Skip to content

Definition of Service Specific Roles via AAI: DataHub

For Helmholtz DataHub, the following role definitions are being implemented within Helmholtz AAI, as Modifications of “Variant 1”:

Variant 1a: Group-based User Role, for Specific Service

To define a specific role of a user within a VO based group, specifically for a service:

  • The service provider defines a naming scheme for a specific sub-group, following the convention
    • <provider name>-<service name>-<role name>.
    • For example: <gfz-sms-admin>, <gfz-sms-member>.
    • The definition shall be documented here for the specific service.
    • Service provider is responsible to inform the VO/group managers of all allowed VOs/groups on this definition and its consequences.
  • VO administrator or VO subgroup manager creates a Sub-VO (group) within her specific group (VO), following this naming scheme.
  • VO administrator or VO subgroup manager is responsible to define the members of these groups, according to VO membership policies.
  • Service checks for respective subgroup memberships by checking for respective group claim.

Variant 1b: Group-based User Role, use internal group management structures via Helmholtz AAI:

To define a specific role of a user, specified in the internal (institute) group structures (and internal groups are enabled to be released for external purposes to Helmholtz AAI), specifically for a service:

  • The service provider defines a name scheme for such groups: <group name>.<provider name>-<service name>-<role name>
    • with <group name> identifying the organizational unit, e.g., structure/group/topic/section
    • and <provider name>-<service name>-<role name> as in variant 1 showing the provider and name of the service and also the corresponding role name
  • As this group is handed via home IdP to Helmholtz AAI and via Helmholtz AAI to the service it has the following form: <prefix>:<namespace>:<group_scheme>#authority
  • For example: urn:geant:helmholtz.de:gfz:group:department5.gfz-sms-member#idp.gfz-potsdam.de
    • with the prefix defined by Helmholtz AAI and a registration for the namespace to ensure unique group names. Therefore, the prefix + namespace urn:geant:helmholtz.de:gfz:group will only be used for internal GFZ groups. This also guarantees that groups with the same name from different institutions are separate groups.
    • The authority #idp.gfz-potsdam.de due to Helmholtz AAI/AARC convention.
    • These group memberships are released as values for eduPersonEntitlement by the IdP of the home organization of a user
    • Creation and management of groups is organized according to the internal infrastructure of the home institution
    • Service checks for respective group name and institution to identify the groups and respectively the roles of its members

Variant 1c: Group-based User Role, for Multiple Services with a Shared Context

To define a specific role of a user that holds for multiple services with a shared context.

  • Naming convention is shared for different service providers that agreed to it but do not have to use it exclusively.
    • Different services of the DataHub project share the same members: <datahub-default-member> according to naming convention
      • datahub: shared context as provider name/hosted in the DataHub context
      • default: general service name as several services are addressed at the same time (individual management still possible next to „shared“ management option)
      • member: role name – shared groups only make sense where the user groups are identical for different services. This holds in general only for members getting access to different services for a topic but does not hold for admins or other specific roles.
    • needs to be documented and shared with the VO/group managers of all allowed VOs/groups on this definition and its consequences
  • Possible to use for VO based group management and internal group management; the latter with members within institution only
  • All engaged services check for respective group name (VO)/ group name + institution to identify the groups and respectively the roles of its members.