User:David kelsey/Temp VO Membership Management

From JSPGwiki

Draft policy document - not yet approved or adopted.

This is version 3.1 of this policy document (Mods by D Kelsey - 27 Aug 2008).

The currently approved and adopted policy document is called "Requirements for LCG User Registration and VO Membership Management" (version 2.7, dated 1 June 2004) and may be found at https://edms.cern.ch/document/428034/2


Introduction

This policy defines the minimum requirements for the management of the Virtual Organisation (VO) Membership. In this version the policy only considers the membership of the VO by users; hosts and services may be addressed in a future version. All registered VOs are required to implement procedures meeting these requirements.

Scope and Audience

This document is aimed primarily at VO managers. It defines the procedures which are required to be in place to manage the VO Membership. It does not address the security requirements for running the actual VO Membership service.

Definitions

Data supplied by the user:

  • Personal user data:
    • Family Name,
    • Given Name,
    • Institute name, i.e. the user’s employing institute,
    • Contact Phone number.
  • Registration Data: Authentication (AuthN) related information:
    • Personal user data,
    • Email address,
    • DistinguishedName (DN) extracted from a valid personal digital certificate issued by his/her Certification Authority (CA).

Other relevant terms:

  • VO Database: Authorisation (AuthZ) related information, i.e. the user's role(s) in the VO. The user's access rights to a resource, and to the data stored there, depend on this information.
  • VO manager: The responsible person recording in the VO Database, after appropriate checks, the status of a member of the VO, i.e. performing user entries, assignment of roles, information updates and user removals. The VO management function can be performed by a group of persons delegated by the VO manager.
  • Institute Representative (IR): The person at the user’s employing institute, who can check the validity of his/her data and confirm the identity of the user and his/her right to become or remain a member of a VO.

Membership Management Procedures

The VO must design and implement procedures to manage the VO Membership and to record and maintain the membership data in the VO Database. The VO must appoint a VO manager and at least one deputy who are responsible for executing the various required procedures.

The VO must describe its implementation of the required procedures in a document to be submitted during the registration of the VO with the Grid. To facilitate the production of such a document, a template is provided in Appendix A.

Appointment of the VO manager

The VO must document how it appoints and replaces its VO manager and deputies.

Membership Registration

Membership Registration is the process by which people join the VO. An important objective of this process is to collect the user’s Registration Data. Accurate contact and identity information must be maintained for all VO members.

Duplication of Personal user data, and of the validation and authentication procedures, should be avoided, so that Grid users register only once and their Registration Data are checked in a single place.

Robust, documented verification procedures must be used to establish the link between a person, his/her Registration Data and the associated authorisation attributes (groups and/or roles).

The procedures must unambiguously identify the individuals who take responsibility for the validity of the Registration Data provided, and those with the authority to control the user's right to use Grid resources.

Acceptable Use Policy

An important purpose of the registration process is to record the user's explicit acceptance of the Grid AUP and the VO AUP, as well as the user's acceptance that part of his/her information, including Personal user data, may be made available to Sites and Grid Operations.

Membership Renewal

The membership renewal process must include:

  • Confirmation that continued membership of the VO is still allowed,
  • A check as to whether any Registration Data has changed and the capture of the new data,
  • Reaffirmed acceptance of the Grid AUP and the VO AUP.

Membership of the VO must be renewed every 12 months or more frequently.

Membership Removal

The following conditions should trigger a timely re-evaluation of the user’s right to remain a member of a given VO:

  • User or user’s IR request. A mechanism prompting the VO manager to remove the user on request by the IR or the user should be provided.
  • End of the user’s membership period in the VO. A way to record the “User Registration Date” and “User Participation-End Date” should be provided for auditing and accounting purposes. Provided the user’s contract with the institute lasts at least that long, an initial value not exceeding one year should be assigned to the “User Participation-End Date” at registration time. A mechanism prompting the user to re-register before the “User Participation-End Date” is reached should be provided.
  • End of collaboration between the user’s institute and the VO.
  • End of collaboration between the user and the VO.
  • End of collaboration between the user and his/her institute. Documented procedures provided by each VO should explain how changes in the user’s collaboration with the institute and/or the VO are reflected in a timely manner.
  • Major change of the Grid Acceptable Use Policy. The AUP version number that was valid at registration time should appear on the user’s record. If the AUP is subject to major changes, the user should be prompted to re-confirm his/her acceptance of it.

Membership Suspension

The suspension of VO membership is the temporary removal of the user from the VO.

A member should be suspended when the VO manager is presented with reasonable evidence that the member’s grid identity has been used, with or without the user’s consent, in breach of relevant Grid security policies.

The VO manager must cooperate fully with Grid Security Operations in the investigation of Grid security incidents. A security incident may result in the need to suspend one or more users' membership of the VO.

The request for suspension may be made by the Grid Security Officer and/or by Grid Operations. Requests from Sites should be routed through and confirmed by the Grid Security Officer and/or Grid Operations. In emergency situations this confirmation may be provided after the actual suspension if the VO manager decides this is appropriate.

All reasonable efforts must be made by the VO manager to contact the member when he/she is suspended.

Prior to reinstating a suspended user the VO manager must notify those who requested suspension.

Audit requirements

The VO must record and maintain an audit log of all VO membership transactions.

The audit logs must include:

  • every request for membership,
  • every request for assignment of or change to VO authorisation attributes (groups, roles etc.),
  • every membership renewal request,
  • every membership suspension request,
  • every membership removal.

For each of these requests the log should record the date and time of the request, the originator of the request, the details of the request, and whether or not it was approved or successful. The identity of the person granting or refusing the request should be recorded, including any verification steps involved and any other people consulted, e.g. the IR.

Data handling

The VO must document its VO Membership data handling policy. This should:

  • state which data, if any, is collected from a VO member in addition to the Registration Data, and explain why this data is required,
  • state how and where the data is stored,
  • state for how long the data is kept and how expired data is deleted,
  • explain who within the VO has access to the data and why,
  • describe any third parties to whom VO membership data is disclosed and why.


VO manager’s responsibilities

Whilst the operation and maintenance of the VO Membership services may be delegated to an operations infrastructure, the VO manager, on behalf of the VO, is held responsible for the content of the VO Database and for the execution of the required procedures. The detailed duties and responsibilities of the VO manager include:

  • Management of the Registration Data verification process, by using existing reliable sources of information, consulting the relevant IRs, or by means of other appropriate auditable procedures.
  • Addition of the new user to the VO Database after successful completion of the verification process, or notification to the user of the reasons for his/her denial.
  • Logging of information, including the date when the user registered (User Registration Date). Each request received, and the checks made to validate it, should be recorded for auditing purposes. Audit logs should be kept by the VO manager for two years, even if the member has left the VO; the audit record of the initial registration should be kept until at least two years after the member leaves.
  • Timely maintenance of the user’s entry when changes are required.
  • Removal or suspension of a user from the VO Database as per the conditions listed above.
  • Provision of secure read access to the Registration Data for authorised use only.
  • Ensuring Personal user data is not distributed except for authorised and necessary purposes. The VO manager must ensure that the VO membership is aware of the circumstances under which their Registration Data will be distributed.
  • Responding to Sites’ requests for information.

Appendix A: Template of VO Membership Management Procedures document

To be provided. This should describe the VO's implementation of the required procedures and the workflows involved.

As an example, see http://osg-docdb.opensciencegrid.org/cgi-bin/ShowDocument?docid=753