MSO and multiple communities

Tony Linde ael at star.le.ac.uk
Tue Jul 6 06:52:34 PDT 2004


> We need multiple accounts - we already have multiple accounts.
> SSO needs to federate the accounts a user has on multiple systems.

No, yes, no :)

> The IVO (unlike AstroGrid) can not be a monolithic system 

AstroGrid is not a single system at all but a set of separate components
working according to set interfaces - the IVO in fact.

> where I get a single account for everything - this will just not work.

I think there's confusion about accounts and groups. What you mean by
accounts, I mean by groups. Groups confer privileges, not accounts. Having
an account gives you no rights whatever. Only by being granted membership of
certain groups do you gain the rights of those groups.

> I might have to have a single identity which each system maps 

That is what I mean by an account. 

> to my account on that system - this is I believe what Guy is 

No. A service confers access rights to a group. A user who is joined to that
group gets the rights conferred on that group. It doesn't matter to which
community the user originally registered or anything else. If the
administrator of a group adds the user to that group then that user has
those rights. 

We absolutely do not want a proliferation of accounts on every server around
the world.

T.

> -----Original Message-----
> From: owner-grid at eso.org [mailto:owner-grid at eso.org] On 
> Behalf Of Wil O'Mullane
> Sent: 06 July 2004 14:32
> Cc: grid at ivoa.net
> Subject: Re: MSO and multiple communities
> 
> We need multiple accounts - we already have multiple accounts.
> SSO needs to federate the accounts a user has on multiple systems.
> The IVO (unlike AstroGrid) can not be a monolithic system 
> where I get a single account for everything - this will just not work.
> I might have to have a single identity which each system maps 
> to my account on that system - this is I believe what Guy is 
> speccing and what we agreed pretty much at Boston. 
> 
> wil
> 
> 
> On Tue, Jul 06, 2004 at 12:16:45PM +0100, Guy Rixon wrote:
> > In light of Tony's last message, I ask the group whether we are to
> > proceed with the abilities to have accounts at more than one
> > community, to federate communities and to allow credentials for an SSO
> > session to be collected from more than one server. If not, then the
> > nature of the system is changed; some processes are simplified and
> > some are made impossible.
> >
> > I don't mind changing tack if there is consensus, but I need to know
> > which way we're going before I finish the SSO document-set.
> >
> > Cheers,
> > Guy
> >
> > Guy Rixon    gtr at ast.cam.ac.uk
> > Institute of Astronomy    Tel: +44-1223-337542
> > Madingley Road, Cambridge, UK, CB3 0HA    Fax: +44-1223-337523
> 
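
An added illustration of the group-based model described in the reply above (not code from the thread or from AstroGrid; the class names, community names and rights are hypothetical): an account on its own yields no rights, and a service stores grants per group rather than an account per user.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Identity:
    """One account: a user name plus the community that registered it."""
    user: str
    community: str

@dataclass
class Group:
    name: str
    members: set = field(default_factory=set)

    def add(self, who):
        """Performed by the group's administrator, not by the service."""
        self.members.add(who)

@dataclass
class Service:
    """Confers rights on groups only; keeps no per-user accounts."""
    name: str
    grants: dict = field(default_factory=dict)  # group name -> set of rights

    def confer(self, group, *rights):
        self.grants.setdefault(group.name, set()).update(rights)

    def rights_for(self, who, groups):
        """Union of the rights of every group that lists `who` as a member."""
        allowed = set()
        for g in groups:
            if who in g.members:
                allowed |= self.grants.get(g.name, set())
        return allowed

# Constructed sample data (all names are illustrative assumptions).
alice = Identity("alice", "community-a.example")
bob = Identity("bob", "community-b.example")      # registered elsewhere
carol = Identity("carol", "community-a.example")  # has an account, no groups

survey = Group("survey-team")
survey.add(alice)
survey.add(bob)

archive = Service("archive")
archive.confer(survey, "query", "download")

if __name__ == "__main__":
    for who in (alice, bob, carol):
        print(who.user, who.community, sorted(archive.rights_for(who, [survey])))
```

Removing a member from the group revokes that user's rights at every service that granted to the group, with nothing to clean up on the services themselves.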


