Guidelines for VO administrators
Virtual Organisations are the key element of the authorisation in Helmholtz AAI.
Once you have your VO, you can convince services to support your VO.
You need to be able to authenticate with the assurance of RAF Cappuccino, i.e. you need to identify yourself with your passport at your Identity Provider.
As an administrator of a Virtual Organisation you take on a substantial share of the responsibility for a working process. The requirements come from the Services. Many services have requirements on the quality of the user identity assurance and on the general quality of the identity provider.
Depending on the service (in this case, those that allow shell access or data storage), this often requires the users to have shown a passport at their home-IdP and also requires the home-IdP to support certain security procedures.
In Helmholtz AAI we want to enable users for whom those criteria often aren’t met. Therefore, we offer the possibility to add all kinds of users to a VO, but we require the VO admin to guarantee that an appropriate level of identity vetting has taken place.
As defined in the top level policy, VO admins have several tasks to fulfil:
Abide by the following policies:
If necessary, define AUP and PP policies for your VO by extending the following templates:
In most cases, a PP is not necessary if the VO is managed at unity and you do not additionally process any personal data.
You can manage your VO under the /upman endpoint of unity. It allows you to invite users by email.