Resource Entitlement Management System
Manne Miettinen, Mikael Linden, Janne Lauros – CSC – IT Center for Science
Affaire Tournesol
Background
CSC is a non-profit state company
– ICT services for research groups & higher education institutes
– Wide co-operation with universities and research institutes (incl. Statistics Finland)
CSC has operated the Finnish academic identity federation, Haka, since 2005
– Switzerland and Finland are the European pioneers in federated identity
Identity federation
Figure: identity federation. University A, Research Institute B and Polytechnic C each maintain local user accounts; Service 1 (e.g. a library portal) and Service 2 (a learning management system, LMS) serve users from all of them.
Haka – the federation of Finnish HE
Figure: Haka, the federation of the Finnish higher education.
Identity Providers (home universities): U of Turku, U of Helsinki, U of Tampere, UAS of Turku, UAS of Helsinki, etc.
Service Providers: National Library portal; institutional library management systems; learning management systems (Moodle etc.); ASP/SaaS services in university administration; CSC’s services to researchers (HPC, grids).
– The Identity Provider maintains the end user’s identities (identifiers, roles and other attributes)
– The Identity Provider authenticates an end user
– The Identity Provider releases the end user’s attributes to the Service Provider
– Based on the attributes, the Service Provider decides what kind of services the user is authorised to use
Relying on the REMS access rights
Figure: three ways a Service Provider can rely on REMS access rights.
(a) External attribute provider: the Identity Provider releases the user’s attributes to the Service Provider, and a separate REMS Attribute Provider releases the user’s entitlements.
(b) IdP proxy: the Identity Provider releases the attributes to the REMS IdP proxy, which releases attributes + entitlements to the Service Provider.
(c) Or a custom REMS integration.
Identity Federations in Europe
Federated identity + workflow = REMS
The basic idea of REMS is to
– replace the paper-based application process with an automated tool
– build on top of federated identity to avoid unnecessary and error-prone manual maintenance of user information
Resource entitlement management system (REMS)
Access to research datasets
0. Fully public access
1. Researcher has a role/group membership
– IdP-managed/VO-managed
2. Researcher commits to the dataset’s licence terms
3. Researcher fills in and submits an application
– Dataset owner approves/rejects
Or any combination of 1, 2 and 3.
The REMS concept
Figure: the REMS concept. Actors: the applicant (principal investigator) and the research group (members of the application); DAC 1 and DAC 2 as approvers of Dataset 1 and Dataset 2; REMS, holding the metadata on datasets 1 & 2, the workflow, reports and entitlements; the IdPs and the SP.
1. Apply for access
2. Commit to licence terms
3. Circulate to approver
4. Approve
5. Access
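The access levels above (role membership, licence commitment, approved application, or any combination) expressed as a per-dataset policy, with the resulting entitlements checked by a Service Provider. This is an added example, not REMS’s own code; the URN format, the eduPersonEntitlement attribute name and the sample datasets, groups and applicants are constructed.

```python
from dataclasses import dataclass
from enum import Enum

class Req(Enum):
    ROLE = 1      # level 1: role/group membership (IdP- or VO-managed)
    LICENCE = 2   # level 2: researcher commits to the dataset's licence terms
    APPROVAL = 3  # level 3: application approved by the dataset owner (DAC)

@dataclass(frozen=True)
class Dataset:
    name: str
    reqs: frozenset            # empty == level 0, fully public
    required_group: str = ""   # group the IdP/VO must assert for Req.ROLE

@dataclass
class Application:
    dataset: str
    applicant: str             # federated identifier released by the home IdP
    licence_accepted: bool = False
    approved: bool = False     # set by the DAC approver in the workflow

def entitlements(user: str, groups: set, datasets, applications) -> set:
    """Entitlement values REMS would release for `user` (constructed URN format)."""
    apps = {a.dataset: a for a in applications if a.applicant == user}
    granted = set()
    for ds in datasets:
        app = apps.get(ds.name)
        checks = {
            Req.ROLE: ds.required_group in groups,
            Req.LICENCE: app is not None and app.licence_accepted,
            Req.APPROVAL: app is not None and app.approved,
        }
        if all(checks[r] for r in ds.reqs):   # any combination of 1, 2 and 3
            granted.add(f"urn:example:rems:{ds.name}")
    return granted

def sp_allows(released_attributes: dict, dataset: str) -> bool:
    """Service Provider decision from the attributes + entitlements it received."""
    return f"urn:example:rems:{dataset}" in released_attributes.get("eduPersonEntitlement", [])

# Constructed sample data: three datasets at different access levels, two applicants
DATASETS = [
    Dataset("open-survey", frozenset()),
    Dataset("biobank-x", frozenset({Req.ROLE, Req.LICENCE}), "biobank-consortium"),
    Dataset("nordic-control-db", frozenset({Req.LICENCE, Req.APPROVAL})),
]
APPS = [
    Application("biobank-x", "alice@example.edu", licence_accepted=True),
    Application("nordic-control-db", "alice@example.edu", licence_accepted=True),
    Application("nordic-control-db", "bob@example.edu", licence_accepted=True, approved=True),
]
```

Alice gets the public and the group-plus-licence datasets but not the one still awaiting DAC approval; Bob, with an approved application, gets that one instead.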
CASE: Finnish Social Science Data Archive
CASE: process for applying access to the Nordic Control Database
Figure: swimlane diagram of applying access rights to the Nordic control DB. Lanes: research group members, principal investigator (PI), DAC secretary, DAC, operator. Phases: Submission, Sanity check, Decision, Implementation.
Submission: the PI fills in or updates an application, commits to the terms of use and submits the application.
Sanity check: the DAC secretary makes a technical check of the application, requests amendments where needed, and proposes approval or rejection.
Decision: the DAC approves, rejects or requests amendment of the application; the PI is informed of the decision and learns that access has been granted or denied. Access grant? No: end. Yes: the operator is informed.
Implementation: the operator implements the DAC’s decision (access rights for the research group) and informs how to access; the research group members learn how to use the access rights. End.
Benefits of REMS
– Reduces throughput times of the application process
– Provides easier reporting/audit tools for owners of the resource and the applicant
– Increases information security also by relying on end users’ home institutions’ usernames/passwords and federated authentication
The REMS implementation
Created originally in the ELIXIR ESFRI project
– Academy of Finland and Ministry of Education and Culture (via CSC), e.g. NOT EU FP7, EMBL etc.
ELIXIR Finland, hosted at CSC, offers REMS as a service for biomedical data hosting services in ELIXIR
Discipline-independent
A Java portlet on Liferay, using the Vaadin framework
Open source (LGPL)
Work-in-progress
Development: UI improvements, vulnerability tests, documentation, publishing the code, bug fixes and feature requests
Operations: maintenance, support, helpdesk
Deployment: new: FSD, TTA, LBR; extend: EGA, biobanking
REMS DEMO
REMS = TAAS?
1. Accredited institution = Identity federation?
2. Requestor’s affiliation = Identity federation (affiliation = ”faculty”)
3. Application must be approved = REMS
Links
REMS
https://remsdemo.csc.fi/
http://www.csc.fi/rems
https://tnc2013.terena.org/core/presentation/18
Identity federation
http://www.edugain.org/technical/status.php
https://refeds.org/