The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Difference between revisions of "VO Policies"

From EGIWiki
(203 intermediate revisions by 4 users not shown)
Line 1: Line 1:
= VO Policies =
{{Template:Op menubar}} {{Template:Doc_menubar}} {{TOC_right}}


[[File:VO_Policy_Workflow.jpg|right]]
= Introduction  =


The Virtual Organisations (VO) , like every site partipating in the Grid autonomously owns and follows their own local security policies. This policies are established by setting out by additional specific requirements.  
This wiki page intends to clarify the different policies of which a VO Administrator must be aware while setting up and operating a VO integrated in the EGI.  


This page was set in order to help VO's trough the VO policies they must follow including the registration process. The workflow they must follow is show on the right picture and the necessary documents are:
#VO managers should read the <big>'''[https://documents.egi.eu/document/77 VO Operations Policy]'''</big> to understand their duties
#VO managers should read and be aware of the <big>'''[https://documents.egi.eu/public/ShowDocument?docid=85 Grid Policy on the Handling of User-Level Job Accounting Data]'''</big>
#VO managers should follow the <big>'''[[PROC14|VO Registration Procedure]]'''</big> while registering the VO in the EGI Operations Portal to make sure that the <big>'''[https://documents.egi.eu/document/78 VO Registration Security Policy]'''</big> is fulfilled.
#VO Managers should deploy a VO membership service (like the gLite VOMS) fulfilling all the requirements defined in the <big>'''[https://documents.egi.eu/document/79 VO Membership Management Policy]'''</big>.
#The VO Managers must define a <big>'''VO Acceptable Use Policy (VO AUP)'''</big> and ensure that only individuals who have agreed to abide by the <big>'''[https://documents.egi.eu/document/74 Grid Acceptable Use Policy (Grid AUP)]'''</big> and the <big>'''VO AUP'''</big>, and have legitimate rights to membership, may be registered as members of the VO.


*[https://documents.egi.eu/document/86 Grid Security Policy]
<br>


*[https://documents.egi.eu/document/75 Virtual Organization Operation Policy]
= Overview  =


*[https://documents.egi.eu/document/78 Virtual Organisation Registration Security Policy]
The following picture provides a snapshot of the established policies hierarchy giving emphasis to what is important to have in mind from a VO perspective.  


*[https://documents.egi.eu/document/81 Traceability and Logging Policy]
<br>


*[https://documents.egi.eu/document/79 Virtual Organization Membership Management Policy]
[[Image:Policies Workflow.png|center|900px|Policies Workflow.png]]  


*[https://documents.egi.eu/document/74 Grid Acceptable Use Policy]
<br>


*[https://documents.egi.eu/document/278 VO Registration Process]
#The <big>[https://documents.egi.eu/document/86 '''Grid Security Policy''']</big> defines the different roles existing under a grid environment. Among those, there are the ''VO Management'' and the ''VO Users''.
#VO Managers, before starting operating, should be aware of all their duties described under the <big>'''[https://documents.egi.eu/document/77 VO Operations Policy]'''</big>.
#Among the most important duties, VO Managers should follow the <big>'''[[PROC14 VO Registration|EGI VO registration procedure]]'''</big> to register the VO in the EGI Operation Portal and the EGI central repository. That procedure ensures that the necessary and mandatory information is provided, in coherence with the definitions imposed by the <big>'''[https://documents.egi.eu/document/78 VO Registration Security Policy]'''</big>.
#The VO Managers must define a <big>'''VO Acceptable Use Policy (VO AUP)'''</big> and ensure that only individuals who have agreed to abide by the <big>'''[https://documents.egi.eu/document/74 Grid Acceptable Use Policy (Grid AUP)]'''</big> and the <big>'''VO AUP'''</big>, and have legitimate rights to membership, are registered as members of the VO.
#VO Managers should deploy a VO membership service provided in compliance with the <big>'''[https://documents.egi.eu/document/79 VO Membership Management Policy]'''</big>. Examples of such services available in EGI is the gLite Virtual Organisation Management Services (gLite VOMS).


= [https://documents.egi.eu/public/RetrieveFile?docid=86&version=7&filename=EGI-SPG-SecurityPolicy-V1_0.pdf GRID SECURITY POLICY] =
More detailed explanations regarding EGI policies and their dependencies relevant to VOs activities are presented in the following sections.  


<br>


Every site participating in the Grid autonomously owns and follows their own local security policies with respect to the system administration and networking of all the resources they own, including resources which are part of the Grid. This policy augments local policies by setting out additional Grid-specific requirements.
= The Grid Security Policy  =


*The <big>[https://documents.egi.eu/document/86 '''Grid Security Policy''']</big> is the general grid policy working as baseline from which all others derive. It defines the existing roles under a grid environment and introduces specific policies defining the responsabilities for each role.


*The list of defined roles follows. This documentation will focus on the defined policies proposed for the '''Users''' and '''Virtual Organisation Management''' roles which are the ones involved directly in VO activities.


== Virtual Organisation Management ==
#Grid Management
#Grid Security Officer and Grid Security Operations
#'''Virtual Organisation Management'''
#'''Users'''
#Site Management
#Resource Administrators


The responsibilities of the VO management include:
<br>


=== VO Security Policies ===
== Virtual Organisation Managers duties  ==


VOs are required to abide by the Virtual Organisation Operations Policy [9] and the Virtual
*The duties and responsibilities of the VO managers are clearly stated in the <big>[https://documents.egi.eu/document/77 '''VO Operations Policy''']</big>, presented in detail [[VO Policies#VO_Operations_Policy_below]].
Organisation Registration Security Policy [2]. They must have a VO Acceptable Use Policy (AUP)
and ensure that only individuals who have agreed to abide by the Grid AUP [1] and the VO AUP are
registered as members of the VO.


=== User Registration and VO Membership Service ===
<br>


The user registration procedure of the VO is required to be consistent with the Virtual Organisation
== Users duties  ==
Membership Management Policy [8]. Approval to join the VO must be restricted to individuals who
are recognised as having legitimate rights to membership and who agree to be bound by the AUPs. A
VO membership service must be provided with appropriate interfaces to generate authentication,
authorization and other identity mapping data for the services running on the sites. VOs are required to
maintain the accuracy of the information held and published about their members, and to promptly
remove individuals who lose their right to such membership.


=== VO‐specific Resources ===
*Users must be members of one of the registered VOs or application communities. The responsibilities of users include:


VOs are responsible for ensuring that their software does not pose security threats, that access to their
#Accept and agree to abide by the <big>'''[https://documents.egi.eu/document/74 Grid Acceptable User Policy]'''</big> and the <big>'''VO Acceptable User Policy'''</big> when they register or renew their VO registration.
databases is secure and is sufficiently monitored, that their stored data are compliant with legal
#Be aware that their work may utilise shared resources and may therefore affect the work of others. They must show responsibility, consideration and respect towards other users in the demands they place on the Grid.
requirements, and that VO-specific services are properly monitored and do not compromise sites or
#Have a suitable authentication credential issued as approved by the Grid. They must ensure that others cannot use their credentials to masquerade as them or usurp their access rights.
resources.
#Be held responsible for all actions taken using their credentials, whether carried out personally or not. No intentional sharing of credentials for Grid purposes is permitted.
=== Applying Sanctions to Users ===
#Be aware that their jobs will often use resources owned by others. They must observe any restrictions on access to resources that they encounter and must not attempt to circumvent such restrictions.  
VOs are responsible for promptly investigating reports of users failing to comply with the AUPs and
#Write and use application software directed exclusively to the legitimate purposes of their VO. Such software must respect the autonomy and privacy of the host sites on whose resources it may run.
for taking appropriate action to ensure compliance in the future, as defined in section 6.


== Users ==
<br>


All users must be members of one of the registered VOs or application communities.
= VO Operations Policy  =
The responsibilities of users include:


=== Acceptable Use ===
*The Virtual Organisation Management bodies are required to abide by the <big>[https://documents.egi.eu/document/77 '''VO Operations Policy''']</big>. Among a set of expressed duties, new important policies are introduced specially to what regards VO registrations in the grid infrastructure and VO membership management:


*Users must accept and agree to abide by the Grid Acceptable Use Policy [1] and the VO AUP when they register or renew their registration with a VO.
#The Virtual Organisation Management bodies shall provide and maintain, in a central repository provided by the Grid (EGI Operations Portal), accurate contact information as specified in the <big>'''[https://documents.egi.eu/document/78 VO Registration Security Policy]'''</big>. These contacts satisfy the communication requirements for management decisions, security actions and operational issues relating to VO membership and Grid usage, as well as your software and services. The contacts shall respond to enquiries in a timely fashion as defined in the Grid operational procedures giving priority to security problems. The steps to register a VO in the EGI Operations Portal are explained in detail in the <big>'''[[PROC14|EGI VO Registration Procedure]]'''</big>.  
*Users must be aware that their work may utilise shared resources and may therefore affect the work of others. They must show responsibility, consideration and respect towards other users in the demands they place on the Grid.
#The Virtual Organisation Management responsibles shall ensure that a VO membership service is provided in compliance with the <big>'''[https://documents.egi.eu/document/79 VO Membership Management Policy]'''</big>. This shall include the appropriate interfaces and configuration details to allow the generation of authentication, authorization and other identity mapping data for the services running on the Sites. The Virtual Organisation Management responsibles shall take reasonable measures to ensure that the information recorded in the membership service is correct and up-to-date. Example of such service available in EGI infrastructure is the gLite Virtual Organisation Management Services (gLite VOMS).  
*Users must have a suitable authentication credential issued as approved by the Grid. They must ensure that others cannot use their credentials to masquerade as them or usurp their access rights.
#The Virtual Organisation Management bodies shall define a <big>'''VO Acceptable Use Policy (VO AUP)'''</big> and ensure that only individuals who have agreed to abide by the <big>'''Grid Acceptable Use Policy (Grid AUP)'''</big> and the VO AUP, and have legitimate rights to membership, may be registered as members of the VO.
*Users may be held responsible for all actions taken using their credentials, whether carried out personally or not. No intentional sharing of credentials for Grid purposes is permitted.
*Users must be aware that their jobs will often use resources owned by others. They must observe any restrictions on access to resources that they encounter and must not attempt to circumvent such restrictions.
*Application software written or selected by users for execution on resources must be directed exclusively to the legitimate purposes of their VO. Such software must respect the autonomy and privacy of the host sites on whose resources it may run.


*Other VO Organisation duties Management include:


'''Other policies related to site management and resource administration are also addressed in the [https://documents.egi.eu/public/RetrieveFile?docid=86&version=7&filename=EGI-SPG-SecurityPolicy-V1_0.pdf Grid Security Policy Document]'''
#Comply with the Grid security policies and any archival, accounting and logging requirements defined under the [https://documents.egi.eu/document/81 Grid Security Traceability and Logging Policy]. VO Organisation Management shall periodically assess, at least once per year, your compliance with these policies and inform the Grid Security Officer of any violations encountered in the assessment, and correct such violations forthwith.
#VOs are responsible for promptly investigating reports of users failing to comply with the AUPs and for taking appropriate action to ensure compliance in the future.
#Ensure that the official VO software does not pose security threats, that access to your databases is secure and is sufficiently monitored, that your stored data are compliant with legal requirements, and that your VO services, including pilot job frameworks, are operated according to the applicable policy documents.
#Ensure that logged, archived and membership information is only used for administrative, operational, accounting, monitoring and security purposes. You shall ensure that due diligence is applied in maintaining the confidentiality of such information.
#Recognize that the Grid and the Sites may control your access to their resources for administrative, operational and security purposes.
#Ensure that any software used by you at a Site for its intended purposes, complies with applicable license conditions and you shall hold such Site free and harmless from any liability with respect thereto.
#Acknowledge that any software provided by the Grid is provided on an as-is basis only, and subject to its own license conditions. There is no guarantee that any service operated by the Grid is correct or sufficient for any particular purpose. The Grid, the Sites and other VOs are not liable for any loss or damage in connection with your participation in the Grid.
#Comply with the [https://documents.egi.eu/document/47 Grid incident response procedures] and the [https://documents.egi.eu/document/82 Grid Incident Response Policy], and respond promptly to requests from Grid Security Operations. You shall inform users in cases where their access rights have changed.


= [https://documents.egi.eu/public/RetrieveFile?docid=77&version=5&filename=EGI-SPG-VOOperations-V1_0.pdf VIRTUAL ORGANISATION OPERATIONS POLICY]=
<br>


* You shall provide and maintain, in a central repository provided by the Grid, accurate contact information as specified in the VO Registration Policy. These contacts satisfy the communication requirements for management decisions, security actions and operational issues relating to VO membership and Grid usage, as well as your software and services. The contacts shall respond to enquiries in a timely fashion as defined in the Grid operational procedures giving priority to security problems.
= Grid Policy on the Handling of User-Level Job Accounting Data  =


* You shall comply with the Grid security policies, the VO AUP and any archival, accounting and logging requirements. You shall periodically assess, at least once per year, your compliance with these policies and inform the Grid Security Officer of any violations encountered in the assessment, and correct such violations forthwith.
This document addresses the handling of accounting data resulting from the execution of jobs on the Grid. It does not cover any other forms of accounting or monitoring data.  


* You shall ensure that a VO membership service is provided in compliance with the VO Membership Management Policy. This shall include the appropriate interfaces and configuration details to allow the generation of authentication, authorization and other identity mapping data for the services running on the Sites. You shall take reasonable measures to ensure that the information recorded in the membership service is correct and up-to-date.
The document is aimed at EU-based Grids and more specifically at:


* You are responsible for ensuring that your software does not pose security threats, that access to your databases is secure and is sufficiently monitored, that your stored data are compliant with legal requirements, and that your VO services, including pilot job frameworks, are operated according to the applicable policy documents.
#Site Managers to allow them to share user-level job accounting with the Grid, for the purposes described below.
#VO Resource Managers and the Grid Operations personnel who have access to the user-level accounting from more than one site.


* You shall ensure that logged, archived and membership information is only used for administrative, operational, accounting, monitoring and security purposes. You shall ensure that due diligence is applied in maintaining the confidentiality of such information.
= VO Registration Security Policy  =


* You recognize that the Grid and the Sites may control your access to their resources for administrative, operational and security purposes.
*The requirements imposed by the <big>'''[https://documents.egi.eu/document/78 Virtual Organization Registration Security Policy]'''</big> are defined to capture and maintain the following information:


* You shall ensure that any software used by you at a Site for its intended purposes, complies with applicable license conditions and you shall hold such Site free and harmless from any liability with respect thereto.
#VO name
#VO Acceptable Use Policy
#Contact details and certificates for the VO Manager and at least one deputy: Name, Employing Institute, VO Role (Manager or Alternate), Email address, Telephone number, X.509 certificate issued by a Certification Authority approved for use on the Grid
#A single email address of the security contact point to be used for reports of suspected identity compromises, misuse of resources or other security events related to the VO. Messages to this address should be handled confidentially and promptly.
#The name of the Site, Infrastructure or other body responsible for running the VO Membership service, together with the URL of one or more VO Membership Servers.


* Any software provided by the Grid is provided on an as-is basis only, and subject to its own license conditions. There is no guarantee that any service operated by the Grid is correct or sufficient for any particular purpose. The Grid, the Sites and other VOs are not liable for any loss or damage in connection with your participation in the Grid.
*VO Managers should follow the <big>'''[[PROC14|EGI VO registration procedure]]'''</big> to register the VO in the EGI Operation Portal, the EGI central repository. That procedure ensures that the necessary and mandatory information is provided, in coherence with the definitions imposed by the current policy.


* You shall comply with the Grid incident response procedures and respond promptly to requests from Grid Security Operations. You shall inform users in cases where their access rights have changed.
*The policy also determines that, if a VO wishes to leave the Grid or the Grid decides to remove the VO, the registration information must be kept by the Grid for a minimum period consistent with the [https://documents.egi.eu/document/81 Grid Traceability and Logging Policy]. Personal registration information must not be retained for longer than one year.


* Disputes resulting from your participation in the Grid shall be resolved according to the Grid escalation procedures.
<br>


=[https://documents.egi.eu/public/RetrieveFile?docid=78&version=6&filename=EGI-SPG-VORegistration-V1_0.pdf VIRTUAL ORGANISATION REGISTRATION SECURITY POLICY]=
= VO Membership Management Policy  =


*The <big>'''[https://documents.egi.eu/document/79 VO Membership Management Policy]'''</big> defines the minimum requirements on VO Managers for managing the members of their VOs. It defines the data that must be supplied by the user, and the checks VO Managers must make to verify the eligibility of their members to join and to remain in the VO.


2 VO REGISTRATION REQUIREMENTS
*The gLite Virtual Organisation Management Services (gLite VOMS) is one of the services which fulfils all the requirements described in the <big>'''[https://documents.egi.eu/document/79 VO Membership Management Policy]'''</big>, and depicted hereafter.
To satisfy Grid security requirements a VO registration procedure must capture and maintain at least
the following information:
1. VO name. For new VOs this name must conform to the standard described in Appendix A.
Existing VOs are not required to change their registered VO name.


2. VO Acceptable Use Policy (see example provided in Appendix B).
<br>


3. A signed copy of the  [https://documents.egi.eu/document/77 VO Operations Policy]
== Requirements on data supplied by the user ==
document.


4. Contact details and certificates for the VO Manager and at least one Alternate:
*The user, at registration time, must supply the following information '''Personal Data''':
o Name
o Employing Institute
o VO Role (Manager or Alternate)
o Email address
o Telephone number
o X.509 certificate issued by a Certification Authority approved for use on the Grid


5. A single email address of the security contact point to be used for reports of suspected identity
#Personal user data:
compromises, misuse of resources or other security events related to the VO. Messages to this
#Family Name,
address should be handled confidentially and promptly.
#Given Name,
#Institute name, i.e. the user’s employing institute (this is required if the user's membership eligibility derives from his/her institutional affiliation)
#Contact Phone number (this is optional, but the VO Manager may need to contact the user promptly during investigation of security incidents)


6. The name of the Site, Infrastructure or other body responsible for running the VO Membership service, together with the URL of one or more VO Membership Servers.
*The following '''Registration Data''' should be also provided / offered by the user:
If a VO wishes to leave the Grid or the Grid decides to remove the VO, the registration information must be kept by the Grid for a minimum period consistent with the [https://documents.egi.eu/document/81 Traceability and Logging Policy]. Personal registration information must not be retained for longer than one year. Additional operational requirements may be documented in the Grid-specific document describing the implementation of the VO Registration Procedure.


3 VO ACCEPTABLE USE POLICY
#Personal user data,
The VO Acceptable Use Policy (AUP) is a statement which, by clearly describing the goals of the VO, defines the expected and acceptable usage of the Grid by the members of the VO. By requiring that all members of the VO who participate in the Grid agree to act within the constraints of the VO AUP the VO Manager defines a community of responsible users with a common goal. This definition enables Site Managers to decide whether to allow VO members to use their resources.
#Email address,
#Distinguished Name (DN) extracted from a valid personal digital certificate issued by his/her Certification Authority (CA).


The VO AUP must:
<br>
*bind VO members to abide by the [https://documents.egi.eu/document/74 Grid Acceptable Use Policy].
*state who gives authority to the Policy


= [https://documents.egi.eu/public/RetrieveFile?docid=78&version=6&filename=EGI-SPG-VORegistration-V1_0.pdf GRID ACCEPTABLE USE POLICY]=
== Membership Management Requirements  ==
'''Provavelmente a retirar'''


1 GRID ACCEPTABLE USE POLICY
*The VO must appoint a VO manager and at least one deputy who are responsible for implementing procedures meeting the requirements of this policy. These are important roles which carry operational responsibilities; non-responsiveness of the VO manager or deputies may lead to the suspension of the VO from the Grid.
By registering as a Grid user you shall be deemed to accept these conditions of use:


1. You shall only use the Grid to perform work, or transmit or store data consistent with the
*The VO membership management procedures must ensure that:
stated goals, policies and conditions of use as defined by the body or bodies granting you
access.


2. You shall not use the Grid for any unlawful purpose and not (attempt to) breach or circumvent
#only individuals who have agreed to abide by the VO AUP are registered as members of the VO;
any Grid administrative or security controls.
#accurate Registration Data is maintained for all VO members.


3. You shall respect intellectual property and confidentiality agreements.
*Membership of a VO is not necessarily restricted to real persons. Hosts, services and/or robots (unattended automated processes acting on behalf of the VO) may also be registered in the VO. In the case of these non-personal registrations, the Registration Data must include the personal details of the real person requesting registration and assuming ongoing responsibility for the entity.


4. You shall protect your access credentials (e.g. private keys or passwords).
*The VO Manager must publish a description of the methods used to verify user data at registration time and periodically review users' affiliation.


5. You shall immediately report any known or suspected security breach or misuse of the Grid or
<br>
access credentials to the incident reporting locations specified by the Grid and to the relevant
credential issuing authorities.


6. You must notify the Registrar of any changes to your Registration Information.
=== Membership Registration ===


7. Use of the Grid is at your own risk. There is no guarantee that the Grid will be available at
*Membership Registration is the process by which people first join the VO. An important objective of this process is to collect the user’s Registration Data. Accurate Registration Data must be maintained for all VO members. VO Managers must check the validity of the user Registration Data and check the user's eligibility for special authorisation (Groups/Roles). The following requirements should apply to the Membership Registration process:
any time or that it will suit any purpose.


8. Logged information, including information provided by you for registration purposes, is used
#Replication of Personal user data and multiple validation and authentication should be avoided so that Grid users register only once with each VO and their Registration Data are checked only in a single place.  
for administrative, operational, accounting, monitoring and security purposes only. This
#The procedures must unambiguously assign the individuals who take responsibility for the validity of the Registration Data provided, and those with the authority to exercise control over the rights of the user to use Grid resources. This may include an Institute Representative, as defined above, and/or Site Managers.
information may be disclosed, via secured mechanisms, only for the same purposes and only
#An important purpose of the registration process is to record the explicit acceptance by the user of the Grid AUP and the VO AUP as well as the acceptance, by the user, that part of his/her information including Personal user data may be made available to the Sites and Grid Operations.
as far as necessary to other organisations cooperating with the Grid. Although efforts are
made to maintain confidentiality, no guarantees are given.


9. The access-granting bodies and Resource Providers are entitled to regulate, suspend or
<br>
terminate your access, within their domain of authority, and you shall immediately comply
with their instructions.


10. You are liable for the consequences of you violating any of these conditions of use.
=== Membership Renewal  ===


= [https://documents.egi.eu/public/RetrieveFile?docid=79&version=6&filename=EGI-SPG-VOManagement-V1_0.pdf VIRTUAL ORGANISATION MEMBERSHIP MANAGEMENT POLICY]=
*The membership renewal process must include:


Data supplied by the user:
#Confirmation, by the VO Manager, that continued membership of VO is still allowed.
*Personal user data:
#Confirmation or update of all data provided during registration and all special authorisations.
*Family Name,
#Reaffirmed acceptance by the user of the Grid AUP and the VO AUP.
*Given Name,
*Institute name, i.e. the user’s employing institute (this is required if the user's membership eligibility derives from his/her institutional affiliation)
*Contact Phone number (this is optional, but the VO Manager may need to contact the user promptly during investigation of security incidents)


Registration Data: Authentication (AuthN) related information:
*Membership of the VO must be renewed at least every 12 months. Additionally all members of the VO should renew following a major change to the Grid Acceptable Use Policy.
*Personal user data,
*Email address,
*DistinguishedName (DN) extracted from a valid personal digital certificate issued by his/her Certification Authority (CA).  


Other relevant terms:
<br>


''' VO Database:''' Authorisation (AuthZ) related information, i.e. the user's role(s) in the VO, is stored in this database. His/her access rights to a resource and on data stored at it will depend on this information.
=== Membership Removal  ===

*The following conditions should trigger a timely re-evaluation of the user’s right to remain a member of a given VO:
#User or Institute Representative (IR) request. Ideally, the user should be able to remove themselves from the VO without involvement of the VO Manager,
#Renewal failed to complete in the allotted time,
#End of collaboration between the user’s institute and the VO, if applicable,
#End of collaboration between the user and the VO,
#End of collaboration between the user and his/her institute, if applicable.
*Note that some VOs may not maintain relationships with institutes. The fact that the VO does not maintain relationships with institutes should be recorded in the VO Registration Information.

=== Membership Suspension ===

*The suspension of VO membership is the temporary removal of the user from the VO.
*The VO Manager must cooperate fully with Grid Security Operations in the investigation of Grid security incidents. A member should be suspended when the VO Manager is presented with reasonable evidence that the member’s grid identity has been used, with or without the user’s consent, in breach of relevant Grid and/or VO policies (security or otherwise). The request for suspension may be made by the Grid Security Officer and/or by Grid Operations. Requests from Sites should be routed through and confirmed by the Grid Security Officer and/or Grid Operations. In emergency situations this confirmation may be provided after the actual suspension if the VO Manager decides this is appropriate.
*All reasonable efforts must be made by the VO Manager to contact the member when he/she is suspended. Prior to reinstating a suspended user the VO Manager must notify those who requested the suspension. There should be an agreed dispute resolution procedure which the VO and/or Grid can follow if the user wishes to challenge his/her suspension.

=== Audit Requirements ===

*The VO Membership Management system(s) must record and maintain an audit log of all VO membership transactions. This audit log must be kept for a minimum period consistent with the [https://documents.egi.eu/document/81 Traceability and Logging Policy].
*Audit logs containing personal registration data must not be retained for longer than one year. The audit logs must include:
#every request for membership,
#every request for assignment of or change to VO authorisation attributes (groups, roles etc.),
#every membership renewal request,
#every membership suspension request,
#every membership removal.
*Each of these entries should record the date and time of the request, the originator of the request, the details of the request and whether or not it was approved or successful. The identity of the person granting or refusing the request should be recorded, including any verification steps involved and other people consulted, e.g. the IR.

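The removal triggers, the suspension workflow and the audit requirements described in the sections above are mechanics that a VO membership service has to implement, and they interact: a suspension is only as good as the record of who asked for it and what was checked. The following is an added example written for this page; it is not code from the EGI page, from gLite VOMS or from any other EGI software. It models a small VO membership ledger that refuses registration without AUP acceptance, flags members whose renewal is overdue (the 12-month limit), accepts suspension requests from the Grid Security Officer or Grid Operations directly and from a Site only when confirmed (or, in an emergency, with confirmation recorded afterwards), refuses reinstatement until everyone who requested the suspension has been notified, and keeps every audit entry while redacting personal registration data from entries older than one year. The class and function names, the TRUSTED_REQUESTERS set, and the sample DNs, names and dates are assumptions made for the example.

```python
# Added example, not taken from the EGI page nor from VOMS or any other EGI
# software: a minimal VO membership ledger with the mechanics the policy text
# above requires. TRUSTED_REQUESTERS, VOLedger and the sample DNs are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

RENEWAL_PERIOD = timedelta(days=365)  # membership must be renewed at least every 12 months
PII_RETENTION = timedelta(days=365)   # personal data in audit logs kept for one year at most
# Suspension requests from these originators stand on their own; a Site's request
# must be confirmed by one of them (in an emergency, confirmed after the fact).
TRUSTED_REQUESTERS = {"grid-security-officer", "grid-operations"}

@dataclass
class AuditEntry:           # one record per membership transaction
    when: datetime
    originator: str
    action: str             # register / suspend / confirm / reinstate
    subject: str            # the member's certificate DN, kept for traceability
    details: dict           # may hold personal registration data; redacted after a year
    approved: bool
    decided_by: str
    verification: str       # checks made and people consulted, e.g. the IR

@dataclass
class Member:
    personal: dict
    last_renewal: datetime
    suspended: bool = False
    pending_confirmation: bool = False
    suspension_requesters: list = field(default_factory=list)

class VOLedger:
    def __init__(self, vo_manager):
        self.manager, self.members, self.audit = vo_manager, {}, []

    def _log(self, when, originator, action, dn, details, approved, verification=""):
        self.audit.append(AuditEntry(when, originator, action, dn, details, approved, self.manager, verification))
        return approved

    def register(self, dn, personal, now, accepted_aups, verification=""):
        # Only individuals who have agreed to the Grid AUP and the VO AUP may be registered.
        if accepted_aups:
            self.members[dn] = Member(dict(personal), now)
        return self._log(now, dn, "register", dn, dict(personal), accepted_aups, verification)

    def due_for_reevaluation(self, now):
        # Renewal not completed within the allotted time is a removal trigger.
        return sorted(dn for dn, m in self.members.items() if now - m.last_renewal > RENEWAL_PERIOD)

    def suspend(self, dn, requester, now, confirmed_by=None, emergency=False):
        m = self.members[dn]
        trusted = requester in TRUSTED_REQUESTERS or confirmed_by in TRUSTED_REQUESTERS
        if not (trusted or emergency):
            return self._log(now, requester, "suspend", dn, {}, False)
        m.suspended, m.pending_confirmation = True, not trusted
        m.suspension_requesters.append(requester)
        return self._log(now, requester, "suspend", dn, {"emergency": emergency}, True)

    def confirm_suspension(self, dn, confirmer, now):
        m = self.members[dn]
        ok = m.suspended and confirmer in TRUSTED_REQUESTERS
        if ok:
            m.pending_confirmation = False
        return self._log(now, confirmer, "confirm", dn, {}, ok)

    def reinstate(self, dn, now, notified):
        # Everyone who asked for the suspension must have been notified first.
        m = self.members[dn]
        ok = m.suspended and set(m.suspension_requesters) <= set(notified)
        if ok:
            m.suspended = m.pending_confirmation = False
            m.suspension_requesters.clear()
        return self._log(now, self.manager, "reinstate", dn, {"notified": list(notified)}, ok)

    def prune_personal_data(self, now):
        # Audit entries stay (traceability); only the personal data in old ones goes.
        redacted = 0
        for e in self.audit:
            if e.action == "register" and "redacted" not in e.details and now - e.when > PII_RETENTION:
                e.details, redacted = {"redacted": True}, redacted + 1
        return redacted

def demo():
    # Constructed scenario, not real EGI data: one member, an emergency suspension
    # requested by a Site, its confirmation, reinstatement and retention pruning.
    t0, alice = datetime(2012, 12, 3), "/DC=org/DC=example/CN=Alice Example"
    vo, out = VOLedger("vo-manager"), {}
    out["registered"] = vo.register(alice, {"family_name": "Example", "given_name": "Alice",
                                            "institute": "Example Institute"}, t0, True, "IR confirmed")
    out["refused_no_aup"] = vo.register("/DC=org/DC=example/CN=Bob", {"family_name": "Bob"}, t0, False)
    out["site_request_unconfirmed"] = vo.suspend(alice, "site-ops", t0 + timedelta(days=10))
    out["site_request_emergency"] = vo.suspend(alice, "site-ops", t0 + timedelta(days=10), emergency=True)
    out["pending"] = vo.members[alice].pending_confirmation
    out["confirmed"] = vo.confirm_suspension(alice, "grid-security-officer", t0 + timedelta(days=11))
    out["reinstate_unnotified"] = vo.reinstate(alice, t0 + timedelta(days=30), [])
    out["reinstate_notified"] = vo.reinstate(alice, t0 + timedelta(days=30), ["site-ops"])
    t1 = t0 + timedelta(days=400)
    out["due"], out["redacted"] = vo.due_for_reevaluation(t1), vo.prune_personal_data(t1)
    out["audit_actions"] = [e.action for e in vo.audit]
    return out
```

demo() runs the constructed scenario and returns the outcome of each step: the unconfirmed Site request is refused and logged as refused, the emergency request suspends the member with confirmation pending, reinstatement fails until the requester has been notified, and after 400 days the member is due for re-evaluation while the two registration entries lose their personal data but not their existence. In a real service the ledger would be backed by the membership database and the audit log written append-only to storage covered by the Traceability and Logging Policy; the point of the example is that the log entry, not the member record, is what answers "who asked, who decided, what was checked" during an incident.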
=== Data Privacy ===

*It is recommended that the VO document its VO Membership data privacy policy. This should include statements on:
#which data, if any, is collected from a VO member in addition to the Registration Data, and why this data is required,
#how and where the data is stored,
#for how long the data is kept and how expired data is deleted,
#who within the VO has access to the data and why,
#how the user can view their own data and request corrections,
#what happens to the VO membership data when the VO ceases to exist,
#any third parties to whom VO membership data is disclosed and why. The VO may decide, for example, to grant read access to the data to Grid and Security Operations.

= VO Acceptable Use Policy =

*<big>'''The VO Acceptable Use Policy (VO AUP)'''</big> is a statement which, by clearly describing the goals of the VO, defines the expected and acceptable usage of the Grid by the members of the VO. By requiring that all members of the VO who participate in the Grid agree to act within the constraints of the VO AUP, the VO Manager defines a community of responsible users with a common goal. This definition enables Site Managers to decide whether to allow VO members to use their resources.
*The <big>'''VO AUP'''</big> must:
#bind VO members to abide by the <big>'''[https://documents.egi.eu/document/74 Grid Acceptable Use Policy]'''</big>.
#state who gives authority to the Policy.

<br>
 
= Grid Acceptable Use Policy  =
 
The <big>'''[https://documents.egi.eu/document/74 Grid Acceptable Use Policy]'''</big> defines the conditions that any user wanting to take advantage of the grid infrastructure must accept. Those conditions are briefly summarized hereafter:
 
#You shall only use the Grid to perform work, or transmit or store data consistent with the stated goals, policies and conditions of use as defined by the body or bodies granting you access.
#You shall not use the Grid for any unlawful purpose and not (attempt to) breach or circumvent any Grid administrative or security controls.
#You shall respect intellectual property and confidentiality agreements.
#You shall protect your access credentials (e.g. private keys or passwords).
#You shall immediately report any known or suspected security breach or misuse of the Grid or access credentials to the incident reporting locations specified by the Grid and to the relevant credential issuing authorities.
#You must notify the Registrar of any changes to your Registration Information.
#Use of the Grid is at your own risk. There is no guarantee that the Grid will be available at any time or that it will suit any purpose.
#Logged information, including information provided by you for registration purposes, is used for administrative, operational, accounting, monitoring and security purposes only. This information may be disclosed, via secured mechanisms, only for the same purposes and only as far as necessary to other organisations cooperating with the Grid. Although efforts are made to maintain confidentiality, no guarantees are given.
#The access-granting bodies and Resource Providers are entitled to regulate, suspend or terminate your access, within their domain of authority, and you shall immediately comply with their instructions.
#You are liable for the consequences of you violating any of these conditions of use.
 
<br>
 
= References  =
 
*<big>'''[http://www.egi.eu/about/policy/policies_procedures.html EGI Policies and Procedures wiki page]'''</big>
*<big>'''[https://documents.egi.eu/document/71 EGI Security Policy Glossary of Terms]'''</big>
 
[[Category:Operations Documentation]]

Latest revision as of 19:03, 3 December 2012
