Virtual Organisations (VOs)
Explanation on VOs
- VOs are technical representations of (research) groups and are the key element of authorisation in the Helmholtz Cloud.
- Some services don’t need VOs, but most do, in order to control access granted to users and groups. See also our explanation of the AAI concepts.
- Don’t hesitate to ask us via our Helpdesk, should you have any further questions.
Examples
A VO can be a group of
- researchers working on a funded project.
- people working in the same institute/division.
- experts working on a specific topic.
A VO is not a group of people who are allowed to use a single, specific service controlled by a service operator. If you (as a service operator) want to control which persons have access to your service, have a look at the Resource capabilities.
Technical Preconditions
You (as a VO admin) need to be able to authenticate with the assurance of RAF Cappuccino, i.e. you need to identify yourself with your passport at your Identity Provider (IdP).
Since VO administrators must be employees of a Helmholtz centre, the IdP used for authentication must be operated by a Helmholtz centre.
Because of the privileges that come with being a VO admin, the accounts need to be secured. For this reason, MFA must be performed during the login process. The MFA can be performed at the IdP, if the Identity Provider signals the usage of MFA, or at Helmholtz ID itself.
Responsibility
As an administrator of a Virtual Organisation, you take on a substantial share of the responsibility for a working process. The requirements come from the services. Many services have requirements on the quality of the user identity assurance and on the general quality of the identity provider.
Depending on the service (in this case those that allow shell access or data storage), this often requires the users to have shown a passport at their home IdP and also requires the home IdP to support certain security procedures.
International Users
In Helmholtz ID we want to enable users for whom those criteria often aren’t met. Therefore, we offer the possibility to add all kinds of users to a VO, but we require the VO admin to guarantee that an appropriate level of identity vetting has taken place.
Further information about Policies
As defined in the top level policy, VO administrators have several tasks to fulfil:
- Abide by the following policies:
- If necessary, define AUP and PP policies for your VO by extending the following templates:
In most cases, a Privacy Policy is not necessary if the VO is managed at Helmholtz ID and you do not additionally process any personal data.
Need help?
Contact us if you need help.