Resource Entitlement Management System
Manne Miettinen, Mikael Linden, Janne Lauros
CSC – IT Center for Science
Affaire Tournesol
Background
- CSC is a non-profit state company: ICT services for research groups & higher education institutes; wide co-operation with universities and research institutes (incl. Statistics Finland)
- CSC has operated the Finnish academic identity federation, Haka, since 2005; Switzerland and Finland are the European pioneers in federated identity
Identity federation (diagram): University A, Research Institute B and Polytechnic C each maintain local user accounts; their users access Service 1 (e.g. a library portal) and Service 2 (a learning management system, LMS).
Haka – the federation of Finnish higher education (diagram)
Service Providers: National Library portal; institutional Library Management Systems; Learning Management System (Moodle etc); ASP/SaaS services in university administration.
Identity Providers (home universities): U of Turku, U of Helsinki, UAS of Turku, U of Tampere, UAS of Helsinki, etc.
- The Identity Provider maintains the end user's identity (identifiers, roles and other attributes)
- The Identity Provider authenticates the end user
- The Identity Provider releases the end user's attributes to the Service Provider
- Based on the attributes, the Service Provider decides what kind of services the user is authorised to use
CSC's services to researchers (HPC, grids) (diagram: the institutions' IdPs authenticate the users; CSC's services act as SPs in the federation)
Relying on the REMS access rights
Three ways for a Service Provider to receive the REMS entitlements alongside the federated attributes:
(a) External attribute provider: the Identity Provider releases the attributes and the REMS Attribute Provider releases the entitlements to the Service Provider.
(b) IdP proxy: the Identity Provider releases the attributes to the REMS IdP proxy, which releases attributes + entitlements to the Service Provider.
(c) Or a custom REMS integration.
Identity Federations in Europe
Federated identity + workflow = REMS
The basic idea of REMS is to:
- replace the paper-based application process with an automated tool
- build on top of federated identity to avoid unnecessary and error-prone manual maintenance of user information
Resource entitlement management system (REMS)
Access to research datasets:
0. Fully public access
1. Researcher has a role/group membership (IdP-managed or VO-managed)
2. Researcher commits to the dataset's licence terms
3. Researcher fills in and submits an application; the dataset owner approves/rejects
Or any combination of 1, 2 and 3.
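The access models above combine into a per-dataset policy that the Service Provider evaluates from what it receives: federated attributes from the home IdP plus REMS entitlements. The following is an added example (not REMS code, not part of the original slides) of that decision logic. The attribute names eduPersonAffiliation and eduPersonEntitlement are real eduPerson schema attributes; the entitlement URN prefix, the DatasetPolicy/User records and the dataset ids are assumptions made for the example. A missing attribute fails closed: the condition is simply not met.

```python
"""Added example: evaluating a dataset's access policy from federated
attributes and REMS entitlements.  Not REMS project code."""
from dataclasses import dataclass

# Assumed URN format under which REMS entitlements travel as
# eduPersonEntitlement values (integration options (a)/(b) on the page).
ENTITLEMENT_PREFIX = "urn:example:rems:dataset:"


@dataclass(frozen=True)
class DatasetPolicy:
    """Any combination of the page's conditions 1, 2 and 3; none = public (0)."""
    dataset_id: str
    required_affiliations: frozenset = frozenset()  # condition 1; empty = not required
    licence_required: bool = False                  # condition 2
    approval_required: bool = False                 # condition 3

    @property
    def is_public(self) -> bool:
        return not (self.required_affiliations
                    or self.licence_required
                    or self.approval_required)


@dataclass
class User:
    eppn: str
    attributes: dict          # multi-valued attributes released by the home IdP
    licence_commitments: set  # dataset ids whose terms the user accepted in REMS
    entitlements: set         # dataset ids with an approved application in REMS


def entitlements_from_attributes(attributes: dict) -> set:
    """Dataset ids carried inside eduPersonEntitlement; other values ignored."""
    return {v[len(ENTITLEMENT_PREFIX):]
            for v in attributes.get("eduPersonEntitlement", [])
            if v.startswith(ENTITLEMENT_PREFIX)}


def decide(user: User, policy: DatasetPolicy):
    """Return (granted, reasons).  Every unmet condition is reported so the
    applicant sees what is missing; absent attributes count as unmet."""
    if policy.is_public:
        return True, ["public dataset"]
    reasons = []
    if policy.required_affiliations:
        affils = set(user.attributes.get("eduPersonAffiliation", []))
        if not affils & policy.required_affiliations:
            reasons.append("affiliation %s not in %s" % (
                sorted(affils) or "none", sorted(policy.required_affiliations)))
    if policy.licence_required and policy.dataset_id not in user.licence_commitments:
        reasons.append("licence terms not accepted")
    if policy.approval_required:
        granted = user.entitlements | entitlements_from_attributes(user.attributes)
        if policy.dataset_id not in granted:
            reasons.append("no approved application")
    return (not reasons), (reasons or ["all conditions met"])


if __name__ == "__main__":
    # Constructed sample: a faculty member who accepted the terms and holds
    # the entitlement as an eduPersonEntitlement value.
    alice = User("alice@example.edu",
                 {"eduPersonAffiliation": ["faculty", "member"],
                  "eduPersonEntitlement": [ENTITLEMENT_PREFIX + "ds2"]},
                 {"ds2"}, set())
    policy = DatasetPolicy("ds2", frozenset({"faculty"}), True, True)
    print(decide(alice, policy))
```

The policy object is frozen on purpose: the SP should load it from the dataset metadata, not let request handling mutate it. Reporting all unmet conditions at once mirrors the page's "or any combination" rule, where a user may satisfy 1 and 2 but still lack 3.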
Roles (diagram): Principal investigator (the applicant); research group (members of the application)
The REMS concept (diagram)
REMS holds the metadata on datasets 1 & 2 together with the workflow, reports and entitlements. The applicant authenticates through a home IdP; each dataset has its own approver (DAC 1 approver, DAC 2 approver); the SP hosting the data relies on the entitlements.
1. Apply for access
2. Commit to licence terms
3. Circulate to approver
4. Approve
5. Access
CASE: Finnish Social Science Data Archive
CASE: process for applying access to the Nordic Control Database (flowchart; swimlanes: research group members, Principal Investigator, DAC secretary, DAC operator; phases: Submission, Sanity check, Decision, Implementation)
Start
1. Submission (Principal Investigator): fill in or update an application and commit to the terms of use; submit the application.
2. Sanity check (DAC secretary): technical check of the application; either request amendments (back to the PI, who updates and resubmits) or propose approval or rejection.
3. Decision (DAC): approval, rejection or request to amend the application; the PI is informed of the decision. Access granted? No: the PI learns access has been denied; End. Yes: the secretary informs the operator.
4. Implementation of the DAC's decision (DAC operator): implement access rights for the research group; inform the PI how to access. The PI learns access has been granted and the research group members learn how to use the access rights. End.
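The REMS concept steps and the Nordic Control Database flowchart above describe one procedure: an application moves through submission, sanity check, decision and implementation, with an amend loop, and access rights exist only after the operator implements the DAC's decision. The following is an added example (not REMS code, not part of the original slides) modelling that workflow as a state machine with role-gated transitions. The state and role names, the Application record and the sample identities are assumptions for the example; the page does not describe REMS's internal data model. The security-relevant checks are that each transition is tied to one role, that nobody who is part of the application can act for the DAC on it, and that entitlements are derived from the state rather than stored separately.

```python
"""Added example: the application workflow as a role-gated state machine.
Not REMS project code; names and roles are assumptions."""
from dataclasses import dataclass, field
from enum import Enum, auto


class State(Enum):
    DRAFT = auto()
    SUBMITTED = auto()        # waiting for the DAC secretary's technical check
    AMEND_REQUESTED = auto()  # back with the PI
    CIRCULATED = auto()       # with the DAC approvers
    APPROVED = auto()         # decided, not yet implemented
    REJECTED = auto()
    IMPLEMENTED = auto()      # operator has set up the access rights


class Role(Enum):
    PI = auto()
    DAC_SECRETARY = auto()
    DAC_APPROVER = auto()
    DAC_OPERATOR = auto()


# (current state, action) -> (role allowed to perform it, next state)
TRANSITIONS = {
    (State.DRAFT, "submit"): (Role.PI, State.SUBMITTED),
    (State.AMEND_REQUESTED, "submit"): (Role.PI, State.SUBMITTED),
    (State.SUBMITTED, "request_amendments"): (Role.DAC_SECRETARY, State.AMEND_REQUESTED),
    (State.SUBMITTED, "circulate"): (Role.DAC_SECRETARY, State.CIRCULATED),
    (State.CIRCULATED, "approve"): (Role.DAC_APPROVER, State.APPROVED),
    (State.CIRCULATED, "reject"): (Role.DAC_APPROVER, State.REJECTED),
    (State.CIRCULATED, "request_amendments"): (Role.DAC_APPROVER, State.AMEND_REQUESTED),
    (State.APPROVED, "implement"): (Role.DAC_OPERATOR, State.IMPLEMENTED),
}


class WorkflowError(Exception):
    pass


@dataclass
class Application:
    dataset_id: str
    pi: str
    members: set                 # research group members named on the application
    terms_accepted: bool = False
    state: State = State.DRAFT
    history: list = field(default_factory=list)  # audit trail for the reports

    def act(self, actor: str, role: Role, action: str) -> State:
        try:
            allowed_role, next_state = TRANSITIONS[(self.state, action)]
        except KeyError:
            raise WorkflowError("%r not allowed in state %s" % (action, self.state.name))
        if role is not allowed_role:
            raise WorkflowError("%r requires %s, %s acted as %s"
                                % (action, allowed_role.name, actor, role.name))
        if role is Role.PI and actor != self.pi:
            raise WorkflowError("%s is not the PI of this application" % actor)
        # Separation of duties: applicants never act for the DAC on their own case.
        if role is not Role.PI and (actor == self.pi or actor in self.members):
            raise WorkflowError("%s is part of the application and cannot act as %s"
                                % (actor, role.name))
        if action == "submit" and not self.terms_accepted:
            raise WorkflowError("cannot submit before committing to the terms of use")
        self.history.append((actor, role.name, action, next_state.name))
        self.state = next_state
        return next_state


def entitlements(app: Application) -> set:
    """(person, dataset) pairs; empty until the operator has implemented the decision."""
    if app.state is not State.IMPLEMENTED:
        return set()
    return {(person, app.dataset_id) for person in app.members | {app.pi}}


if __name__ == "__main__":
    # Constructed sample run through the amend loop to implementation.
    app = Application("ncdb", "pi@uni.example", {"member@uni.example"})
    app.terms_accepted = True
    app.act("pi@uni.example", Role.PI, "submit")
    app.act("secretary@dac.example", Role.DAC_SECRETARY, "request_amendments")
    app.act("pi@uni.example", Role.PI, "submit")
    app.act("secretary@dac.example", Role.DAC_SECRETARY, "circulate")
    app.act("chair@dac.example", Role.DAC_APPROVER, "approve")
    app.act("operator@csc.example", Role.DAC_OPERATOR, "implement")
    for entry in app.history:
        print(entry)
    print(entitlements(app))
```

Keeping the transition table as data makes the reachable states easy to review, and computing entitlements from the state means a rejected or merely approved application can never leak an access right that the operator has not yet implemented.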
Benefits of REMS
- Reduces throughput times of the application process
- Provides easier reporting/audit tools for the owners of the resource and for the applicant
- Also increases information security by relying on the end users' home institution usernames/passwords and federated authentication, instead of service-specific credentials
The REMS implementation
- Created originally in the ELIXIR ESFRI project, funded nationally (Academy of Finland and Ministry of Education and Culture via CSC), i.e. NOT by EU FP7, EMBL etc.
- ELIXIR Finland, hosted at CSC, offers REMS as a service for biomedical data hosting services in ELIXIR
- Discipline-independent
- A Java portlet on Liferay, using the Vaadin framework
- Open source (LGPL)
Work-in-progress
- Development: UI improvements, vulnerability tests, documentation, publishing the code, bug fixes and feature requests
- Operations: maintenance, support, helpdesk
- Deployment: new: FSD, TTA, LBR; extend: EGA, biobanking
REMS DEMO
REMS = TAAS?
1. Accredited institution = Identity federation?
2. Requestor's affiliation = Identity federation (affiliation = "faculty")
3. Application must be approved = REMS
Links
REMS:
https://remsdemo.csc.fi/
http://www.csc.fi/rems
https://tnc2013.terena.org/core/presentation/18
Identity federation:
http://www.edugain.org/technical/status.php
https://refeds.org/