...
- Which Research Infrastructure (RI) are you representing?
- Which field of science are you serving? (Frascati Manual Fields of Research and Development (FORD)) (can we compile a list?)
- Please provide a description of the research infrastructure (e.g. which kind of infrastructure and related services are delivered and by whom, is there a formalised collaboration, etc.)
Would it help to provide options for the service types? E.g. Please select the most appropriate service types for services in your RI:
a. Browser Accessible Service: A service that provides a web interface that can be accessed by users using their browsers (e.g. A research data visualisation tool accessible through a web browser).
b. API Consumed by or on behalf of Users: A service that provides an API that can be consumed programmatically by the end users or by other services using user-delegated credentials (e.g. A data analysis API allowing researchers to programmatically retrieve and analyse datasets).
c. API Consumed by Services: A service that provides an API meant to be consumed by other services. These services do not act on behalf of the user but have their own access rights to the API (e.g. A workflow management system might offer an API for other services to submit data jobs, monitor progress, and retrieve results.).
d. Client consuming Service APIs using delegated user identities: A client that uses access tokens authorised/delegated by end users and which can use these access tokens to access “APIs Consumed by or on behalf of Users” (e.g. A research collaboration platform might offer an API for data analysis tools. Researchers can authorise these tools to access their research data stored on the platform using delegated access tokens).
e. Client consuming other Service APIs using its own client identity: A client that uses its own identity and access token to access “APIs Consumed by Services” (e.g. A tool accessing a storage service API using its own client credentials to transfer data).
f. Public Access: A service that does not require users to be authenticated and authorised before they can access its resources (e.g. A public dataset repository where anyone can access datasets without needing to log in). - two sides to this question: on ingress of data into a data source, and on egress, which may be un-authenticated. Does your infra need to distinguish between these two cases?
- Please provide a description of the user audience: type of users (researchers, citizen scientists, industry users), number of users, distribution over the globe and organisations
Would it make sense to also ask for the specific authentication methods being used (e.g. Institutional accounts (eduGAIN), ORCID, Social media, Others - please specify)?
- Is the RI a member of the European Open Science Cloud (EOSC)?
- Is the RI participating in Citizen Science Programmes or other initiatives or programmes?
...
Describe the currently running solution for authentication and authorisation infrastructure (AAI). (Which specific authentication methods are being used to cater for the different user audiences (e.g. Institutional accounts (eduGAIN), ORCID, Social media, Others - please specify)?)
- Is your AAI solution compliant with the AARC BPA (Blueprint Architecture)?
- Which AARC guidelines are you implementing? (add the table... )
- What are your comments about the BPA implementation? (challenges in implementation, challenges in clarity, technical difficulties etc.)
(introduction material needed to present BPA and the guidelines)
- YES / NO - Guidelines for expressing community user identifiers (AARC-G026)
- YES / NO - Guidelines on expressing group membership and role information (AARC-G002) (superseded by AARC-G069)
- YES / NO - Guidelines on expressing group membership and role information (AARC-G069)
- YES / NO - Specification for expressing resource capabilities (AARC-G027)
- YES / NO - Guidelines for expressing affiliation information (AARC-G025)
- YES / NO - Inferring and constructing voPersonExternalAffiliation (AARC-G057)
- YES / NO - Exchange of specific assurance information between Infrastructures (AARC-G021)
- YES / NO - Guidelines for evaluating the combined assurance of linked identities (AARC-G031)
- YES / NO - A specification for IdP hinting (AARC-G049) (superseded by AARC-G061)
- YES / NO - A specification for IdP hinting (AARC-G061)
- YES / NO - Specification for hinting an IdP which discovery service to use (AARC-G062)
- YES / NO - A specification for providing information about an end service (AARC-G063)
- YES / NO - Guidelines for Secure Operation of Attribute Authorities (AARC-G071)
...
- Does the Research Infrastructure have an access policy? (the access policy governs who can access the infrastructure, under what conditions)
- Is there a formalised procedure to manage access rights to services (e.g. cooperation agreement, call for application and evaluation, ad-hoc individual order/access, member of an organisation, etc.)?
- How do you implement the policy for access management (e.g. how is the individual who can access the research data/measurement data/your research instrument identified and authorised)?
- Would it help to provide options for the information required by the AAI to authorise access? Please select any of the following options that apply: (try first without asking the list)
- (a) Based on the user's membership in group(s). If YES, do these groups need to be managed within your RI or within external RIs?
- (b) Based on user attributes required to access specific resources a user is allowed to access or perform certain actions. If YES, do these capabilities need to be managed within your RI or within external RIs? (ask Nicolas for the example? e.g. ESI?)
- (c) Based on affiliation of the user with their home institute
- (d) Based on identity assurance (e.g. level of identity proofing, freshness of affiliation information),
- (e) Based on the authentication method (e.g. Multi-Factor Authentication - MFA),
- (f) Other?
- What are the requirements for identification of the users (e.g. required information, LoA, authentication method)?
Would it help to provide options for the information required by the AAI to identify the user? Please select any of the following options that apply, e.g.:
(a) Globally unique persistent identifier,
(b) Name (First / Last name),
(c) Email,
(d) Affiliation with the home institute,
(e) Identity assurance (e.g. level of identity proofing, freshness of affiliation information),
(f) Authentication method (e.g. Multi-Factor Authentication - MFA),
(g) Other
D. Workflow
1. Can you describe the research workflows?
(consider 2 aspects: producer side and consumer side)
(guidance only - currently a bit technical)
Would it help to provide options for the service types? E.g. Please select the most appropriate service types for services in your RI:
a. Browser Accessible Service: A service that provides a web interface that can be accessed by users using their browsers (e.g. A research data visualisation tool accessible through a web browser).
b. API Consumed by or on behalf of Users: A service that provides an API that can be consumed programmatically by the end users or by other services using user-delegated credentials (e.g. A data analysis API allowing researchers to programmatically retrieve and analyse datasets).
c. API Consumed by Services: A service that provides an API meant to be consumed by other services. These services do not act on behalf of the user but have their own access rights to the API (e.g. A workflow management system might offer an API for other services to submit data jobs, monitor progress, and retrieve results.).
d. Client consuming Service APIs using delegated user identities: A client that uses access tokens authorised/delegated by end users and which can use these access tokens to access “APIs Consumed by or on behalf of Users” (e.g. A research collaboration platform might offer an API for data analysis tools. Researchers can authorise these tools to access their research data stored on the platform using delegated access tokens).
e. Client consuming other Service APIs using its own client identity: A client that uses its own identity and access token to access “APIs Consumed by Services” (e.g. A tool accessing a storage service API using its own client credentials to transfer data).
f. Public Access: A service that does not require users to be authenticated and authorised before they can access its resources (e.g. A public dataset repository where anyone can access datasets without needing to log in). - two sides to this question: on ingress of data into a data source, and on egress, which may be un-authenticated. Does your infra need to distinguish between these two cases?
Based on the workflow we could ask sub-questions such as:
...