SPG:Drafts:VO Membership Management
- 1 VIRTUAL ORGANISATION MEMBERSHIP MANAGEMENT POLICY: INTRODUCTION
This policy defines the minimum requirements on Virtual Organisation (VO) Managers for managing the members of their VOs.
- 2 SCOPE AND AUDIENCE
This document is aimed primarily at VO Managers. It defines the checks VO Managers must make to verify the eligibility of their members to join and to remain in the VO. These are independent of the implementation of the underlying technology. It does not address the security requirements for running the actual VO Membership service. The VO Manager does not necessarily have to be a member of the VO or to have signed and agreed to the VO AUP. This function may be performed by a member of a Grid or Site operations team as a service for the VO.
- 3 DEFINITIONS
Data supplied by the user:
- Personal user data:
  - Family Name,
  - Given Name,
  - Institute name, i.e. the user's employing institute (this is required if the user's membership eligibility derives from his/her institutional affiliation),
  - Contact Phone number (this is optional, but the VO Manager may need to contact the user promptly during investigation of security incidents).
- Registration Data: Authentication (AuthN) related information:
  - Personal user data,
  - Email address,
  - Distinguished Name (DN) extracted from a valid personal digital certificate issued by his/her Certification Authority (CA).

Other relevant terms:
- VO Database: Authorisation (AuthZ) related information, i.e. the user's role(s) in the VO, is stored in this database. His/her access rights to a resource and to data stored at it will depend on this information.
- VO Manager: The responsible person recording in the VO Database, after appropriate checks, the status of a member of the VO, i.e. performing user entries, assignment of roles, information updates and user removals. The VO management function can be performed by a group of persons delegated by the VO Manager. The VO Manager does not necessarily have to be a member of the VO or to have signed and agreed to the VO AUP. This function may be performed by a member of a Grid or Site operations team as a service for the VO. All VO Managers must comply with the requirements of this policy.
- Institute Representative (IR): If appointed, this person at the user's employing institute is able to check the validity of his/her data and confirm the identity of the user and his/her right to become or remain a member of a VO.
- VO Registration Information: Data stored by the Grid describing information about the VO.
- 4 MEMBERSHIP MANAGEMENT REQUIREMENTS
The VO must appoint a VO manager and at least one deputy who are responsible for implementing procedures meeting the requirements of this policy. These are important roles which carry operational responsibilities; non-responsiveness of the VO manager or deputies may lead to the suspension of the VO from the Grid. The VO membership management procedures must ensure that:
- only individuals who have agreed to abide by the VO AUP are registered as members of the VO,
- accurate Registration Data is maintained for all VO members.
Membership of a VO is not necessarily restricted to real persons. Hosts, Services and/or Robots (unattended automated processes acting on behalf of the VO) may also be registered in the VO. In the case of these non-personal registrations, the Registration Data must include the personal details of the real person requesting registration and assuming ongoing responsibility for the entity. The VO Manager must publish a description of the methods used to verify user data at registration time and periodically review users' affiliation with the VO according to the requirements in the following sub-sections.
- 4.1 Appointment of the VO Manager
The VO should determine how it appoints and replaces its VO manager and deputies.
- 4.2 Membership Registration
Membership Registration is the process by which people first join the VO. An important objective of this process is to collect the user’s Registration Data. Accurate Registration Data must be maintained for all VO members. VO Managers must check the validity of the user Registration Data and check the user's eligibility for special authorisation (Groups/Roles). Replication of Personal user data and multiple validation and authentication should be avoided so that Grid users register only once with each VO and their Registration Data are checked only in a single place. The procedures must unambiguously assign the individuals who take responsibility for the validity of the Registration Data provided, and those with the authority to exercise control over the rights of the user to use Grid resources. This may include an Institute Representative, as defined above, and/or Site Managers.
- 4.3 Acceptable Use Policy
An important purpose of the registration process is to record the explicit acceptance by the user of the Grid AUP and the VO AUP as well as the acceptance, by the user, that part of his/her information including Personal user data may be made available to the Sites and Grid Operations.
- 4.4 Membership Renewal
The membership renewal process must include:
- Confirmation, by the VO Manager, that continued membership of the VO is still allowed,
- Confirmation or update of all data provided during registration and all special authorisations,
- Reaffirmed acceptance by the user of the Grid AUP and the VO AUP.

Membership of the VO must be renewed at least every 12 months. Additionally, all members of the VO should renew following a major change to the Grid Acceptable Use Policy.
- 4.5 Membership Removal
The following conditions should trigger a timely re-evaluation of the user's right to remain a member of a given VO:
- User or IR request. Ideally, the user should be able to remove themselves from the VO without involvement of the VO Manager,
- Renewal failed to complete in the allotted time,
- End of collaboration between the user's institute and the VO, if applicable,
- End of collaboration between the user and the VO,
- End of collaboration between the user and his/her institute, if applicable.

Note that some VOs may not maintain relationships with institutes. The fact that the VO does not maintain relationships with institutes should be recorded in the VO Registration Information.
- 4.6 Membership Suspension