Changes for page Documentation IAM

Last modified by chaney08 on 2021/09/21 17:19

From version 7.1
edited by mmorgan
on 2021/07/07 03:18
Change comment: There is no comment for this version
To version 6.1
edited by chaney08
on 2021/07/06 12:54
Change comment: There is no comment for this version

Details

Page properties
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.mmorgan
1 +XWiki.chaney08
Content
... ... @@ -1,21 +1,11 @@
1 1  == Introduction ==
2 2  
3 -IAM is the EBRAINS **I**dentity and **A**ccess **M**anagement service which is delivered by the Collaboratory and manages user identification and permission management for all EBRAINS users and services.
3 +IAM is the EBRAINS **I**dentification and **A**uthentication **M**anagement service which is delivered by the Collaboratory and manages user identification and permission management for all EBRAINS services. Users can be grouped into units, groups and collab teams for simpler management.
4 4  
5 -Some of the EBRAINS resources are available without an EBRAINS account; for all other resources, users need to register for their personal EBRAINS user account. Visit [[https:~~/~~/EBRAINS.eu/register>>https://EBRAINS.eu/register]].
5 +The IAM service is also what you need to look at when you want to create your own service or community app as this is where you will need to receive tokens for your OIDC (OpenID Connect) clients.
6 6  
7 -IAM provides role-type permission management by offering the possibility of organizing users into Units, Groups and collab Teams to simplify permission management.
7 +Collabs are private or public. The wiki pages of public collabs are viewable by anyone on the internet. For files in the Drive of a public collab to be readable by anyone, the files (or folders) must be referenced via a public link in a wiki page.
8 8  
9 -=== Permissions in Collaboratory services ===
9 +The Team app is one of the few non-wiki pages that appears in the collab’s navigation panel in the left margin. The admins of the collab can add/remove users from the Admin, Editor and Viewer roles of that collab. A user has one of these 3 roles throughout that whole collab; there are no finer-grain permissions per folder in the Drive or per wiki page.
10 10  
11 -Collaboratory services are organized around Collaboratory workspaces, known as "collabs". Collabs have a simple permission scheme: the same permissions apply to all the contents of a collab, and for all the Collaboratory services available from that collab. There are no finer-grain permissions within a collab, not per file or folder in the Drive or Bucket, not per Wiki page either.
12 -
13 -Collabs are private or public. The Wiki pages of public collabs are viewable by anyone on the internet. The other Collaboratory services (Drive, Bucket, Lab, Office) are generally reserved to users with an account. Files in the Drive and Bucket can be made readable to anyone by creating a public link for them, and such links can for instance be shared on the wiki page of a public collab. Notebooks in the Lab can be made readable to anyone by generating an view and embedding it is an wiki page of a public collab.
14 -
15 -The Team app manages permissions for each collab; it defines which users are members of the collab's Team and which permissions or roles they each have. Users in a collab Team can be Viewers (with read-only rights), Editors (with rights to add, modify and delete content) or Admins (with Editor rights and rights to modify the collab's Team).
16 -
17 -Roles in a collab’s Team can also be attributed to all the users in a Unit or in a Group. Units are managed by more formal policies than Groups, e.g. to indicate HBP user accreditation or to indicate the institution a user belongs to. Groups are more ad hoc in nature.
18 -
19 -=== Permissions in other EBRAINS services ===
20 -
21 -EBRAINS service providers should refer to IAM for authenticating users and services, and for managing permissions of users within the services they provide. Access to the IAM service is done via the OpenID Connect (OIDC) protocol. The services need to register with the IAM service as OIDC clients at which point they will receive an authentication token. Once registered, a service can query IAM for information concerning EBRAINS users within the scope attributed to that service.
11 +Roles in a collab’s Team can also be attributed to all the users in a Unit or in a Group. Units are managed by more formal policies than Groups, e.g. to indicate HBP user accreditation or to indicate the institution a user belongs to. Groups are more flexible in nature.
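Review bot: the `+` side of line 3 expands IAM as "**I**dentification and **A**uthentication **M**anagement", which contradicts the same sentence's statement that the service handles "permission management"; the `-` side's "**I**dentity and **A**ccess **M**anagement" is the standard expansion of the acronym and matches what the paragraph describes, so that expansion should be kept. The `+` side also drops the registration pointer (https://EBRAINS.eu/register) and the statement that Drive, Bucket, Lab and Office are generally reserved to users with an account, so the new text no longer tells a reader where to get an account or that wiki pages are the only content public by default in a public collab. The replacement for the removed "Permissions in other EBRAINS services" section ("receive tokens for your OIDC clients") loses the access-control point of the original: a service registers with IAM as an OIDC client and can then query IAM only within the scope attributed to that service; suggest restoring that sentence. Minor: the removed line 13 contains "generating an view and embedding it is an wiki page" (should read "generating a view and embedding it in a wiki page"); fixing the typo is preferable to dropping the Lab sentence.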