Expiration in groups

From MetaCentrum

WARNING: This part of the documentation is not complete yet.


Introduction

In Perun, the user becomes a member of Virtual Organizations (VO), their groups and possibly subgroups.

The VO is the main unit in Perun, but only membership in groups or subgroups gives the user access to services.

Membership in VO may be direct or indirect depending on how the user gets into the groups.

The user becomes a direct member of the VO when he/she gets into the VO through an application or when the VO manager adds him/her manually. He/she can then be added to groups or subgroups by a similar process (by application or by the manager adding him/her manually).

The user becomes an indirect member of the VO if he/she is synchronized from another system into a group or subgroup of the particular VO.

The manager may limit the membership in the group or subgroup to a certain period of time. See below for setting user expiration rules.


Application form

To give users access, the group manager has the option to set up an application form for users who are interested in membership.

With the application, the manager can obtain the necessary attributes from the user to allow him/her to access the service.

How to create an application form - designed especially for VO/group managers.


Notifications

Notifications must be set for these applications. They are predefined email messages for the user and also for managers.

Notifications for users may contain information such as:

  • The application has been sent and is awaiting evaluation
  • Application was rejected + reason for refusal
  • Application was accepted – User joined the group

Notifications for group managers may include, for example:

  • Information that the user has submitted an application
  • Information that the user has submitted a request to extend membership

Notifications are set as initial (for the first registration to the VO) and extension (for membership extension).

Examples of notifications are here.


Expiration rules


Please note: If expiration rules are not set, the user's membership never expires.


An important element in this part of the documentation is the possibility to set expiration in the group.

Thus, a manager can set an expiration date (for example, once a year) when users of his group must extend membership if they want to continue as members of the group.

In this way, the group manager can maintain order in his group structure.

Explanation of expiration and examples will be described later in the text.


Manual expiration set

The group manager can set the expiration for users manually.

When a valid user's expiration is set to a date in the past, Perun will switch the user's status to expired during nighttime data processing.

When an expired user's expiration is set to a date in the future, Perun will switch the user's status to valid during nighttime data processing.


Automatic expiration set

Membership expiration can be set so that the process itself occurs automatically, without the tedious intervention of the group manager.

The group manager sets expiration settings using attributes. Instructions for setting attributes are in the text below.


Creating rules for account extensions

If it is necessary to set the attribute membershipExpirationRules for a group, the attribute can be added in Settings in the group. Its items can be:

doNotAllowLoa - list of LoAs separated by commas which won't be allowed in the group (users with these LoAs can't become members).

period - time period to extend membership. It can be set as a fixed date (without year), e.g. 1. 2., or as a number of days/months/years with the prefix "+", which defines the time period that extends membership. Units are d = day, m = month, y = year, e.g. +128d extends the account for 128 days; likewise +6m, +1y.

doNotExtendLoa - list of LoAs separated by commas that are not extensible.

gracePeriod - when the date of the initial application or extension request equals the extension date minus gracePeriod, the user account is extended to the next time period (the period date in the next year). The value is in the format number of days/months/years. Units are d = day, m = month, y = year, e.g. 128d, 6m, 1y.

periodLoa - an exception in period for a given LoA. The format of the value is: LoA|period[.]. LoA is the given LoA number and period is in the same format as period above.

The optional dot at the end determines whether a user with a filled membershipExpiration may extend the account. If the dot is present, a user with a filled membershipExpiration is not allowed to extend the account.
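
The rule items above, evaluated together in an added Python example (not Perun's own code and not part of the original page). The names new_expiration and shift are hypothetical and RULES is a constructed sample value. Assumptions: a "+" period is counted from the request date, gracePeriod applies only to fixed-date periods, and "equals" in the gracePeriod description is read as "on or after".

```python
import re
from datetime import date, timedelta

PERIOD = r"\+\d+[dmy]|\d+\.\s*\d+\."   # "+6m" style, or fixed "day. month."
# Constructed sample value for the group attribute membershipExpirationRules.
RULES = {"period": "1. 2.", "gracePeriod": "1m",
         "doNotAllowLoa": "0", "periodLoa": "1|+6m."}

def shift(d, n, unit):
    """Move d by n days/months/years (n may be negative), clamping the day."""
    if unit == "d":
        return d + timedelta(days=n)
    year, month0 = divmod(d.year * 12 + d.month - 1 + (n if unit == "m" else 12 * n), 12)
    for day in range(d.day, 0, -1):          # 31 Jan + 1m -> last day of Feb
        try:
            return date(year, month0 + 1, day)
        except ValueError:
            continue

def new_expiration(rules, today, loa, current=None):
    """New membershipExpiration, or None when the request must be refused.
    current: already filled membershipExpiration (None = initial application)."""
    def listed(key):
        return [x.strip() for x in rules.get(key, "").split(",")]
    if str(loa) in listed("doNotAllowLoa"):
        return None                          # this LoA may not be a member
    if current is not None and str(loa) in listed("doNotExtendLoa"):
        return None                          # this LoA may not extend
    period = rules["period"]
    m = re.fullmatch(rf"(\d+)\|({PERIOD})(\.?)", rules.get("periodLoa", ""))
    if m and m.group(1) == str(loa):         # per-LoA exception: LoA|period[.]
        if m.group(3) and current is not None:
            return None                      # trailing dot forbids extension
        period = m.group(2)
    rel = re.fullmatch(r"\+(\d+)([dmy])", period)
    if rel:                                  # assumption: counted from today
        return shift(today, int(rel.group(1)), rel.group(2))
    fixed = re.fullmatch(r"(\d+)\.\s*(\d+)\.", period)
    if not fixed:
        raise ValueError(f"unrecognised period {period!r}")
    day, month = map(int, fixed.groups())
    target = date(today.year, month, day)
    if target <= today:
        target = date(today.year + 1, month, day)
    grace = re.fullmatch(r"(\d+)([dmy])", rules.get("gracePeriod", ""))
    # assumption: "equals" in the text is read as "on or after"
    if grace and today >= shift(target, -int(grace.group(1)), grace.group(2)):
        target = date(target.year + 1, month, day)
    return target
```

With RULES, a request on 10 January falls inside the one-month grace window before 1. 2., so the membership runs to 1 February of the following year rather than expiring three weeks later.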


Explanation and examples

Groups or subgroups are or may be connected with services. When the user's membership in a group or subgroup has the expired status, he/she doesn't have access to those services.


In all of the following cases, it is assumed that at the end of the expiration period the user didn't apply to extend the membership. Extending membership wouldn't lead to these scenarios; see the text below!


1) The user has become a direct member of the VO, group and two subgroups.

The subgroups are part of the group and they may have different expiration settings.

If the group has expiration set once a year, the user will have the expired state in the group and also in both subgroups after the expiration date, regardless of the expiration settings for the subgroups.



2) The user has become a member of two subgroups and is an indirect member of the VO.

The subgroups are part of the group and they may have different expiration settings.

If the group and subgroup #2 have expiration set once a year and subgroup #1 has its expiration date set to never, then after the expiration date the user will have the valid state in the group and subgroup #1 and the expired state in subgroup #2.



3) The user has become a member of two subgroups and is a direct member of the VO.

The subgroups are part of the group and they may have different expiration settings.

The user sent the application to subgroup #2; on the other hand, he/she is synchronized into subgroup #1 from the external system.

If the group and subgroup #1 have expiration set once a year and subgroup #2 has its expiration date set to never, then after the expiration date the user will have the valid state in the group and subgroup #2 and the expired state in subgroup #1.
