RBAC

1. RBAC Content: LHC Operational Mode Piquet Roles RBAC Strict LHC Operational mode and CMW Acknowledgements: Pierre C., Wojtek S., Stephen P., Lars J., Verena K., Mike L. R. Alemany LHC Beam Commissioning Meeting

2. LHC Operational Mode • What is the LHC Operational Mode? 16 bit word in which only 9 bits are used: IF BEAM MODE BIT = OPERATIONAL, SECTOR BITS ARE OVERRIDDEN The OPERATIONAL MODE doesn’t change often, it is associated to the ACCELERATOR MODE • Which ACCELERATOR MODES are considered OPERATIONAL and which are considered NON-OPERATIONAL: R. Alemany LHC Beam Commissioning Meeting

3. Equipment is accessible by: 1. Anywhere  Expert ROLES 2. Inside the LHC CCC  LHC Operator ROLE Equipment is accessible by: 1. Outside the LHC CCC  Piquet ROLES 2. Inside the LHC CCC  Expert & LHC Operator ROLES

4. What is a LHC Piquet Role? EIC on shift

5. LHC Piquet Roles • Issue 1: if the intervention is finished before the expiration time, the TOKEN associated to the ROLE is still active  be careful. • Issue 2: if one removes the user from the DB when the intervention is finished, the TOKEN associated to the ROLE is still active. • Currently the only way to be protected from this is to close the application that has been used to performed the intervention  More reliable solutions are being studied. NAME CONVENTION: XX-LHC-Piquet (e.g. BT-LHC-Piquet, PO-LHC-Piquet) No users in these roles except when needed R. Alemany LHC Beam Commissioning Meeting

6. Relationship between LHC Operational Mode and Roles: (Device access map example) If nothing indicated = ANYWHERE/ANYMODE R. Alemany LHC Beam Commissioning Meeting

7. When LHC Piquet Roles will be active? Here we should be flexible, machine is still under debugging

8. During Beam Commissioning: • Beam Commissioning WITH Safe Beam: • Beam Commissioning WITH UNSafe Beam: R. Alemany LHC Beam Commissioning Meeting

9. Switching to RBAC STRICT • What RBAC STRICT means? • You need a TOKEN which is provided by the client application • The token contains a ROLE with RULES: • To GET or MONITOR if there are no RULES defined then the command goes through, if there are RULES defined then they are taken into account. • To SETTHERE MUST BE RULES DEFINED, otherwise access is denied. Then the rules are taken into account to grant access to the equipment. R. Alemany LHC Beam Commissioning Meeting

10. Switching to RBAC STRICT • Preparation: FGC devices have been in STRICT since the end of Sep ‘08 • Preparation: dry runs March ‘09 STRICT mode for PO, BI, BT and RF • Preparation: June ’09 • Pierre meets the equipment experts to clean up the ROLES and RULES • Reyes makes sure all the CCC applications implement the RBAC integrator • Expert applications (Java, C++, LabVIEW, PVSS, ) going through CMW have to implement RBAC (via the integrator or custom way) • 16th June: dry run with HWC, QPS and CRYO to understand how the STRICT mode will affect them R. Alemany LHC Beam Commissioning Meeting

11. Switching to RBAC STRICT • Dry Run: 14-15th July ’09  the WHOLE LHC to STRICT. • If successful  from the 15th of July on we’ll work with RBAC STRICT R. Alemany LHC Beam Commissioning Meeting

12. How CMW gets the LHC OPERATIONAL MODE? LHC OPERATIONAL MODE LHC Sequencer LSA DB CMW Server OR TIMING TELEGRAM CMW CMW CMW CMW RBAC RBAC RBAC RBAC FESA FESA FESA FESA FE FE FE FE R. Alemany LHC Beam Commissioning Meeting