Managing grid users and provisioning grid user accounts is the ultimate goal of Dorian. A grid user account is created the first time the user attempts to create a grid proxy with a SAML Assertion signed by a Trusted Identity Provider (IdP). For each user Dorian maintains the user's local user id within their IdP, first name, last name, and email address; this information is obtained from the SAML Assertion presented to Dorian when the proxy is created. When a user account is created, Dorian creates a long term certificate and private key for the user; the certificate is signed by Dorian's certificate authority. Dorian keeps the user's private key and certificate locally and never distributes them to anyone. It uses them to create and sign the grid proxies with which the user authenticates to grid services. The subject of the user's certificate is composed of (1) information from Dorian's CA subject, (2) the id of the user's IdP, and (3) the user's local id within the IdP, giving each user a unique identity in the grid.
Each user account also has a status: Active, Suspended, Pending, or Expired. Only users with an Active status are allowed access to the grid. When a grid user account is first created, its initial status depends on the user policy configured for the user's IdP: if a manual approval policy is specified, the initial status is Pending; if an automatic approval policy is specified, the initial status is Active. When a user's long term certificate expires, the status of the user's account is set to Expired if the user's IdP specifies a manual renewal policy; an administrator must then manually renew the user's credentials to grant the user access to the grid again. If instead an auto renewal policy is specified for the user's IdP, Dorian automatically renews the user's long term certificate and private key, and the account status remains Active. As mentioned earlier, users whose account status is not Active cannot create grid proxies; their certificates are also published in the Dorian Certificate Authority's Certificate Revocation List (CRL), which Dorian publishes to the Grid Trust Service (GTS). Finally, each user account is assigned a role within Dorian, either User or Administrator. Users with the Administrator role may create grid proxies and administer Trusted IdPs and grid user accounts within Dorian. Users with the User role may only create grid proxies. Use the following steps to administer grid user accounts using the GAARDS UI.
Open the Account Management window by selecting User Management => Grid Account Management => Grid User Management.
From this window, you can search for grid user accounts managed by Dorian, manage user accounts, and remove user accounts. To list all grid user accounts managed by a Dorian, select the URI of the Dorian you are interested in from the Service drop down. If the URI of the Dorian you are interested in is not listed, enter it.
Select the grid proxy to use from the Proxy drop down; it must be the proxy of a Dorian administrator.
Finally, click the Find Users button to list all the grid user accounts managed by the selected Dorian. To narrow the search, specify search criteria. Dorian supports the following search criteria on grid user accounts: Identity Provider, user id, grid identity, first name, last name, email, and user status. For example, to find all accounts that are pending administrative approval, select Pending from the User Status drop down.
User Account Management
User Management
Use the following steps to manage individual grid user accounts through the GAARDS UI.
From the Account Management window select the user of interest and click the Manage User button.
From the Manage User window you can view the user's information or change the user's account status. For example, if the user's IdP requires manual approval, you may change the status from Pending to Active. To revoke a user's access to the grid, change the account status to Suspended.
To commit changes made to a user's status, click the Update User button; the change takes effect immediately.
Alternatively, you may renew a user's long term certificate and private key, for example if they have expired or are about to expire. Details of the user's long term certificate are shown on the Certificate tab. To renew the user's long term certificate and private key, click the Renew Credentials button.
Removing a Grid User Account
To remove an individual grid user account through the GAARDS UI, open the Account Management window, select the user to remove and click the Remove User button. Note that if you remove a user's grid user account, a new one will automatically be created if they try to create a proxy again; if their IdP uses an automatic approval policy, that new account is Active immediately. Thus removing an account does not always revoke access to the grid. To disable access to the grid, change the user's account status to Suspended. In most cases grid user accounts should only be removed if the user is no longer affiliated with their Identity Provider.
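The account lifecycle described at the top of this page (provisioning on the first proxy request, the approval and renewal policies, proxy creation only for Active accounts, non-Active certificates in the CRL) and the remove-versus-suspend caveat above, modeled in Python as an added example. This is not Dorian's own code (Dorian is a Java service): the class and method names, the CA subject string, the exact composition of the certificate subject, the 365-day certificate lifetime, the 12-hour proxy lifetime, and checking certificate expiry at proxy-creation time are all assumptions made for illustration, and certificates are represented by serial numbers rather than real X.509 objects. Signature verification of the SAML Assertion is assumed to have happened before the attributes reach `create_proxy`.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum

class Status(Enum):
    ACTIVE = "Active"
    SUSPENDED = "Suspended"
    PENDING = "Pending"
    EXPIRED = "Expired"

@dataclass
class IdPPolicy:
    idp_id: int
    auto_approve: bool  # False = manual approval: new accounts start Pending
    auto_renew: bool    # False = manual renewal: accounts become Expired

@dataclass
class Account:
    idp_id: int
    user_id: str
    first_name: str
    last_name: str
    email: str
    status: Status
    cert_serial: int  # stands in for the long term cert and key Dorian keeps locally
    cert_not_after: datetime

class Dorian:
    # Assumed CA subject; a deployment uses whatever its Dorian CA was issued with.
    CA_SUBJECT = "O=caBIG,OU=caGrid,OU=Training,OU=Dorian"

    def __init__(self, policies, cert_lifetime=timedelta(days=365)):
        self.policies = {p.idp_id: p for p in policies}
        self.accounts = {}  # (idp_id, user_id) -> Account
        self.cert_lifetime = cert_lifetime
        self._next_serial = 1

    def grid_identity(self, idp_id, user_id):
        # Assumed composition of the three parts named in the text.
        return f"{self.CA_SUBJECT},OU=IdP [{idp_id}],CN={user_id}"

    def _issue_cert(self, now):
        serial, self._next_serial = self._next_serial, self._next_serial + 1
        return serial, now + self.cert_lifetime

    def create_proxy(self, assertion, now):
        """assertion: attributes from a SAML assertion whose signature has
        already been checked against the Trusted IdP's certificate (assumed)."""
        idp_id, user_id = assertion["idp_id"], assertion["user_id"]
        policy = self.policies.get(idp_id)
        if policy is None:
            raise PermissionError("assertion is not from a Trusted IdP")
        acct = self.accounts.get((idp_id, user_id))
        if acct is None:  # first proxy request: provision the account
            serial, not_after = self._issue_cert(now)
            acct = Account(idp_id, user_id, assertion["first_name"],
                           assertion["last_name"], assertion["email"],
                           Status.ACTIVE if policy.auto_approve else Status.PENDING,
                           serial, not_after)
            self.accounts[(idp_id, user_id)] = acct
        elif acct.status is Status.ACTIVE and now >= acct.cert_not_after:
            # Long term cert expired; checking it at proxy time is an assumption.
            if policy.auto_renew:
                acct.cert_serial, acct.cert_not_after = self._issue_cert(now)
            else:
                acct.status = Status.EXPIRED
        if acct.status is not Status.ACTIVE:
            raise PermissionError(f"account is {acct.status.value}")
        # Proxy is signed with the user's long term key; it cannot outlive the cert.
        return {"subject": self.grid_identity(idp_id, user_id),
                "not_after": min(now + timedelta(hours=12), acct.cert_not_after)}

    # Administrator operations behind the Manage User / Remove User buttons.
    def update_status(self, idp_id, user_id, status):
        self.accounts[(idp_id, user_id)].status = status

    def renew_credentials(self, idp_id, user_id, now):
        acct = self.accounts[(idp_id, user_id)]
        acct.cert_serial, acct.cert_not_after = self._issue_cert(now)
        if acct.status is Status.EXPIRED:
            acct.status = Status.ACTIVE

    def remove_user(self, idp_id, user_id):
        del self.accounts[(idp_id, user_id)]  # nothing stops re-provisioning later

    def crl(self):
        """Serials Dorian would publish to the GTS: every non-Active account's cert."""
        return sorted(a.cert_serial for a in self.accounts.values()
                      if a.status is not Status.ACTIVE)

def proxy_refused(dorian, assertion, now):
    """True if Dorian refuses to create a proxy for this assertion."""
    try:
        dorian.create_proxy(assertion, now)
        return False
    except PermissionError:
        return True
```

Running two IdPs through this model, one with manual approval and manual renewal and one with automatic approval and automatic renewal, shows the caveat concretely: a removed user on the automatic-approval IdP gets a fresh Active account and a working proxy on the very next request, while a removed user on the manual-approval IdP is re-created as Pending and stays blocked until an administrator approves them. Suspended is the only status an administrator sets that blocks proxy creation regardless of the IdP's policies, and it also keeps the user's certificate on the CRL.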