Resource Entitlement Management System
Manne Miettinen, Mikael Linden, Janne Lauros
CSC – IT Center for Science
Background
• CSC is a non-profit state company
• ICT services for research groups & higher education institutes
• Wide co-operation with universities and research institutes (incl. Statistics Finland)
• CSC has operated the Finnish academic identity federation, Haka, since 2005
• Switzerland and Finland are the European pioneers in federated identity
[Figure: Identity federation. Services such as a library portal (Service 1) and a learning management system, LMS (Service 2) are reached through the identity federation; each of University A, Research Institute B and Polytechnic C keeps its own local user accounts.]
Haka – the federation of Finnish higher education
• Identity Provider maintains the end user’s identities (identifiers, roles and other attributes)
• Identity Provider authenticates an end user
• Identity Provider releases the end user’s attributes to the Service Provider
• Based on the attributes, the Service Provider decides what kind of services the user is authorised to use
[Figure: Identity Providers (home universities: U of Turku, U of Helsinki, U of Tampere, UAS of Turku, UAS of Helsinki, etc.) connected to Service Providers (National Library portal, Institutional Library Management Systems, Learning Management System (Moodle etc), ASP/SaaS services in university administration, CSC’s services to researchers (HPC, grids), etc.).]
Relying on the REMS access rights attributes
[Figure: three ways a Service Provider obtains REMS entitlements alongside the Identity Provider’s attributes: (a) external attribute provider, where the Identity Provider releases attributes and REMS, as attribute provider, releases entitlements; (b) IdP proxy, where REMS sits between the Identity Provider and the Service Provider and forwards attributes + entitlements; (c) a custom REMS integration.]
Federated identity + workflow = REMS
• Basic idea of REMS is to
  • replace the paper-based application process with an automated tool
  • build on top of federated identity to avoid unnecessary and error-prone manual maintenance work of user information
Access to research datasets
0. Fully public access
1. Researcher has a role/group membership
  • IdP-managed / VO-managed
2. Researcher commits to the datasets’ licence terms
3. Researcher fills in and submits an application
  - Dataset owner approves/rejects
Or any combination of 1, 2 and 3.
Resource entitlement management system (REMS)
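The access model above, as an added Python example (not REMS’s or CSC’s own code): a Service Provider evaluates a dataset owner’s policy against the attributes the home IdP releases and the entitlements REMS adds to them. The eduPerson attribute names are standard; the policy object, the entitlement and licence URI formats and the sample user are assumptions.

```python
from dataclasses import dataclass

# Policy a dataset owner configures: 0. public, or any combination of
# 1. role/group membership, 2. licence commitment, 3. approved application.
@dataclass(frozen=True)
class DatasetPolicy:
    dataset_id: str
    public: bool = False                   # 0. fully public access
    affiliations: frozenset = frozenset()  # 1. accepted roles, any one suffices
    licence: bool = False                  # 2. must have committed to licence terms
    application: bool = False              # 3. must hold an approved application

# Assumed URI formats for what REMS releases; not REMS's real schema.
def licence_uri(dataset_id: str) -> str:
    return f"urn:example:rems:licence:{dataset_id}"

def entitlement_uri(dataset_id: str) -> str:
    return f"urn:example:rems:entitlement:{dataset_id}"

def decide(policy: DatasetPolicy, attrs: dict) -> tuple:
    """Return (allowed, reasons). Every condition the owner configured must hold.

    attrs is the attribute set as the SP sees it: what the home IdP released,
    with REMS entitlements merged in (attribute provider or IdP proxy path).
    """
    if policy.public:
        return True, ["public dataset"]
    affiliations = set(attrs.get("eduPersonAffiliation", []))
    entitlements = set(attrs.get("eduPersonEntitlement", []))
    failures = []
    if policy.affiliations and not (affiliations & policy.affiliations):
        failures.append(f"requires affiliation in {sorted(policy.affiliations)}")
    if policy.licence and licence_uri(policy.dataset_id) not in entitlements:
        failures.append("licence terms not accepted in REMS")
    if policy.application and entitlement_uri(policy.dataset_id) not in entitlements:
        failures.append("no approved application in REMS")
    if failures:
        return False, failures
    return True, ["all configured conditions satisfied"]

# Constructed sample attributes for one user, as the SP receives them.
SAMPLE_ATTRS = {
    "eduPersonPrincipalName": ["researcher@example.edu"],
    "eduPersonAffiliation": ["member", "faculty"],
    "eduPersonEntitlement": [licence_uri("dataset1"), entitlement_uri("dataset1")],
}

if __name__ == "__main__":
    policy = DatasetPolicy("dataset1", affiliations=frozenset({"faculty"}), licence=True, application=True)
    print(decide(policy, SAMPLE_ATTRS))
```

A denied decision lists every unmet condition, which is what the owner-facing reporting in REMS would need to explain a rejection.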
The REMS concept
[Figure: workflow between the Applicant (principal investigator, authenticated via home IdP), the Research group (members of the application), DAC 1 Approver and DAC 2 Approver, REMS (workflow, reports, metadata on datasets 1&2, entitlements) and the Dataset 1 and Dataset 2 Service Providers:]
1. Apply for access
2. Commit to licence terms
3. Circulate to approver
4. Approve
5. Access
CASE: process for applying access to the Nordic Control Database
Benefits of REMS
• Reduces throughput times of the application process
• Provides easier reporting/audit tools for owners of the resource and the applicant
• Also increases information security by relying on end users’ home-institution usernames/passwords and federated authentication
The REMS implementation
• Created originally in the ELIXIR ESFRI project
  • Funded by the Academy of Finland and the Ministry of Education and Culture (via CSC), i.e. NOT EU FP7, EMBL etc.
• ELIXIR Finland, hosted at CSC, offers REMS as a service for biomedical data hosting services in ELIXIR
• Discipline-independent
• A Java portlet on Liferay, using the Vaadin framework
• Open source (LGPL)
Work-in-progress
Development
• UI improvements, vulnerability tests, documentation, publish the code, bugfixes and feature requests
Operations
• maintenance, support, helpdesk
Deployment
• new: FSD, TTA, LBR
• extend: EGA, biobanking
REMS = TAAS?
• Accredited institution = Identity federation?
• Requestor’s affiliation = Identity federation (affiliation = ”faculty”)
• Application must be approved = REMS
Links
• REMS
  • https://remsdemo.csc.fi/
  • http://www.csc.fi/rems
  • https://tnc2013.terena.org/core/presentation/18
• Identity federation
  • http://www.edugain.org/technical/status.php
  • https://refeds.org/