
Resource Entitlement Management System
Manne Miettinen, Mikael Linden, Janne Lauros
CSC – IT Center for Science

Affaire Tournesol

Background
CSC is a non-profit state company
– ICT services for research groups & higher education institutes
– Wide co-operation with universities and research institutes (incl. Statistics Finland)
CSC has operated the Finnish academic identity federation, Haka, since 2005
– Switzerland and Finland are the European pioneers in federated identity

Identity federation
[Diagram labels: University A; Research Institute B; Polytechnic C; Service 1; Service 2; Learning management system (LMS); e.g. Library portal; Local user accounts]

Haka – the federation of Finnish HE
[Diagram: Identity Provider (Home university) and Service Provider. IdPs: U of Turku, U of Helsink, U of Tamper, UAS of Turk, UAS of Hels, etc. SPs: National Library portal; Institutiona Library Management Systems; Learning Management System (Moodle etc); ASP/SaaS services in university administration; CSC’s services to researchers (HPC, grids); etc.]
Haka federation of the Finnish higher education
Ø Identity Provider maintains the end user’s identities (identifiers, roles and other attributes)
Ø Identity Provider authenticates an end user
Ø Identity Provider releases the end user’s attributes to the Service Provider
Ø Based on the attributes, the Service Provider decides what kind of services the user is authorised to use

Relying on the REMS access rights
(a) External attribute provider [diagram labels: Identity Provider; attributes; Service Provider; entitlements; REMS Attribute Provider]
(b) IdP proxy [diagram labels: Identity Provider; attributes; REMS IdP proxy; attributes + entitlements; Service Provider]
(c) Or a custom REMS integration

Identity Federations in Europe

Federated identity + workflow = REMS
Basic idea of REMS is to
– replace paper-based application process with an automated tool
– build on top of federated identity to avoid unnecessary and error-prone manual maintenance work of user information

Access to research datasets
0. Fully public access
1. Researcher has a role/group membership – IdP managed/VO-managed
2. Researcher commits to datasets’ licence terms
3. Researcher fills in and submits an application - Dataset owner approves/rejects
Resource entitlement management system (REMS)
Or any combination of 1, 2 and 3.

The REMS concept
1. Apply for access
2. Commit to licence terms
3. Circulate to approver
4. Approve
5. Access
[Diagram labels: Applicant; Principal investigator; Research group; Members of the application; IdP; SP; REMS; Workflow; Reports; Entitlements; DAC 1 Approver; DAC 2 Approver; Dataset 1; Dataset 2; Metadata on dataset 1&2]
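The access conditions from the "Access to research datasets" slide and the apply/commit/approve/access steps above, modelled as an added example that is not REMS code or its API. All class, function and attribute names and the sample identifiers are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Policy:
    """Per-dataset requirements; any combination of conditions 1, 2 and 3."""
    affiliation: Optional[str] = None   # 1: role/group released by the home IdP
    licence: Optional[str] = None       # 2: licence terms the researcher commits to
    needs_approval: bool = False        # 3: application approved by the dataset owner

@dataclass
class Application:
    applicant: str                      # federated identifier, not a local account
    dataset: str
    accepted_licences: set = field(default_factory=set)
    approved_by: Optional[str] = None

class EntitlementService:
    """Hypothetical stand-in for the workflow; not the REMS code base."""
    def __init__(self, policies, approvers):
        self.policies, self.approvers = policies, approvers
        self.entitlements = set()       # (user, dataset) pairs the SP relies on
        self.audit = []                 # trail for reporting

    def approve(self, app, approver):
        # Only a member of the dataset's approver group (DAC) may approve.
        if approver not in self.approvers.get(app.dataset, ()):
            raise PermissionError(f"{approver} is not an approver for {app.dataset}")
        app.approved_by = approver
        self.audit.append(("approved", app.dataset, app.applicant, approver))

    def evaluate(self, app, idp_attributes):
        """Return unmet conditions; grant the entitlement only when none remain."""
        policy, missing = self.policies[app.dataset], []
        if policy.affiliation and policy.affiliation not in idp_attributes.get("affiliation", ()):
            missing.append("affiliation")
        if policy.licence and policy.licence not in app.accepted_licences:
            missing.append("licence")
        if policy.needs_approval and app.approved_by is None:
            missing.append("approval")
        if not missing:
            self.entitlements.add((app.applicant, app.dataset))
        self.audit.append(("evaluated", app.dataset, app.applicant, tuple(missing)))
        return missing

def sp_authorise(service, user, dataset):
    # Service Provider side: deny by default, allow only on an issued entitlement.
    return (user, dataset) in service.entitlements
```

The audit list stands in for the "Reports" box: every evaluation and approval is recorded with the federated identifier, so a denied request is as traceable as a granted one.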

CASE: Finnish Social Science Data Archive

CASE: process for applying access to the Nordic Control Database

Benefits of REMS
– Reduces throughput times of the application process
– Provides easier reporting/audit tools for owners of the resource and the applicant
– Increases information security also by relying on end users’ home institutions’ usernames/passwords and federated authentication

The REMS implementation
Created originally in the ELIXIR ESFRI project
– Academy of Finland, Ministry of Education and Culture (via CSC)
– e.g. NOT EU FP7, EMBL etc.
ELIXIR Finland hosted at CSC offers REMS as a service for biomedical data hosting services in ELIXIR
Discipline-independent
A Java portlet on Liferay, using Vaadin framework
Open source (LGPL)

Work-in-progress
Development
– UI improvements, vulnerability tests, documentation, publish the code, bug fixes and feature requests
Operations
– maintenance, support, helpdesk
Deployment
– new: FSD, TTA, LBR
– extend: EGA, biobanking


REMS = TAAS?
1. Accredited institution = Identity federation?
2. Requestor’s affiliation = Identity federation (affiliation = ”faculty”)
3. Application must be approved = REMS

Links
REMS
– https://remsdemo.csc.fi/
– http://www.csc.fi/rems
– https://tnc2013.terena.org/core/presentation/18
Identity federation
– http://www.edugain.org/technical/status.php
– https://refeds.org/