OSG VO Member Registration Policy and Procedure

Open Science Grid

Document Name / OSG VO Registration Policy and Procedure
Number and Version / OSG DocDB Document 737v2
Date last updated / April 14, 2008

Abstract:

This document describes the member registration policy and procedure for the OSG VO.

Change History

V1.6 / 2008/01/29 / Chris Green / First public version uploaded to DocDB
V2.0 / 2008/04/14 / Chris Green / Formatted to match template DocDB #753v1, combining material from 737v1 and 597v1

1Scope

This document describes the OSG membership life-cycle procedures. These procedures are invoked to validate, approve or deny, and renew the membership application of an individual who wishes to join the OSG-VO.

2Definitions

Applicant – The person who is requesting to register as a member of the OSG VO.

Member – An Applicant becomes a Member after his or her membership of the VO is approved by a VOAdmin.

Representative – A person identified by the OSG VO management such that this person queries on and determines the appropriateness of a registration request. The representative finds out how an applicant is related to the intents and actions of OSG VO.

VOMRS: A membership management tool that can handle the procedures described here.

VOAdmin – A person so identified in the VOMRS is responsible for managing the membership data captured in the VOMRS. Typically a VOAdmin approves Applicant membership, terminates membership, assigns Roles and Groups, and perform other related functions.

Group – A defined term in VOMRS which is used to group together a set of people with similar work goals or organizational affiliation. Groups are often referred to as sub-VOs.

Role – A defined term in VOMRS which is used to define other distinguishing attributes (e.g. Production) that may be applied to the user’s VO attributes (also known as FQAN); this term may grant different privileges to a user than other members of the same VO and/or group who are assigned to a different Role).

AUP – Acceptable Use Policy.

3User Registration Workflow

3.1Registration

Notes:

A person may make themselves known as an Applicant by one of three methods:

  1. Personal contact to an OSG VO Representative or VOAdmin;
  2. Referral via an existing member of the OSG Consortium or of the OSG VO;
  3. Direct application using the OSG VO’s VOMRS server.

A Representative may wish to carry out steps 2-4 prior to step 1 in the case that first contact is via methods (b) or (c).

Steps:

  1. An Applicant applies for membership in the OSG-VO by using the VOMRSserver located at this step requires the Applicant to have an X.509 certificate from one of the OSG-recognized Certificate Authorities. As part of the application process the user will select a Representative who will receive and process this application for membership. During this step, the Applicant can request group and role memberships, which are necessary for his/her work; the approval of these requests lies with the Representative. When the Applicant is unsure of which roles and groups to request, the selection and approval of the appropriate groups and roles are done by the Representative. The VOMRSapplication procedure requires that the Applicant signs that he or she has read and agrees to the Grid AUP (DocDB #86) and the OSG VO AUP (DocDB #742).
  2. The Representative receives an email from the VOMRS that notifies the Representative that an application for membership has been received. At this point the Representative is responsible for verifying that the Applicant has an appropriate reason to use the OSG-VO. There are several checks to be made including (but not limited to):
  1. Verify that the Applicant has a trust relationship with an OSG Consortium member; this is typically done by “tracing up” the management chain of the Applicant until a member of the OSG-ET, OSG-ETB, or Consortium is identified. At that point an email check is made to verify that the Applicant should be allowed to use the OSG-VO.
  2. The Applicant is queried on their intended use of the OSG-VO to insure that the planned use is consistent with the currently defined policies of the OSG-VO. An attempt is made to ascertain whether the planned use properly belongs in some other defined VO (for instance Engage); if so, the applicant should be re-directed to that VO for membership.
  3. Past membership of this or any other VO and conduct while a member of same may be researched and taken into account.
  1. If the Representative determines that the Applicant should not be approved to receive membership in the OSG-VO, then the Representative will notify the Applicant of that outcome and this procedure will terminate.
  2. The Representative determines the appropriate Role and Group within the OSG-VO for this Applicant. This is done by understanding the intended use of the OSG-VO and making an appropriate determination. Upon completion, the Representative notifies the VOAdmin to approve the Applicant.
  3. The VOAdmin will proceed to approve the Applicant, via the appropriate actions and entries into VOMRS, and thus approve the membership in the OSG-VO; this process will include assignment or approval of the Group and Role designations. All memberships shall be enabled for a period not to exceed one calendar year from the application date.

