
comanage-users - [comanage-users] expressing service-specific roles in COUs

Subject: COmanage Users List

  • From: Bas Zoetekouw <>
  • To: <>
  • Subject: [comanage-users] expressing service-specific roles in COUs
  • Date: Fri, 12 Oct 2018 09:02:27 +0200

Hi everyone,

In one of our pilots a use case has come up for which we're not sure what
the best way is to implement this in COmanage. We are hoping you might
have encountered similar use cases and I'd be very glad to hear your
thoughts.

We are implementing COmanage for a large research university; they want
to use COmanage to empower their researchers to manage their own team
(i.e., handle their own IdM stuff). The university offers
compute facilities to a number of research groups, and they would like
to use COmanage to manage authorizations for this service.

The general access is granted on a research group level, and as these
are mapped onto COUs in COmanage, this is easy to handle. However,
within a typical research group, a number of users are granted
additional privileges. For example, they are allowed to use specific
compute nodes, are allocated more storage, or are allowed to use
specific GPU resources.

We are struggling with how to best express these additional
roles/authorizations in the COU. We can think of a number of options:

- use groups to express the roles; doesn't seem to map quite right, as
the groups are CO-wide and the roles are COU-specific. Will probably
also lead to namespace clashes between authorization groups of different
COUs.
- use the existing :admins or :owner roles in COU; doesn't seem quite
right as these give additional permissions in COmanage, and the people
who need these roles to manage the COUs in COmanage are typically not
the people who need access to the additional resources.
- use COPersonRole Affiliation to express roles; that would require
extending the allowed values for Affiliations, which doesn't feel quite
right.
- use a sub-COU to express specific roles; this seems like a bit of
overkill, in particular because it would require defining specific
enrollment flows for the sub-COU.
- voPersonAffiliation might be a solution, but that is currently still
only a proposal.

Please let me know what you think. I am particularly interested in the
way in which this issue might have been addressed in other COmanage
installations.

Greetings,
Bas.
SURFnet.
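
The namespace clash raised under the first option above, seen from the consuming compute service, as an added example that is not part of the original post and is not COmanage code. The COU names, group names, people and the `<cou>:role:<role>` naming convention are all constructed assumptions; the resolver honours a role only when the person is also a member of the COU the role belongs to.

```python
from collections import defaultdict

# Constructed sample data: (owning COU, CO-wide group name, members).
FLAT_GROUPS = [
    ("astro", "gpu-users", {"alice", "erin"}),
    ("bio", "gpu-users", {"bob"}),
    ("bio", "extra-storage", {"carol"}),
]
# Constructed COU membership; erin is in a role group but not in the COU.
COU_MEMBERS = {"astro": {"alice", "dave"}, "bio": {"bob", "carol"}}


def find_clashes(groups):
    """Group names that more than one COU would need to create CO-wide."""
    owners = defaultdict(set)
    for cou, name, _members in groups:
        owners[name].add(cou)
    return {n: sorted(c) for n, c in owners.items() if len(c) > 1}


def scoped_name(cou, role):
    """Hypothetical convention: prefix the role group with its COU name.
    Assumes COU names themselves contain no ':'."""
    return f"{cou}:role:{role}"


def build_scoped(groups):
    """Rename the flat groups so each one carries its COU in the name."""
    return {scoped_name(c, n): set(m) for c, n, m in groups}


def privileges(person, cou_members, scoped_groups):
    """Per-COU roles for a person, as the compute service would derive them."""
    result = defaultdict(set)
    for gname, members in scoped_groups.items():
        parts = gname.split(":", 2)
        if len(parts) != 3 or parts[1] != "role":
            continue  # not a role group under this convention
        cou, _marker, role = parts
        # A role is COU-specific: group membership alone is not enough.
        if person in members and person in cou_members.get(cou, set()):
            result[cou].add(role)
    return {c: sorted(r) for c, r in result.items()}


if __name__ == "__main__":
    print("clashes:", find_clashes(FLAT_GROUPS))
    scoped = build_scoped(FLAT_GROUPS)
    for who in ("alice", "bob", "carol", "dave", "erin"):
        print(who, privileges(who, COU_MEMBERS, scoped))
```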

