Resource Entitlement Management System Manne Miettinen Mikael Linden Janne Lauros CSC – IT Center for Science

Affaire Tournesol

Background CSC is a non-profit state company –ICT services for research groups & higher education institutes –Wide co-operation with universities and research institutes (incl. Statistics Finland) CSC has operated the Finnish academic identity federation, Haka, since 2005 –Switzerland and Finland are the European pioneers in federated identity

Identity federation Polytechnic C Research Institute B University A Local user accounts Service 1 e.g. Library portal Service 2 Learning management system (LMS) Local user accounts

Haka – the federation of Finnish HE Haka federation of the Finnish higher education Service ProviderIdentity Provider (Home university) National Library portal Institutiona Library Management Systems Learning Management System (Moodle etc) ASP/SaaS services in university administration U of Turku U of Helsink etc UAS of Turk U of Tamper UAS of Hels  Identity Provider maintains the end user’s identities (identifiers, roles and other attributes)  Identity Provider authenticates an end user  Identity Provider release end user’s attributes to the service provider  Based on the attributes, the Service Provider decides what kind of services the user is authorised to use IdP CSC’s services to researchers (HPC, grids) SP

Relying on the REMS access rights Identity Provider Service Provider Identity Provider Service Provider REMS Attribute Provider REMS IdP proxy attributes attributes + entitlements attributes entitlements (a) External attribute provider(b) IdP proxy (c) Or a custom REMS integration

Identity Federations in Europe

Federated identity + workflow = REMS Basic idea of REMS is to –replace paper based application process with an automated tool –build on top of federated identity to avoid unnecessary and error prone manual maintenance work of user information

Resource entitlement management system (REMS) Access to research datasets 0. Fully public access 1. Researcher has a role/group membership –IdP managed/VO-managed 2. Researcher commits to datasets’ licence terms 3. Researcher fills in and submits an application - Dataset owner approves/rejects Or any combination of 1, 2 and 3.

Principal investigator Applicant Research group Members of the application The REMS concept Metadata on dataset 1&2 Dataset 1 Dataset 2 DAC 1 Approver DAC 2 Approver REMS Workflow Reports Entitlements IdP SP 1. Apply for access 4. Approve 5. Access 3. Circulate to approver 2. Commit to licence terms

CASE: Finnish Social Science Data Archive

CASE: process for applying access to the Nordic Control Database

Benefits of REMS Reduces throughput times of the application process Provides easier reporting/audit tools for owners of the resource and the applicant Increases information security also by relying on end users’ home institutions usernames/passwords and federated authentication

The REMS implementation Created originally in the ELIXIR ESFRI project –Academy of Finland and Ministry of Education and Culture via CSC) e.g. NOT EU FP7, EMBL etc. ELIXIR Finland hosted at CSC offers REMS as a service for biomedical data hosting services in ELIXIR Discipline-independent A Java portlet on Liferay, using Vaadin framework Open source (LGPL)

Work-in-progress Development UI improvements, vulnerability tests, documentation, publish the code, bug fixes and feature requests Operations maintenance, support, helpdesk Deployment new: FSD, TTA, LBR extend: EGA, biobanking

REMS DEMO

REMS = TAAS? 1.Accredited institution = Identity federation? 2.Requestor’s affiliation = Identity federeration (affiliation = ”faculty”) 3.Application must be approved = REMS

Links REMS Identity federation