3.2Removal: termination of membership

During a membership period, a Representative may observe the activity of VO members, whose membership are approved by him- or herself. If the Representative believes that the members are not active in using their membership privileges, the Representative may inform them and /or terminate their memberships via the appropriate operation in VOMRS.

When aMember’s membership is terminated due to either expiration or lack of activity, he or she may still apply for a new membership. He or she must follow the registration procedure described in section 3.1 from the beginning.

If a Member’s membership is terminated due to violation of any agreement to which the Member is a party any future application shall be viewed with the appropriate level of skepticism.

3.3Suspension

A Member’s membership may be suspended automatically by the VOMRS system for a number of reasons, including but not limited to: certificate expiration or revocation; institute affiliation expiration; CA expiration or revocation; and AUP signing expiration. When this occurs the user will be notified by the system and may be offered the chance to rectify the situation without having to contact the Representativeexplicitly.

During a membership period, a Representative may observe the activity of VO members, whose membership are approved by him- or herself. If the Representative believes or is otherwise informed that the member’s activities violate any agreement between the Member and the VO then the Member’s membership may be suspended pending further investigation and possible action.

3.4Renewal

When the membership period approaches its expiration date, the VOMRS sends automated notification to the Representativewho was involved with the original membership application. If the Representative believes that the reasons which led to the original membership are still valid, the Representative notifies the member and renews the membership. To renew the membership, the Representative extends the expiration date of the membership one more year. If the Representative believes that the reasons for membership no longer hold, the Representative informs the applicant and terminates the membership on the expiration date. If renewal is appropriate, thememberwill be required to re-sign the grid and OSG VO AUPs. Members may be required on occasion to sign new versions of the grid and / or OSG VO AUPs; if this does not occur within a reasonable grace period suspension may follow.

3.5Change of Membership Status: Rights and Privileges

Assignment of particular rights and privileges of VO membership (including VOAdminor Representative status, membership of various subgroups, roles or other attributes) is in general done by negotiation between the member and relevant other VO members, such as experimental representatives, the user’s Representativeor VOAdmin. This process is facilitated byVOMRS: the membermay request a change by selecting the appropriate privileges and waiting for approval by the Representativeor aVOAdmin; or the Representativeor aVOAdminmay make the change in VOMRSdirectly.

4Communication with Members

Communication with Members shall be by email in general, using contact details provided by the user and stored in VOMRSor elsewhere with other means (eg fax) to be used as appropriate. This communication may be manual (for instance initiated by a Representative or the Member) or be automatic, originating fromVOMRS. Any change in status of the Member with respect to the VO shall be communicated to him or her before said change of status if possible; or in the alternative as soon as possible thereafter.

5Treatment of User Data

Most user data is stored in the VOMRSsystem. Other documents or emails, such as correspondence taking place as part of step 2 of the registration process; or correspondence concerning the user’s conduct under the auspices of the VO, may be stored in other places.They will in all cases be kept confidential subject to the provisos of section 6 below. Also, accounting data concerning the Member’s use of the OSG may be stored at the sites upon which they have run; or as part of the OSG’s central accounting effort.

6Disclosure of Registration Data to Third Parties

Registration or other data concerning the Applicantor Member will be shared with third parties external to the VO only as necessary to ensure the smooth running of VOs operations or the OSG at large. This may include but is not limited to: authorized OSG officers or other staff as necessary; the OSG accounting service. In addition: certain data provided by theApplicantor Member may be shared with third parties for the purposes of verification, such as that required by step 2 of the registration process.

1