Guest Accounts
For whom
EBRAINS users can request an EBRAINS user account to access resources they might not otherwise have access to, including services, computing resources, and data. Some restrictions apply to users, including sanctions against some countries, an age limit, motivation, a single account per user, and possible banning from the platform. Additionally, some registrations may not be immediate, though we are making every effort to reduce registration time.
These limitations may push some users to request a temporary guest account. Guest accounts are granted by EBRAINS users who have been given the Sponsor role. Sponsors are responsible for identifying guest users with due diligence. Sponsors are not authorized to bypass the EU sanctions/embargoes on countries or the possible EBRAINS restrictions on individuals or institutions. For countries not appearing on the current list of validated countries, please contact Support. Sponsors assume the responsibility for the guest users they provide guest accounts to. For guest users, the age limit is 14 years instead of 18 years for regular EBRAINS users.
Developers of EBRAINS services may use guest accounts to have more than one account for testing purposes. This should however mostly be done in the integration environment (INT). The production environment should be kept as free of testing accounts or OIDC clients as possible.
EBRAINS users who believe they have a legitimate motivation for becoming a Sponsor of guest accounts should contact Support to request this along with a justification.
Authorization
EBRAINS service providers are responsible for explicitly authorizing access to guest accounts for their service. This is done in the OIDC-client management app. EBRAINS services may impose further limitations on guest users inside their service. For example, the Collaboratory Wiki service authorizes guest accounts to access the Wiki service but does not authorize them to create public collabs.
Guest accounts are identified by their username starting with "guest", e.g. "guestjaned". The "guest*" namespace is reserved for guest accounts. Guest accounts are also identifiable by the fact that they are all in the "/guests" Unit. This Unit is not in the "/all/*" namespace of Units and as such is not browsable in the Identity Manager.
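A service that restricts guests can cross-check the two signals described above and fail closed when they disagree. The following is an added example, not EBRAINS code: the function names, the action names, the denied-action set and the way the username and Unit list reach the service are assumptions.

```python
GUEST_PREFIX = "guest"   # reserved username namespace (from the page)
GUEST_UNIT = "/guests"   # Unit that contains every guest account (from the page)

# Hypothetical per-service policy: actions a guest may never perform.
GUEST_DENIED_ACTIONS = {"create_public_collab"}


def classify_account(username, units):
    """Return 'guest', 'regular' or 'inconsistent' from the two signals."""
    by_name = username.lower().startswith(GUEST_PREFIX)
    by_unit = GUEST_UNIT in {u.rstrip("/") for u in units}
    if by_name and by_unit:
        return "guest"
    if not by_name and not by_unit:
        return "regular"
    # Only one signal is present: the identity data cannot be trusted as-is.
    return "inconsistent"


def is_allowed(action, username, units, service_accepts_guests):
    """Apply the guest-specific rules only; other checks happen elsewhere."""
    kind = classify_account(username, units)
    if kind == "regular":
        return True
    # Fail closed: an inconsistent account gets the guest restrictions.
    if not service_accepts_guests:
        return False
    return action not in GUEST_DENIED_ACTIONS


if __name__ == "__main__":
    # Constructed sample identities; the "/all/..." Unit path is made up.
    for name, units in [("guestjaned", ["/guests"]),
                        ("jdoe", ["/all/example-unit"]),
                        ("guestjaned", [])]:
        print(name, units, classify_account(name, units),
              is_allowed("create_public_collab", name, units, True))
```

Logging every "inconsistent" result gives operators a cheap signal that identity data and the reserved namespace have drifted apart.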
Creating a guest account
Guest accounts are created via the guest account app. NOTE: Only sponsors can access this page.
Sponsors can also create guest accounts via an API endpoint as described in "Creating a guest account via API" below.
Sponsors must provide a first name, last name and email address for each guest account. The email address will be validated by IAM just as for regular EBRAINS accounts. This also implies that guests set their own password; Sponsors do not set passwords for guests as this would be in breach of the Access Policy. The username of guest accounts is generated automatically by IAM.
For guest users under the age of 18 years (underage users), we are not authorized to ask the user to consent to complex terms of use. IAM will automatically truncate the last name of underage guest users, e.g. "guestjaned". The Sponsors must still indicate the full name for security reasons, but this information will not be available to any end user. IAM determines whether or not to truncate the last name from an additional field, "user is under age", provided by the Sponsors. Underage guest users have the same permissions as other guest users.
Creating a guest account via API
Sponsors can use the endpoint for guest accounts in the Wiki API.
Via the API, sponsors have to perform a POST request to the URL below. The same endpoint is used to create and reactivate guest accounts. Notice the username is not specified in the request; usernames for new accounts are constructed from first and last name and prefixed with "guest".
{
  "users": [
    {
      "firstName": "Pierre",
      "lastName": "Martin",
      "email": "pierre.martin@example.com",
      "isGuestUnderAge": true
    },
    {
      "firstName": "Ines",
      "lastName": "Alaoui",
      "email": "ines.alaoui@example.com",
      "isGuestUnderAge": false
    }
  ],
  "expirationDate": "2022-04-18"
}
Once the guest account has been created, the guest user will receive an email like the one below, inviting them to reset their password. This allows us to validate their email address.
Duration
Guest accounts are created/activated for a limited duration. Beyond that time, the accounts are automatically deactivated. The end date for guest accounts is selected by the Sponsor when creating a guest account. Guest accounts cannot be granted a duration of over 30 days.
The duration of existing guest accounts can be extended by Sponsors. This is done via the same guest account app. The email address is the primary identifier for linking a request to an existing guest account; the first and last name fields are redundant when extending a guest account.
Sponsors are requested not to abuse the duration extension mechanism.
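The request body from "Creating a guest account via API" and the 30-day limit above can be checked on the sponsor's side before anything is sent. This is an added example, not EBRAINS code: the function name and the validation rules beyond those stated on this page are assumptions, the 30-day limit is read as "expirationDate at most 30 days from today", and the block only builds the body because the endpoint URL is not reproduced here.

```python
import json
import re
from datetime import date, timedelta

MAX_GUEST_DAYS = 30  # page: no guest account may last longer than 30 days
REQUIRED = {"firstName", "lastName", "email", "isGuestUnderAge"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # coarse syntax check only

# Sample sponsor input, taken from the request body shown on this page.
SAMPLE_GUESTS = [
    {"firstName": "Pierre", "lastName": "Martin",
     "email": "pierre.martin@example.com", "isGuestUnderAge": True},
    {"firstName": "Ines", "lastName": "Alaoui",
     "email": "ines.alaoui@example.com", "isGuestUnderAge": False},
]


def build_guest_request(guests, expiration, today=None):
    """Validate sponsor input and return the JSON body for the guest endpoint."""
    today = today or date.today()
    # Assumption: the limit means expirationDate <= today + 30 days.
    if not today < expiration <= today + timedelta(days=MAX_GUEST_DAYS):
        raise ValueError("expirationDate must be 1 to 30 days from today")
    if not guests:
        raise ValueError("at least one guest is required")
    users, seen = [], set()
    for g in guests:
        missing = REQUIRED - g.keys()
        if missing:
            raise ValueError(f"missing fields: {sorted(missing)}")
        first, last = g["firstName"].strip(), g["lastName"].strip()
        email = g["email"].strip()
        if not first or not last:  # full name is required even for underage guests
            raise ValueError("first and last name must not be empty")
        if not EMAIL_RE.match(email):
            raise ValueError(f"invalid email address: {email!r}")
        if email.lower() in seen:  # email is the primary identifier of a guest
            raise ValueError(f"duplicate email address: {email!r}")
        if not isinstance(g["isGuestUnderAge"], bool):
            raise ValueError("isGuestUnderAge must be a JSON boolean")
        seen.add(email.lower())
        # Only the four documented fields are emitted; sponsors never send a password.
        users.append({"firstName": first, "lastName": last, "email": email,
                      "isGuestUnderAge": g["isGuestUnderAge"]})
    return json.dumps({"users": users, "expirationDate": expiration.isoformat()},
                      indent=2)


if __name__ == "__main__":
    print(build_guest_request(SAMPLE_GUESTS, date.today() + timedelta(days=14)))
```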
Limitations
Guest accounts are limited in the resources they are authorized to access. Here is a short list of some of the limitations that apply to central EBRAINS services.
- All EBRAINS services: no default access to any service. The service provider needs to explicitly request access by guest accounts to their service.
- Collaboratory Wiki: no ability to create public collabs.
- Collaboratory Lab: access to limited memory in Docker containers running Jupyter Notebooks.
- Collaboratory Drive/Bucket: a smaller quota (when quota is introduced for these services).
- Collaboratory Wiki: ability to create a limited number of private collabs (when quota is introduced for this service).