
Dorian


Managing Grid User Accounts



Overview

The GAARDS UI provides a mechanism for viewing and updating Grid user accounts. To manage an individual grid user account, perform a grid user search and select the account you wish to manage. This brings up the Grid User Management Window for the selected user. The window is titled with the user's name and has four tabs: (1) Account Information, (2) User Certificates, (3) Host Certificates, and (4) Audit. The remainder of this page documents each of these tabs.

Account Information

The Account Information tab contains information describing the user's account and the identity of the user.   Below is a table summarizing this information.

| Attribute | Description |
|---|---|
| Dorian | The name of the Dorian hosting the account. |
| Dorian URL | The Service URL of the Dorian hosting the account. |
| Grid Identity | A globally unique identity for the user. Services and other parties use this identity to identify the user. |
| Identity Provider | The identity provider in the federation to which the user belongs. |
| Local User Id | The user's unique identity within the identity provider they belong to. |
| First Name | The user's first name. |
| Last Name | The user's last name. |
| Email | The user's email address. |
| User Status | The status of the user's account. |

The Local User Id, First Name, Last Name, and Email attributes are provided by the user's identity provider in the SAML Assertion issued when the user requests PKI user credentials. Each time the user requests a certificate, Dorian checks these attributes to make sure they have not changed. If the first name, last name, or email address has changed, Dorian updates the user's account to reflect the change. Because these attributes come from the user's identity provider, administrators cannot update them. Of the attributes in the table above, only User Status (the account status) can be updated.

Account Status

The User Status attribute represents the status of a user's account. Dorian supports the following account statuses:

  • Active - The user's account is active; they may request both user and host credentials.
  • Suspended - The user's account is suspended; all active user and host credentials have been revoked until the account status becomes Active.
  • Pending - The user has tried to request a credential, but the account has not yet been activated by an administrator. (See Account Creation for more details.)
  • Rejected - The request for a user account was rejected by an administrator.

A user's account status can be updated through the GAARDS Administrative UI as follows:

  1. From the Grid User Management Window, select the desired account status from the User Status drop-down.
  2. Click the Update Account button.

User Certificates

Each time a user requests a PKI credential from Dorian, Dorian issues and signs a short-term user certificate. The lifetime of the certificate is based on Dorian's configuration. Dorian maintains a list of all the user certificates it has issued and associates them with the user account. Administrators can search for and view all the user certificates issued by Dorian for a given account. More importantly, administrators may revoke individual user certificates, even after they expire. This matters if a certificate was used to digitally sign a document and at some point in the future it is determined that the certificate was compromised at the time the document was signed.

Searching for User Certificates

User Certificates can be viewed and administered through the GAARDS UI.   Under the User Certificates tab in the Grid Account Management Window, administrators can search for user certificates as follows:

  1. Specify your search criteria:
    1. Serial Number - The serial number or unique identifier for the user certificate.
    2. Start Date - Start of a time range in which the certificate was valid.
    3. End Date - End of a time range in which the certificate was valid.
    4. Status - Whether or not the certificate was revoked.
    5. Notes - Administrative notes associated with the certificate.
  2. Click the "Search" button.

When the search has completed, the user certificates meeting your search criteria will be listed in the table in the bottom part of the window.

Viewing User Certificates

Using the GAARDS UI, you can view the details of an individual user certificate. After completing a user certificate search in the Grid Account Management Window, select the certificate and click the View button. The User Certificate Window has two tabs, Details and Audit. The Details tab contains the attributes of the user certificate:

| Attribute | Description |
|---|---|
| Serial Number | Unique identifier for the user certificate within the Dorian CA. |
| Subject | The user's grid identity. |
| Issuer | The distinguished name of the Dorian CA. |
| Created | The date and time the certificate was issued. |
| Expired | The date and time the certificate expires. |
| Status | Whether or not the certificate is revoked (OK or Compromised). |
| Notes | Notes documented by an administrator regarding the certificate. |

For each user certificate, Dorian maintains auditing information that documents each time an administrator updates the certificate (Status or Notes) and, if the certificate is removed, when and by whom it was removed.

Updating User Certificates

The majority of user certificates will never need to be updated. However, there will be some cases where Dorian administrators wish to add notes to a user certificate or change its status to Compromised. In most cases, updates to user certificates will be related to security compromises. Administrators can update the Notes and the Status of user certificates. Updates can be made using the GAARDS Administrative UI by (1) viewing the certificate you wish to update, (2) making the changes to the Notes or Status attributes, and (3) clicking the Update button.

Removing User Certificates

Dorian allows administrators to remove user certificates. Removing a user certificate permanently removes it from Dorian. If a user certificate is revoked (its status is Compromised) when it is removed, the certificate is permanently added to Dorian's CRL. If the user certificate has not been revoked when it is removed, it can NEVER be revoked. For this reason, removing user certificates is generally not recommended. User certificates can be removed through the GAARDS UI by completing a user certificate search in the Grid Account Management Window, selecting the certificate to be removed, and clicking the Remove button.
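
The revocation and removal rules above, as a small model (an added example, not Dorian's code or API). The class and method names, and the `force` guard that refuses to remove an unrevoked certificate by default, are assumptions made for this sketch; the dates and serial numbers are constructed.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class UserCert:
    serial: int
    expires: datetime
    status: str = "OK"      # "OK" or "Compromised", as in the Status attribute
    notes: str = ""


class CertStore:
    """Toy model of the behaviour described above (hypothetical names)."""

    def __init__(self):
        self.certs = {}     # serial -> UserCert still managed by the CA
        self.crl = set()    # serials published as revoked

    def issue(self, serial, expires):
        self.certs[serial] = UserCert(serial, expires)

    def revoke(self, serial, notes):
        # Expiry is deliberately not checked: expired certificates can be revoked.
        cert = self.certs.get(serial)
        if cert is None:
            raise KeyError(f"serial {serial} was removed and can never be revoked")
        cert.status, cert.notes = "Compromised", notes
        self.crl.add(serial)

    def remove(self, serial, force=False):
        cert = self.certs[serial]
        if cert.status != "Compromised" and not force:
            raise ValueError("refusing to remove an unrevoked certificate")
        del self.certs[serial]   # a revoked serial stays in self.crl for good


def demo():
    store = CertStore()
    store.issue(101, datetime(2011, 12, 31))   # constructed: already expired
    store.issue(102, datetime(2012, 1, 2))     # constructed: still valid
    store.revoke(101, "key found compromised after expiry")
    store.remove(101)                 # revoked first, so the CRL entry persists
    store.remove(102, force=True)     # removed while status was still OK
    try:
        store.revoke(102, "compromise discovered later")
        late = "revoked"
    except KeyError:
        late = "cannot revoke"
    return sorted(store.crl), late
```

Serial 101 remains on the CRL after removal, while serial 102 can no longer be revoked once it has been removed unrevoked.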

Host Certificates

In order to establish a secure communication mechanism and authenticate with other services, Web/Grid services need to have PKI credentials. Dorian provides the ability to issue host certificates to users so that they may operate Grid services. Dorian will only issue host certificates to users that have accounts with Dorian. Host certificates issued by Dorian are bound to a specific user account. The user that the host certificate is bound to is referred to as the owner of the host certificate. Dorian enables administrators to list all the host certificates that a given user owns. This can be done using the GAARDS UI by clicking the List button in the Host Certificates tab of the Grid Account Management Window. When the search has completed, all of the host certificates owned by the user will be listed in the table below the List button. You can view and manage an individual host certificate by selecting it and clicking the View button. For additional details on administering host certificates, please consult the Host Certificate Guide.

Auditing

For security purposes and to give administrators insight on a user's account, Dorian maintains a list of auditing information for each user account.   The following is a list of auditing information maintained for each user account:

| Audit Information | Description |
|---|---|
| AccountCreated | Documents when the account was first created. |
| AccountRemoved | Documents when the account was removed. |
| AccountUpdated | Documents when the user account was updated. |
| AdminAdded | Documents when the user was granted administrative access to Dorian. |
| AdminRemoved | Documents when the user's administrative access to Dorian was revoked. |
| AccessDenied | Documents when a user was denied access to Dorian. |
| SuccessfulUserCertificateRequest | Documents when a user was able to successfully obtain PKI user credentials. |
| InvalidUserCertificateRequest | Documents when a user FAILED to obtain PKI user credentials. |

The GAARDS UI allows Dorian administrators to search the auditing information for a given user based on the following search criteria:

| Criteria | Description |
|---|---|
| Reporting Party | The identity of the party that performed or reported the action. |
| Audit Type | The type of auditing information; please consult the table above for the different types. |
| Start Date | The start of the date/time range in which the event occurred. |
| End Date | The end of the date/time range in which the event occurred. |
| Message | Search the content of the Audit Message. |

Using the GAARDS UI, administrators can search the auditing information by completing the following steps:

  1. In the Grid User Management Window for a given user, select the Audit tab.
  2. Enter the desired search criteria; please consult the table above. If no search criteria are specified, all audit records for the user will be returned.
  3. Click the "Search" button.

When the search has completed, the audit records meeting your search criteria will be displayed in the table below the Search button. To view the complete details of a specific audit record, select that record in the table and click the View button. This will launch a window containing the complete details of the audit record you selected.
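
The five search criteria modelled as a filter over audit records, with a review helper that pulls failed credential requests and access denials for a time window (an added example, not Dorian's code or API). The record field names, identities and messages are constructed for this sketch; the audit type names are the ones listed in the table above.

```python
from datetime import datetime

ADMIN = "/O=Example/CN=admin"      # constructed identities
DORIAN = "/O=Example/CN=dorian"

# Constructed sample audit records for one user account.
RECORDS = [
    {"reporter": ADMIN, "type": "AccountCreated",
     "when": datetime(2010, 3, 1, 9, 0), "message": "Account created"},
    {"reporter": DORIAN, "type": "InvalidUserCertificateRequest",
     "when": datetime(2010, 3, 1, 9, 5), "message": "Account status is Pending"},
    {"reporter": ADMIN, "type": "AccountUpdated",
     "when": datetime(2010, 3, 1, 10, 0), "message": "Status changed to Active"},
    {"reporter": DORIAN, "type": "SuccessfulUserCertificateRequest",
     "when": datetime(2010, 3, 1, 10, 5), "message": "Issued user certificate"},
    {"reporter": DORIAN, "type": "AccessDenied",
     "when": datetime(2010, 3, 2, 8, 0), "message": "Not an administrator"},
]


def search(records, reporter=None, audit_type=None, start=None, end=None,
           message=None):
    """Apply the criteria; an omitted criterion matches every record."""
    hits = []
    for rec in records:
        if reporter is not None and rec["reporter"] != reporter:
            continue
        if audit_type is not None and rec["type"] != audit_type:
            continue
        if start is not None and rec["when"] < start:
            continue
        if end is not None and rec["when"] > end:
            continue
        if message is not None and message.lower() not in rec["message"].lower():
            continue
        hits.append(rec)
    return hits


def failed_requests(records, start=None, end=None):
    """Failed credential requests and access denials, oldest first."""
    failure_types = ("InvalidUserCertificateRequest", "AccessDenied")
    hits = [rec for t in failure_types
            for rec in search(records, audit_type=t, start=start, end=end)]
    return sorted(hits, key=lambda rec: rec["when"])
```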

Last edited by
Sarah Honacki (854 days ago)