Identity and Access Management¶
IAM Overview¶
Our Figshare for Institution instance has a few features for maintaining identity and access management (IAM) settings and for assisting in data repository administration.
First, we have the ability to set a quota of available space for each user. Our default quotas, applicable to most ReDATA users, are:
Classification | Quota
---|---
Undergraduates | 0 initially; 100 MB after they contact us
Graduates | 0.5 GB
Faculty/Staff/DCC | 2 GB
Second, we have the ability to assign each user to groups on Figshare (a.k.a. “portals”). This allows for easy exploration of data through these portals. For our deployment we chose to define portals by the common research themes of our University. To identify a researcher’s discipline, we use their primary affiliation at the University.
Software/Services Overview¶
We use a number of software packages and services for IAM. They are:
Software/Services | Maintainer(s) | Purpose
---|---|---
Enterprise Directory Service (EDS) | UITS | UArizona’s LDAP directory, used to gather metadata about users from a central UA datastore in order to make authorization decisions.
Grouper | UITS | UArizona’s tool for creating groups for UA organizations. Group memberships are populated into EDS and Shibboleth.
Shibboleth / WebAuth | UITS | UArizona’s SAML-based access to UA IAM information.
ReQUIAM | ReDATA team | Python command-line API for IAM.
ReQUIAM_csv | ReDATA team | Python command-line API and database of groups for IAM.
Services¶
First, we use three services provided and administered by University Information Technology Services (UITS):
- EDS
- Shibboleth
- Grouper
Users log in to ReDATA with their NetID credentials (WebAuth). A user who is no longer part of the University no longer has a NetID and thus cannot log in.
Software¶
The two codebases that the ReDATA team develops and maintains are ReQUIAM and ReQUIAM_csv. The former is the primary software that manages all ReDATA IAM: a daily cron job sets research theme associations (“portals”) and quotas through the Grouper API. That information is then propagated into EDS and Shibboleth, and reaches Figshare when users log in. ReQUIAM also provides a command-line API for other manual IAM changes by the ReDATA team, such as raising a user’s quota above the default (see IAM Overview).
The ReQUIAM_csv software contains the mapping between the groups on ReDATA’s Figshare for Institution instance and UArizona organizational codes. The spreadsheet is available through Google Docs.
The Grouper-to-Figshare-group mapping is provided as a CSV file that ReQUIAM consumes. Both codebases are publicly available on GitHub at:
Grouper settings¶
To control IAM, we update Grouper group memberships. These memberships are metadata that is passed into EDS and ultimately Shibboleth, and consumed by our Figshare for Institution instance for account creation (on first login) and account update (on each subsequent login). The metadata attribute that carries them is called ismemberof.
The three ismemberof settings that ensure proper IAM are:
Name | Type | Purpose
---|---|---
active | Group | Enables login to ReDATA. Non-membership means the individual no longer holds active Libraries privileges.
portal | Stem | Folder containing the Grouper groups for the various research themes.
quota | Stem | Folder containing the Grouper groups for quotas, named in bytes.
The Grouper stem prefix for all of the above is arizona.edu:Dept:LBRY:figshare.
ReQUIAM maintains direct membership for the portal and quota groups. Membership in the active group is not set by ReQUIAM; it is derived indirectly from other Grouper groups populated by the University Libraries patron software, patron-groups.
Our Figshare instance maps the portal and quota settings such that:
A quota is set to ensure that a user has enough space for small deposits, which is most often the case. The user can request more space, which a ReDATA administrator would need to approve. The latter allows for the ReDATA team to understand the user’s needs and to identify cases where there are large deposits requiring more assistance.
A researcher’s data deposits are placed in a proper Figshare group/portal.
If a user does not have a portal set, their data publication will not appear in any group/portal, only in the University-wide group. If a quota is not set (for example, undergraduates logging in for the first time), the quota is zero.
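The decision logic that the preceding section describes (the active group gates login, a portal group under the portal stem selects the Figshare group, a quota group under the quota stem sets the byte limit, and missing portal or quota values fall back to the University-wide group and a zero quota) can be written out as a small resolver. The following is an added example, not code from ReQUIAM, ReQUIAM_csv or Figshare. It assumes that the ismemberof values arrive as plain strings named exactly as the stem prefix plus `:active`, `:portal:<theme>` or `:quota:<bytes>`, that quota group names are decimal byte counts, and that the theme names used in the sample memberships are made up. It fails closed when a user is in more than one portal or quota group rather than picking one, and matches the stems with a trailing colon so that a sibling stem such as `figshare:portalx` cannot be mistaken for `figshare:portal`.

```python
"""Resolve a user's Figshare access from Grouper ismemberof values.

Added example, not code from ReQUIAM or ReDATA. Assumptions not stated
on the page: group names are matched exactly; quota groups are named by
their decimal byte count (quota:<bytes>); portal groups are named by
research theme (portal:<theme>); the theme names below are made up.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence

STEM = "arizona.edu:Dept:LBRY:figshare"
ACTIVE_GROUP = STEM + ":active"
PORTAL_PREFIX = STEM + ":portal:"   # trailing ':' so 'portalx' cannot match
QUOTA_PREFIX = STEM + ":quota:"


@dataclass(frozen=True)
class FigshareAccess:
    can_login: bool          # False unless the user is in the active group
    portal: Optional[str]    # None: deposits appear only in the University-wide group
    quota_bytes: int         # 0 when no quota group is set (e.g. first-login undergrad)


class AmbiguousMembership(ValueError):
    """Two portal or two quota groups: fail closed instead of guessing."""


def resolve_access(ismemberof: Sequence[str]) -> FigshareAccess:
    """Map the multi-valued ismemberof attribute to Figshare account settings."""
    groups = set(ismemberof)

    portals: List[str] = sorted(
        g[len(PORTAL_PREFIX):] for g in groups if g.startswith(PORTAL_PREFIX)
    )
    quotas: List[int] = []
    for g in groups:
        if g.startswith(QUOTA_PREFIX):
            value = g[len(QUOTA_PREFIX):]
            # The quota stem holds byte counts; reject anything like quota:2GB.
            if not (value.isascii() and value.isdigit()):
                raise ValueError(f"quota group name is not a byte count: {g}")
            quotas.append(int(value))

    if len(portals) > 1:
        raise AmbiguousMembership(f"multiple portal groups: {portals}")
    if len(quotas) > 1:
        raise AmbiguousMembership(f"multiple quota groups: {sorted(quotas)}")

    return FigshareAccess(
        can_login=ACTIVE_GROUP in groups,
        portal=portals[0] if portals else None,
        quota_bytes=quotas[0] if quotas else 0,
    )


if __name__ == "__main__":
    # Constructed memberships, one per case described on the page.
    faculty = [ACTIVE_GROUP, PORTAL_PREFIX + "astronomy", QUOTA_PREFIX + "2147483648"]
    new_undergrad = [ACTIVE_GROUP]                # no portal, no quota yet
    lapsed = [PORTAL_PREFIX + "astronomy", QUOTA_PREFIX + "536870912"]  # active dropped
    for label, groups in [("faculty", faculty), ("new undergrad", new_undergrad), ("lapsed", lapsed)]:
        print(label, resolve_access(groups))
```

The "lapsed" case is the one the active group exists for: the user still has a NetID and still carries portal and quota memberships, but because patron-groups no longer places them in active, the resolver reports that login must be refused regardless of the other attributes.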