Hi Ivan,

> 3. one needs to take care of real UNIX group and user IDs on the CE and WNs,
> i.e. the pool accounts. In grid-mapfile
>
> "YOUR DN HERE" .gilda
>
> Then what should go to groupmapfile and gridmapdir/ ?

The groupmapfile is only used for VOMS mappings. In the gridmapdir you
create empty files whose names are the accounts: gilda001, gilda002, ...

> 4. And then also, if one needs this info to be published with BDII then here
> is the Stephen Burke's reply on how to get published with the
> AccessControlBaseRule:
>
> It's a glue schema attribute. The template is usually in
> /opt/glite/etc/gip/ldif/static-file-CE.ldif, which is created by YAIM,
> but it doesn't have an option to add DNs so you'd have to edit it by hand.
> I.e. where you see things like
>
> GlueCEAccessControlBaseRule: VO:dteam
>
> you would need to add something like
>
> GlueCEAccessControlBaseRule: /REPLACE/WITH/YOUR/DN

Indeed, one such line for every DN:

GlueCEAccessControlBaseRule: /C=IT/O=GILDA/CN=Tutorial User 1
GlueCEAccessControlBaseRule: /C=IT/O=GILDA/CN=Tutorial User 2
...

That _should_ work. If not, you could add a line for "VO:gilda" instead,
but that suggests you support the whole VO; in this case that could be OK.

Note that there is no need to add such lines when glite-wms-job-submit
is used with the "-r" option to bypass the matchmaking and send jobs
directly to the intended CE.
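Added example, not part of the original message: a shell sketch that derives the pool-account files, the grid-mapfile entries and the GlueCEAccessControlBaseRule lines from one DN list, then reports DNs that are mapped but not published. The function names and the scratch directory are assumptions made for illustration; nothing here touches the real CE configuration.

```shell
# Added example: all paths live in a scratch directory (assumption).

# Create empty pool-account files PREFIX001..PREFIXNNN in a gridmapdir.
make_pool_dir() {   # usage: make_pool_dir DIR PREFIX COUNT
    mkdir -p "$1" || return 1
    i=1
    while [ "$i" -le "$3" ]; do
        : > "$1/$(printf '%s%03d' "$2" "$i")"
        i=$((i + 1))
    done
}

# One grid-mapfile line per DN, mapped to the pool (note the leading dot).
emit_gridmap() {    # usage: emit_gridmap DNFILE POOL
    while IFS= read -r dn; do
        [ -n "$dn" ] && printf '"%s" .%s\n' "$dn" "$2"
    done < "$1"
    return 0
}

# One GlueCEAccessControlBaseRule line per DN, for the static LDIF file.
emit_acbr() {       # usage: emit_acbr DNFILE
    while IFS= read -r dn; do
        [ -n "$dn" ] && printf 'GlueCEAccessControlBaseRule: %s\n' "$dn"
    done < "$1"
    return 0
}

# Print DNs that the grid-mapfile maps to a pool but the LDIF does not publish.
unpublished_dns() { # usage: unpublished_dns GRIDMAP LDIF
    sed -n 's/^"\(.*\)" \..*$/\1/p' "$1" | while IFS= read -r dn; do
        grep -qxF "GlueCEAccessControlBaseRule: $dn" "$2" || printf '%s\n' "$dn"
    done
}

# Constructed sample run using the two tutorial DNs from the message.
work=$(mktemp -d)
printf '%s\n' '/C=IT/O=GILDA/CN=Tutorial User 1' \
              '/C=IT/O=GILDA/CN=Tutorial User 2' > "$work/dns.txt"
make_pool_dir "$work/gridmapdir" gilda 3
emit_gridmap "$work/dns.txt" gilda > "$work/grid-mapfile"
emit_acbr "$work/dns.txt" > "$work/acbr.ldif"
ls "$work/gridmapdir"
cat "$work/grid-mapfile" "$work/acbr.ldif"
unpublished_dns "$work/grid-mapfile" "$work/acbr.ldif"   # prints nothing here
```

A DN listed by unpublished_dns can still be mapped to a pool account on the CE, but it has no matching GlueCEAccessControlBaseRule line in the published LDIF.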