SPG:Drafts:VO Membership Management
- 1 VIRTUAL ORGANISATION MEMBERSHIP MANAGEMENT POLICY: INTRODUCTION
This policy defines the minimum requirements on Virtual Organisation (VO) Managers for managing the members of their VOs.
- 2 SCOPE AND AUDIENCE
This document is aimed primarily at VO Managers. It defines the checks VO Managers must make to verify the eligibility of their members to join and to remain in the VO. These are independent of the implementation of the underlying technology. It does not address the security requirements for running the actual VO Membership service. The VO Manager does not necessarily have to be a member of the VO or to have signed and agreed to the VO AUP. This function may be performed by a member of a Grid or Site operations team as a service for the VO.
- 3 DEFINITIONS
Data supplied by the user:
• Personal user data:
  o Family Name,
  o Given Name,
  o Institute name, i.e. the user's employing institute (this is required if the user's membership eligibility derives from his/her institutional affiliation),
  o Contact Phone number (this is optional, but the VO Manager may need to contact the user promptly during investigation of security incidents).
• Registration Data: Authentication (AuthN) related information:
  o Personal user data,
  o Email address,
  o DistinguishedName (DN) extracted from a valid personal digital certificate issued by his/her Certification Authority (CA).

Other relevant terms:
• VO Database: Authorisation (AuthZ) related information, i.e. the user's role(s) in the VO, is stored in this database. His/her access rights to a resource and on data stored at it will depend on this information.
• VO Manager: The responsible person recording in the VO Database, after appropriate checks, the status of a member of the VO, i.e. performing user entries, assignment of roles, information updates and user removals. The VO management function can be performed by a group of persons delegated by the VO Manager. The VO Manager does not necessarily have to be a member of the VO or to have signed and agreed to the VO AUP. This function may be performed by a member of a Grid or Site operations team as a service for the VO. All VO Managers must comply with the requirements of this policy.
• Institute Representative (IR): If appointed, this person at the user's employing institute is able to check the validity of his/her data and confirm the identity of the user and his/her right to become or remain a member of a VO.
• VO Registration Information: Data stored by the Grid describing information about the VO.
- 4 MEMBERSHIP MANAGEMENT REQUIREMENTS