Documentation IAM

Last modified by chaney08 on 2021/09/21 17:19

Introduction

IAM is the EBRAINS Identity and Access Management service which is delivered by the Collaboratory and manages user identification and permission management for all EBRAINS users and services.

Some of the EBRAINS resources are available without an EBRAINS account; for all other resources, users need to register for their personal EBRAINS user account. Visit https://EBRAINS.eu/register.

IAM provides role-based permission management: users can be organized into Units, Groups and collab Teams so that permissions are granted to these sets of users rather than to individuals one by one.

Permissions in Collaboratory services

Collaboratory services are organized around Collaboratory workspaces, known as "collabs". Collabs have a simple permission scheme: the same permissions apply to all the contents of a collab, and to all the Collaboratory services available from that collab. There are no finer-grained permissions within a collab: none per file or folder in the Drive or Bucket, and none per Wiki page either.

Collabs are private or public. The Wiki pages of public collabs are viewable by anyone on the internet. The other Collaboratory services (Drive, Bucket, Lab, Office) are generally reserved for users with an account. Files in the Drive and Bucket can be made readable to anyone by creating a public link for them, and such links can for instance be shared on the wiki page of a public collab. Notebooks in the Lab can be made readable to anyone by generating a view and embedding it in a wiki page of a public collab.

The Team app manages permissions for each collab; it defines which users are members of the collab's Team and which permissions or roles they each have. Users in a collab Team can be Viewers (with read-only rights), Editors (with rights to add, modify and delete content) or Admins (with Editor rights and rights to modify the collab's Team).

Roles in a collab's Team can also be assigned to all the users in a Unit or in a Group. Units are managed by more formal policies than Groups, e.g. to indicate HBP user accreditation or to indicate the institution a user belongs to. Groups are more ad hoc in nature.
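To make the collab permission scheme concrete, the following is an added Python model of the rules described above (example code, not EBRAINS or Collaboratory code): the Viewer/Editor/Admin roles, roles granted directly or through a Unit or Group, the public-wiki rule, and per-item public links. The Unit and Group identifiers, the `public_links` representation, and the simplification that every other access requires Team membership are assumptions of this example.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional

class Role(IntEnum):
    """Team roles from the text; a higher value includes the rights of lower roles."""
    VIEWER = 1   # read-only
    EDITOR = 2   # add, modify and delete content
    ADMIN = 3    # Editor rights plus modifying the collab's Team

@dataclass(frozen=True)
class User:
    name: str
    units: frozenset = frozenset()   # Unit ids the user belongs to (hypothetical ids)
    groups: frozenset = frozenset()  # Group ids the user belongs to (hypothetical ids)

@dataclass
class Collab:
    name: str
    public: bool
    # Team: principal -> Role, where principal is ("user", name), ("unit", id) or ("group", id)
    team: dict = field(default_factory=dict)
    # Items explicitly shared via a public link, as (service, path); an assumed representation
    public_links: set = field(default_factory=set)

def effective_role(collab: Collab, user: Optional[User]) -> Optional[Role]:
    """Highest role the user holds directly or through any Unit or Group in the Team."""
    if user is None:                     # anonymous visitor
        return None
    principals = [("user", user.name)]
    principals += [("unit", u) for u in user.units]
    principals += [("group", g) for g in user.groups]
    roles = [collab.team[p] for p in principals if p in collab.team]
    return max(roles) if roles else None

def is_allowed(collab: Collab, user: Optional[User], service: str,
               action: str, path: str = "") -> bool:
    """service: wiki|drive|bucket|lab|office; action: read|write|manage_team; user=None is anonymous."""
    role = effective_role(collab, user)
    if action == "read":
        if service == "wiki" and collab.public:
            return True                  # wiki of a public collab is viewable by anyone
        if (service, path) in collab.public_links:
            return True                  # file explicitly published via a public link
        return role is not None          # otherwise Team membership, the same for every item
    if action == "write":
        return role is not None and role >= Role.EDITOR
    if action == "manage_team":
        return role == Role.ADMIN
    raise ValueError(f"unknown action: {action}")
```

Because roles are compared with `max`, a user who is a Viewer through a Unit and an Editor through a Group ends up with Editor rights, which is the behaviour to check for when auditing who can modify a collab.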

Permissions in other EBRAINS services

EBRAINS service providers should rely on IAM for authenticating users and services, and for managing the permissions of users within the services they provide. Access to the IAM service is via the OpenID Connect (OIDC) protocol. Services must register with the IAM service as OIDC clients, at which point they receive an authentication token. Once registered, a service can query IAM for information about EBRAINS users within the scope attributed to that service.