Definition of Service Specific Roles via AAI: DataHub
For Helmholtz DataHub, the following role definitions are being implemented within Helmholtz AAI as modifications of “Variant 1”:
Variant 1a: Group-based User Role, for a Specific Service
To define a specific role of a user within a VO-based group, specifically for one service:
- The service provider defines a naming scheme for a specific sub-group, following the convention <provider name>-<service name>-<role name>. For example: <gfz-sms-admin>, <gfz-sms-member>.
- The definition shall be documented here for the specific service.
- The service provider is responsible for informing the VO/group managers of all allowed VOs/groups about this definition and its consequences.
- The VO administrator or VO subgroup manager creates a sub-VO (group) within her specific group (VO), following this naming scheme.
- The VO administrator or VO subgroup manager is responsible for defining the members of these groups according to the VO membership policies.
- The service checks for the respective subgroup memberships by checking for the respective group claim.
Variant 1b: Group-based User Role, using internal group management structures via Helmholtz AAI
To define a specific role of a user in the internal (institute) group structures, specifically for a service, where the internal groups are enabled to be released to Helmholtz AAI for external purposes:
- The service provider defines a name scheme for such groups: <group name>.<provider name>-<service name>-<role name>, with <group name> identifying the organizational unit (e.g., structure/group/topic/section) and <provider name>-<service name>-<role name> as in Variant 1, giving the provider and name of the service together with the corresponding role name.
- As this group is handed via the home IdP to Helmholtz AAI and via Helmholtz AAI to the service, it has the following form: <prefix>:<namespace>:<group_scheme>#authority. For example: urn:geant:helmholtz.de:gfz:group:department5.gfz-sms-member#idp.gfz-potsdam.de
- The prefix is defined by Helmholtz AAI, and the namespace is registered to ensure unique group names. Therefore, the prefix + namespace urn:geant:helmholtz.de:gfz:group will only be used for internal GFZ groups. This also guarantees that groups with the same name from different institutions are separate groups.
- The authority #idp.gfz-potsdam.de follows the Helmholtz AAI/AARC convention.
- These group memberships are released as values of eduPersonEntitlement by the IdP of the user's home organization.
- Creation and management of groups is organized according to the internal infrastructure of the home institution.
- The service checks for the respective group name and institution to identify the groups and, accordingly, the roles of their members.
Variant 1c: Group-based User Role, for Multiple Services with a Shared Context
To define a specific role of a user that holds for multiple services with a shared context:
- The naming convention is shared by the different service providers that agreed to it, but they do not have to use it exclusively.
- Different services of the DataHub project share the same members: <datahub-default-member>, according to the naming convention:
- datahub: shared context as provider name, i.e., hosted in the DataHub context.
- default: general service name, as several services are addressed at the same time (individual management is still possible next to the “shared” management option).
- member: role name. Shared groups only make sense where the user groups are identical for different services. This holds in general only for members getting access to different services for a topic, but does not hold for admins or other specific roles.
- The definition and its consequences need to be documented and shared with the VO/group managers of all allowed VOs/groups.
- It is possible to use this for VO-based group management and for internal group management; the latter with members from within one institution only.
- All engaged services check for the respective group name (VO) or group name + institution to identify the groups and, accordingly, the roles of their members.
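The relying-party side of all three variants, as an added example that is not part of the Helmholtz AAI documentation: it parses Variant 1a/1c group claims and Variant 1b eduPersonEntitlement values, accepts a group only if its registered prefix + namespace is asserted by the matching authority, and maps the result to role names. The service name "gfz-sms", the accepted schemes, the trusted namespace table and all sample claims are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed config for a hypothetical "gfz-sms" service that also takes part in the DataHub context (1c).
ACCEPTED_SCHEMES = {("gfz", "sms"), ("datahub", "default")}
TRUSTED_NAMESPACES = {"urn:geant:helmholtz.de:gfz:group": "idp.gfz-potsdam.de"}  # 1b: namespace -> authority
ROLE_NAME = re.compile(r"^([a-z0-9]+)-([a-z0-9]+)-([a-z0-9]+)$")

@dataclass(frozen=True)
class Role:
    provider: str
    service: str
    role: str
    institution: Optional[str]  # None for VO-managed groups (Variants 1a/1c)

def parse_group_claim(name: str) -> Optional[Role]:
    """Variant 1a/1c: '<provider>-<service>-<role>' taken from the AAI group claim."""
    m = ROLE_NAME.match(name)
    return Role(*m.groups(), institution=None) if m else None

def parse_entitlement(value: str) -> Optional[Role]:
    """Variant 1b: '<prefix>:<namespace>:<group name>.<provider>-<service>-<role>#authority'."""
    urn, sep, authority = value.rpartition("#")
    if not sep:
        return None
    for namespace, expected_authority in TRUSTED_NAMESPACES.items():
        if urn.startswith(namespace + ":"):
            if authority != expected_authority:  # asserted by an IdP not registered for this namespace
                return None
            # <group name> may itself contain dots; the role triple follows the last one.
            _, dot, suffix = urn[len(namespace) + 1:].rpartition(".")
            m = ROLE_NAME.match(suffix) if dot else None
            return Role(*m.groups(), institution=authority) if m else None
    return None  # unknown namespace: not a group this service trusts

def roles_for_service(group_claims, entitlements) -> set:
    """Role names the user holds under the accepted (provider, service) schemes."""
    found = [parse_group_claim(g) for g in group_claims]
    found += [parse_entitlement(e) for e in entitlements]
    return {r.role for r in found if r and (r.provider, r.service) in ACCEPTED_SCHEMES}

# Constructed sample claims: the second entitlement carries a wrong authority, the third a foreign namespace.
SAMPLE_GROUPS = ["datahub-default-member", "hzb-other-admin"]
SAMPLE_ENTITLEMENTS = [
    "urn:geant:helmholtz.de:gfz:group:department5.gfz-sms-member#idp.gfz-potsdam.de",
    "urn:geant:helmholtz.de:gfz:group:department5.gfz-sms-admin#idp.example.org",
    "urn:geant:helmholtz.de:hzb:group:dept.gfz-sms-admin#idp.hzb.example",
]
```

Calling roles_for_service(SAMPLE_GROUPS, SAMPLE_ENTITLEMENTS) yields only the member role: the hzb-other-admin group belongs to a scheme this service does not accept, and the two rejected entitlements never reach the role mapping.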
Last update: August 2, 2022
Created: August 2, 2022