Guidelines for VO administrators#

Virtual Organisations are the key element of the authorisation in Helmholtz AAI.


To open up a new VO, please fill out the VO Creation form with your email address. Fill it out and send it to the HIFIS Management Mailinglist. Please use a digital signature to sign your email.

Once you have your VO, you can convince services to support your VO.

You need to be able to authenticate with the assurance of RAF Cappuccino, i.e. you need to identify with your passport at your Identity Provider.


As an administrator of a Virtual Organisation you take a substantial share of responsibilities for a working process. The requirements come from the Services. Many services have requirements on the quality of the user identity assurance and on the general quality of the identity provider.

Depending on the service (in this case those allow shell access or data storage) this often requires the users to have shown a passport at their home-IdP and also require the home-IdP to support certain security procedures.

International Users#

In Helmholtz AAI we want to enable users for which those criteria often aren’t met. Therefore, we offer the possibility to add all kinds of users to a VO, but we require the VO admin to guarantee that an appropriate level of identity vetting has taken place.


As defined in the top level policy, VO admins have several tasks to fulfil:

In most cases, a PP is not necessary if the VO is managed at unity and you do not additionally process any personal data.


You can manage your VO under the /upman endpoint of unity. It allows you to invite users by email.