Group manager's manual


Group administration

All VO members can be inserted into groups. Every group gets access rights to resources in its VO. Groups can be nested like a tree, and access rights are inherited in the same way. The number of groups and subgroups is not limited. A VO member can be given the right to administer a group. A group name must be unique within the VO. Groups can be managed via the CLI or the GUI.

Please do not forget that the particular VO must be selected before working with a group. Group administration via the GUI is done by clicking Groups in the left menu. The list of groups included in the VO will appear. The Create button creates a new group; the Remove button removes the selected groups (but only if you are also VO manager).

Clicking a group name in the list of groups shows detailed information about the group and the list of its parent groups. Subgroups are shown by clicking the Subgroups button; a subgroup is created with Create and removed with Remove.

Creating group manager from VO member

Members of a VO can be given the right to manage a group in the VO and become group managers. A group manager can add or remove group members, create subgroups and assign managers to them. A manager doesn't have to be a member of the VO. The number of managers is not limited.

Managers can also be administered by clicking the Managers button in the left menu of the GUI. A new manager is added with the Add button and removed with the Remove button.

Adding VO members into group

Both the VO manager and the Group manager can add new members to a group. A member who wants to be added to the group must also be a member of the VO containing the group. One VO member can be a member of more than one group and therefore has access to all resources available in all of those groups.

Because groups in the system form a hierarchy, a user must be a member of the parent group before being added to a subgroup. Conversely, a Group manager must be a member of the parent VO, but he might be a member of the group.

Step by step tutorials

Managing an application form

Tutorial to create basic application form in VO/group.

Tutorial to approve application form in VO/group.

Creating rules for account extensions

If the attribute membershipExpirationRules needs to be set for a group, it can be added in Settings of the group. Its items can be:

doNotAllowLoa - comma-separated list of LoAs that are not allowed in the group (users with these LoAs can't become members).

period - time period by which membership is extended. It can be set as a fixed date (without year), e.g. 1. 2., or as a number of days/months/years with the prefix "+". Units are d = day, m = month, y = year, e.g. +128d extends the account by 128 days; other examples are +6m, +1y.

doNotExtendLoa - comma-separated list of LoAs that cannot be extended.

gracePeriod - when the current date of the initial application or extension request equals the extension date minus gracePeriod, the user account is extended to the next time period (the period date in the next year). The value is a number of days/months/years. Units are d = day, m = month, y = year, e.g. 128d, 6m, 1y.

periodLoa - an exception to period for a given LoA. The format of the value is LoA|period[.], where LoA is the given LoA number and period has the same format as period above. The optional dot at the end determines whether a user with a filled membershipExpiration may extend the account: if the dot is present, a user with a filled membershipExpiration is not allowed to extend the account.
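The following sketch shows how the items above can combine into a new membershipExpiration date; it is an added illustration, not Perun's own code, and the values in RULES are constructed. It assumes that "1. 1." is read as day.month., that a fixed date already passed this year rolls into the next year, that gracePeriod applies on or after the extension date minus gracePeriod, and that the trailing dot of periodLoa is stripped only when a valid period remains.

```python
import calendar
import re
from datetime import date, timedelta

REL = re.compile(r"^\+?(\d+)([dmy])$")      # +128d, +6m, +1y; gracePeriod has no "+"
FIXED = re.compile(r"^(\d+)\.\s*(\d+)\.$")  # fixed date, read as day.month. (assumption)
# Constructed sample rules, not taken from any real VO or group.
RULES = {"period": "1. 1.", "gracePeriod": "1m",
         "doNotAllowLoa": "0", "periodLoa": "1|+6m."}

def shift(d, n, unit):
    """Move d by n days/months/years (n may be negative), clamping to month end."""
    if unit == "d":
        return d + timedelta(days=n)
    m = d.month - 1 + (n if unit == "m" else 12 * n)
    year, month = d.year + m // 12, m % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def new_expiration(rules, loa, today, current=None):
    """Return the new expiration date, or None when the rules refuse the user.
    loa is a string; current is an already filled membershipExpiration, if any."""
    def loas(key):
        return {x.strip() for x in rules.get(key, "").split(",") if x.strip()}
    if loa in loas("doNotAllowLoa"):
        return None                          # this LoA cannot become a member
    if current is not None and loa in loas("doNotExtendLoa"):
        return None                          # this LoA cannot be extended
    period = rules["period"].strip()
    exc_loa, _, exc = rules.get("periodLoa", "").partition("|")
    if exc and exc_loa.strip() == loa:       # per-LoA exception replaces period
        period = exc.strip()
        bare = period[:-1]
        if period.endswith(".") and (REL.match(bare) or FIXED.match(bare)):
            if current is not None:
                return None                  # trailing dot: no extension allowed
            period = bare
    rel = REL.match(period)
    if rel:                                  # relative period counts from today
        return shift(today, int(rel.group(1)), rel.group(2))
    day, month = map(int, FIXED.match(period).groups())
    target = date(today.year, month, day)
    if target < today:                       # fixed date already passed this year
        target = date(today.year + 1, month, day)
    grace = REL.match(rules.get("gracePeriod", ""))
    if grace and today >= shift(target, -int(grace.group(1)), grace.group(2)):
        target = date(target.year + 1, month, day)  # inside grace window: skip a year
    return target
```

With these sample rules, a request made on 10 December falls inside the one-month grace window before 1 January, so the membership runs to 1 January of the year after next instead of expiring three weeks later.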

More tasks

All tasks are listed here.