> But what are they linking their ID to? It needs to be a VO role in order to give them specific
> rights at the multitude of resources (I guess your umbrella ID is a proxy for this?). So how do
> they know which role to link to, and how does the system stop people linking to unauthorised roles?
In each of the PaNdata facilities, the link is made between their actual user account at the facility (they will *always* have a native account) and an identifier received from the Umbrella system. The identifier is anonymous but is unique to them.
The link is maintained in a so-called User Office System, which is administered by the site in question (it also works for people like GridPP, DiRAC, etc). The site decides which resources that user has access to. Standard Unix/Windows UID and GIDs apply to any of the resources, so if, in the case of Diamond, a user is only allowed to log into Beamline I-14, then any attempts to log into Beamline B-06 will fail because the permissions to that resource have not been given. Unix has been *very* good at that for the last 40 years, so leverage that :-)
Stefan
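As an added illustration of the model Stefan describes (not code from PaNdata, Umbrella or any facility), the toy below keeps the link between an anonymous Umbrella identifier and a site's native account in a mock "User Office System", enforces that each identifier binds to exactly one local account, and answers resource requests with a deny-by-default group check in the spirit of Unix GIDs; all identifiers, account and group names are constructed.

```python
"""Constructed model of an Umbrella-id -> native-account link plus
group-based resource checks. Not PaNdata/Umbrella code; names assumed."""
from dataclasses import dataclass, field


@dataclass
class UserOfficeSystem:
    # umbrella_id -> native account at this site (one-to-one, assumed)
    links: dict = field(default_factory=dict)
    # native account -> Unix-style groups the site has granted
    groups: dict = field(default_factory=dict)
    # resource (e.g. a beamline) -> group whose members may log in
    resource_group: dict = field(default_factory=dict)

    def link(self, umbrella_id: str, account: str) -> None:
        """Site staff bind an anonymous Umbrella id to a native account.
        Re-binding is refused so an id cannot be moved onto someone
        else's account, and an account cannot collect a second id."""
        current = self.links.get(umbrella_id)
        if current is not None and current != account:
            raise PermissionError(f"{umbrella_id} is already linked")
        if current is None and account in self.links.values():
            raise PermissionError(f"{account} is already linked to an id")
        self.links[umbrella_id] = account

    def can_access(self, umbrella_id: str, resource: str) -> bool:
        """Deny unless the id is linked AND the local account is in the
        resource's group; this mirrors what the OS permissions enforce."""
        account = self.links.get(umbrella_id)
        if account is None:          # unlinked id: no native account
            return False
        needed = self.resource_group.get(resource)
        if needed is None:           # unknown resource: nothing granted
            return False
        return needed in self.groups.get(account, set())


def demo() -> UserOfficeSystem:
    """Constructed site state: one user allowed on I-14 but not B-06."""
    uos = UserOfficeSystem()
    uos.resource_group = {"I-14": "bl_i14", "B-06": "bl_b06"}
    uos.link("umb-7f3a", "dls_user1")   # constructed id and account
    uos.groups["dls_user1"] = {"bl_i14"}
    return uos
```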