Managing Authorizations

Last modified by chaney08 on 2021/07/20 19:58

IAM can be used to manage authorization within EBRAINS in the following way.

EBRAINS services (including the Collaboratory's wiki, drive and lab services) have specific features which are not systematically accessible to all users. Such features can typically grouped into two types:

  • the authorization to perform a specific action
  • the authorization to consume more resources than others

Roles in IAM are implemented as simple labels. A role can be attached directly to a user or a group or a unit, thereby granting that role respectively to that user, or to all the users part of that group and its sub-groups/sub-units, or to all the users part of that unit and its sub-units.

An EBRAINS service is represented in IAM by its authentication client, or OIDC client.

Attaching a role to an OIDC client indicates that this client will take that role into account. Attaching the role to a user (directly or via a Unit or Group) gives that user the corresponding authorization.

Public roles

Some roles are public, i.e. all OIDC client applications have the possibility of viewing whether a given user has the role. Other roles are private, i.e. only applications having that attached role have the possibility of viewing whether a given user has the role.

In all services

feature:authenticate: This role allows a user that has the role to be authenticated by an OIDC client that is linked to the role.

An OIDC client application without the role allows any EBRAINS user account to authenticate to that app.

An OIDC client application with the role is only accessible to EBRAINS user accounts with that role.

In the Collaboratory.wiki service ("xwiki")

feature:create_app: This role allows the user to create an App Within Minutes in Collaboratory.wiki.

In the Collaboratory service Group ("group")

feature:create_group: This role allows the user to create a Group in IAM.

How your OIDC client app can check a user's roles

In order to identify the roles of a given user, an OIDC client application can fetch the user's token and access the userinfo API endpoint. See the documentation and a sample notebook to access a user's userinfo.

How to add a role for and/or to your OIDC client app

Contact support to add an existing role for your service or to add a new role specifically to your service. Mention the words "IAM role" in your request to the Collaboratory service.