Definition of Service Specific Roles via AAI: DataHub¶

For Helmholtz DataHub, the following role definitions are being implemented within Helmholtz AAI, as Modifications of “Variant 1”:

Variant 1a: Group-based User Role, for Specific Service¶

To define a specific role of a user within a VO based group, specifically for a service:

The service provider defines a naming scheme for a specific sub-group, following the convention
- <provider name>-<service name>-<role name>.
- For example: <gfz-sms-admin>, <gfz-sms-member>.
- The definition shall be documented here for the specific service.
- Service provider is responsible to inform the VO/group managers of all allowed VOs/groups on this definition and its consequences.
VO administrator or VO subgroup manager creates a Sub-VO (group) within her specific group (VO), following this naming scheme.
VO administrator or VO subgroup manager is responsible to define the members of these groups, according to VO membership policies.
Service checks for respective subgroup memberships by checking for respective group claim.

Variant 1b: Group-based User Role, use internal group management structures via Helmholtz AAI:¶

To define a specific role of a user, specified in the internal (institute) group structures (and internal groups are enabled to be released for external purposes to Helmholtz AAI), specifically for a service:

The service provider defines a name scheme for such groups: <group name>.<provider name>-<service name>-<role name>
- with <group name> identifying the organizational unit, e.g., structure/group/topic/section
- and <provider name>-<service name>-<role name> as in variant 1 showing the provider and name of the service and also the corresponding role name
As this group is handed via home IdP to Helmholtz AAI and via Helmholtz AAI to the service it has the following form: <prefix>:<namespace>:<group_scheme>#authority
For example: urn:geant:helmholtz.de:gfz:group:department5.gfz-sms-member#idp.gfz-potsdam.de
- with the prefix defined by Helmholtz AAI and a registration for the namespace to ensure unique group names. Therefore, the prefix + namespace urn:geant:helmholtz.de:gfz:group will only be used for internal GFZ groups. This also guarantees that groups with the same name from different institutions are separate groups.
- The authority #idp.gfz-potsdam.de due to Helmholtz AAI/AARC convention.
- These group memberships are released as values for eduPersonEntitlement by the IdP of the home organization of a user
- Creation and management of groups is organized according to the internal infrastructure of the home institution
- Service checks for respective group name and institution to identify the groups and respectively the roles of its members

Variant 1c: Group-based User Role, for Multiple Services with a Shared Context¶

To define a specific role of a user that holds for multiple services with a shared context.

Naming convention is shared for different service providers that agreed to it but do not have to use it exclusively.
- Different services of the DataHub project share the same members: <datahub-default-member> according to naming convention
  - datahub: shared context as provider name/hosted in the DataHub context
  - default: general service name as several services are addressed at the same time (individual management still possible next to „shared“ management option)
  - member: role name – shared groups only make sense where the user groups are identical for different services. This holds in general only for members getting access to different services for a topic but does not hold for admins or other specific roles.
- needs to be documented and shared with the VO/group managers of all allowed VOs/groups on this definition and its consequences
Possible to use for VO based group management and internal group management; the latter with members within institution only
All engaged services check for respective group name (VO)/ group name + institution to identify the groups and respectively the roles of its members.