and other identity mapping data for the services running on the Sites. The Virtual Organisation Management bodies shall take reasonable measures to ensure that the information recorded in the membership service is correct and up-to-date.
  3. The Virtual Organisation Management bodies shall define a VO Acceptable Use Policy (VO AUP) and ensure that only individuals who have agreed to abide by the Grid AUP and the VO AUP, and have legitimate rights to membership, may be registered as members of the VO.


  • Other VO Management duties include:
  1. Comply with the Grid security policies and any archival, accounting and logging requirements. VO Management shall periodically assess, at least once per year, its compliance with these policies, inform the Grid Security Officer of any violations encountered in the assessment, and correct such violations forthwith.
  2. VOs are responsible for promptly investigating reports of users failing to comply with the AUPs and for taking appropriate action to ensure compliance in the future.
  3. Ensure that the official VO software does not pose security threats, that access to your databases is secure and is sufficiently monitored, that your stored data are compliant with legal requirements, and that your VO services, including pilot job frameworks, are operated according to the applicable policy documents.
  4. Ensure that logged, archived and membership information is only used for administrative, operational, accounting, monitoring and security purposes. You shall ensure that due diligence is applied in maintaining the confidentiality of such information.
  5. Recognize that the Grid and the Sites may control your access to their resources for administrative, operational and security purposes.
  6. Ensure that any software used by you at a Site for its intended purposes, complies with applicable license conditions and you shall hold such Site free and harmless from any liability with respect thereto.
  7. Acknowledge that any software provided by the Grid is provided on an as-is basis only, and subject to its own license conditions. There is no guarantee that any service operated by the Grid is correct or sufficient for any particular purpose. The Grid, the Sites and other VOs are not liable for any loss or damage in connection with your participation in the Grid.
  8. Comply with the Grid incident response procedures and respond promptly to requests from Grid Security Operations. You shall inform users in cases where their access rights have changed.


Virtual Organization Registration Security Policy

VO REGISTRATION REQUIREMENTS

To satisfy the Grid security requirements the VO registration procedure must capture and maintain at least the following information:

1. VO name. For new VOs this name must conform to the standard described in Appendix A. Existing VOs are not required to change their registered VO name.

2. VO Acceptable Use Policy (see example provided in Appendix B).

3. A signed copy of the VO Operations Policy document.

4. Contact details and certificates for the VO Manager and at least one Alternate:

* Name
* Employing Institute
* VO Role (Manager or Alternate)
* Email address
* Telephone number
* X.509 certificate issued by a Certification Authority approved for use on the Grid

5. A single email address of the security contact point to be used for reports of suspected identity compromises, misuse of resources or other security events related to the VO. Messages to this address should be handled confidentially and promptly.

6. The name of the Site, Infrastructure or other body responsible for running the VO Membership service, together with the URL of one or more VO Membership Servers. If a VO wishes to leave the Grid or the Grid decides to remove the VO, the registration information must be kept by the Grid for a minimum period consistent with the Traceability and Logging Policy. Personal registration information must not be retained for longer than one year. Additional operational requirements may be documented in the Grid-specific document describing the implementation of the VO Registration Procedure.

VO ACCEPTABLE USE POLICY

The VO Acceptable Use Policy (AUP) is a statement which, by clearly describing the goals of the VO, defines the expected and acceptable usage of the Grid by the members of the VO. By requiring that all members of the VO who participate in the Grid agree to act within the constraints of the VO AUP, the VO Manager defines a community of responsible users with a common goal. This definition enables Site Managers to decide whether to allow VO members to use their resources.

The VO AUP must:

* bind VO members to abide by the Grid Acceptable Use Policy.
* state who gives authority to the Policy.



Users

  • Users must be members of one of the registered VOs or application communities. The responsibilities of users include:
  1. Accept and agree to abide by the Grid Acceptable Use Policy and the VO Acceptable Use Policy when they register or renew their VO registration.
  2. Be aware that their work may utilise shared resources and may therefore affect the work of others. They must show responsibility, consideration and respect towards other users in the demands they place on the Grid.
  3. Have a suitable authentication credential issued as approved by the Grid. They must ensure that others cannot use their credentials to masquerade as them or usurp their access rights.
  4. Be held responsible for all actions taken using their credentials, whether carried out personally or not. No intentional sharing of credentials for Grid purposes is permitted.
  5. Be aware that their jobs will often use resources owned by others. They must observe any restrictions on access to resources that they encounter and must not attempt to circumvent such restrictions.
  • Moreover, application software written or selected by users for execution on resources must be directed exclusively to the legitimate purposes of their VO. Such software must respect the autonomy and privacy of the host sites on whose resources it may run.



Grid Acceptable Use Policy

Probably to be removed

GRID ACCEPTABLE USE POLICY

By registering as a Grid user you shall be deemed to accept these conditions of use:

1. You shall only use the Grid to perform work, or transmit or store data consistent with the stated goals, policies and conditions of use as defined by the body or bodies granting you access.

2. You shall not use the Grid for any unlawful purpose and not (attempt to) breach or circumvent any Grid administrative or security controls.

3. You shall respect intellectual property and confidentiality agreements.

4. You shall protect your access credentials (e.g. private keys or passwords).

5. You shall immediately report any known or suspected security breach or misuse of the Grid or access credentials to the incident reporting locations specified by the Grid and to the relevant credential issuing authorities.

6. You must notify the Registrar of any changes to your Registration Information.

7. Use of the Grid is at your own risk. There is no guarantee that the Grid will be available at any time or that it will suit any purpose.

8. Logged information, including information provided by you for registration purposes, is used for administrative, operational, accounting, monitoring and security purposes only. This information may be disclosed, via secured mechanisms, only for the same purposes and only as far as necessary to other organisations cooperating with the Grid. Although efforts are made to maintain confidentiality, no guarantees are given.

9. The access-granting bodies and Resource Providers are entitled to regulate, suspend or terminate your access, within their domain of authority, and you shall immediately comply with their instructions.

10. You are liable for the consequences of violating any of these conditions of use.

Other relevant policies

VO Portal Policy