Under construction
A. Generic
- Which Research Infrastructure (RI) are you representing?
- Which type of science are you serving ? (Frascati manual of Fields of Research and Development (FORD)) (can we compile a list!?)
- Please provide description about the research infrastructure (e.g. which kind of instrastructure and related services are delivered and by whoom, is there a formalised collaboration etc.)
Would it help to provide options for the service types? E.g. Please select the most appropriate service types for services in your RI:
a. Browser Accessible Service: A service that provides a web interface that can be accessed by users using their browsers (e.g. A research data visualisation tool accessible through a web browser).b. API Consumed by or on behalf of Users: A service that provides an API that can be consumed programmatically by the end users or by other services using user-delegated credentials. (e.g. A data analysis API allowing researchers to programmatically retrieve and analyse datasets).
c. API Consumed by Services: A service that provides an API meant to be consumed by other services. These services do not act on behalf of the user but have their own access rights to the API (e.g. A workflow management system might offer an API for other services to submit data jobs, monitor progress, and retrieve results.).
d. Client consuming Service APIs using delegated user identities: A client that uses access tokens authorised/delegated by end users and which can use these access tokens to access “APIs Consumed by or on behalf of Users” (e.g. A research collaboration platform might offer an API for data analysis tools. Researchers can authorise these tools to access their research data stored on the platform using delegated access tokens).
e. Client consuming other Service APIs using its own client identity: A client that uses its own identity and access token to access “APIs Consumed by Services” (e.g. A tool accessing a storage service API using its own client credentials to transfer data).
f. Public Access: A service that does not require users to be authenticated and authorised before they can access its resources (e.g. A public dataset repository where anyone can access datasets without needing to log in). - two sides to this question: on ingress of data into a data source, and on egress, which may be un-authenticated. Does your infra need to distinguish between these two cases?
- Please provide description of the user audience (e.g. number of users, distribution over the globe and organisations)
- Would it make sense to also ask for the specific authentication methods being used (e.g Institutional accounts (eduGAIN), ORCID, Social media, Others - please specify)
- Do you (also) cater for users from the citizen scientists or industry users?
- Is the RI member of European Open Science Cloud (EOSC)?
- Is the RI participating in Citizen Science Programmes or other initiatives or programmes?
B. AAI solution
Describe the currently running solution for authentication and authorisation infrastructure (AAI).
- Is your AAI solution compliant to AARC BPA (blueprint architecture)?
- Which AARC guidelines are you implementing? (add the table... )
- YES / NO - Guidelines for expressing community user identifiers (AARC-G026)
- YES / NO - Guidelines on expressing group membership and role information (AARC-G002) (superseded by AARC-G069)
- YES / NO - Guidelines on expressing group membership and role information (AARC-G069)
- YES / NO - Specification for expressing resource capabilities (AARC-G027)
- YES / NO - Guidelines for expressing affiliation information (AARC-G025)
- YES / NO - Inferring and constructing voPersonExternalAffiliation (AARC-G057)
- YES / NO - Exchange of specific assurance information between Infrastructure (AARC-G021)
- YES / NO - Guidelines for evaluating the combined assurance of linked identities (AARC-G031)
- YES / NO - A specification for IdP hinting (AARC-G049) (superseded by AARC-G061)
- YES / NO - A specification for IdP hinting (AARC-G061)
- YES / NO - Specification for hinting an IdP which discovery service to use (AARC-G062)
- YES / NO - A specification for providing information about an end service (AARC-G063)
- YES / NO - Guidelines for Secure Operation of Attribute Authorities (AARC-G071)
C. Policy for access management
- Does the Research Infrastructures have an access policy? (the access policy governs who can access the infrastructure, under what conditions)
- Is there a formalised procedure to manage access rights to services (e.g. cooperation agreement, call for application and evaluation, ad-hoc individual order/access, member of an organisation, etc.)?
- How do you implement the policy for access management (e.g. how is the individual who can access the research research data/measurement data/your research instrument identified and authorised)?
- Would it help to provide options for the information required by the AAI to authorise access? Please select any of the following options that apply: (a) Based on the user's membership in group(s)? If YES, do these groups need to be managed within your RI or within external RIs? (b) Based on user capabilities defining specific resources a user is allowed to access or perform certain actions? If YES, do these capabilities need to be managed within your RI or within external RIs? (c) Based on affiliation of the user with their home institute? (d) Based on identity assurance (e.g. level of identity proofing, freshness of affiliation information), (e) Based on the authentication method (e.g. Multi-Factor Authentication - MFA), (f) Other?
- What are the requirements for identification of the users (e.g. required information, LoA, authentication method)?
Would it help to provide options for the information required by the AAI to identify the user? Please select any of the following options that apply: e.g. (a) Globally unique persistent identifier, (b) Name (First / Last name), (c) Email, (d) Affiliation with the home institute, (e) Identity assurance (e.g. level of identity proofing, freshness of affiliation information), (f) Other)
D. Workflow
1. Can you describe the research workflow?
Based on the workflow we could ask sub-quesions such as:
- Are the research data and databases of the Research Infrastructure accessible
- yes, they are continuously accessible both inside and outside the institution
- yes, they are continuously accessible from within the institution
- Accessible to others on a case-by-case basis
- Not accessible to others
- During the access of the Research Infrastructure which method is used (more than one option can be marked):
- Providing measurement/database access based on research collaboration
- Provision of measurement/database access for based on a contract
- Measurements/database access with customer/requester access
- Taking measurements/database access by providing online/remote access
- Measurements/database access with data processing and evaluation
- Other: (describe)
- We could consider the following questions to understand if their AAI acts as a Community AAI, Infrastructure Proxy or both (alternatively these questions could be moved to Section B - AAI solution):
- Do users of your Research Infrastructure access services provided by other Infrastructures using your AAI? If yes, can you describe? (Please also mention your future plans in this area)
Do users of other infrastructures access services provided by your Research Infrastructure using your AAI? If yes, can you describe? (Please also mention your future plans in this area.)
E. Requirements
- Can you describe further requirements, gaps and challenges?
As we collect the answers, we will try to identify common requirements. We can use the EOSC AAI requirements as basis for this:
- Stronger Authentication Methods → Is the requirement to have stronger authentication methods in general, or is it specifically for accessing sensitive data? Stronger authentication methods could be employed to support the requirement for access to sensitive data.
- Develop a policy requiring the community participants to provide a centralised point for managing data release decisionas
- Support for EU Digital Identity Wallets (EUDI Wallet)
- Better user experience for authentication process
- Scalable solution limiting the number of consent requests in compliance with the GDPR
- Develop a sustainable solution for managing (de)provisioning rules in the locally deployed solutions of participating entities and transferring them through EOSC AAI to the end-service integration point. (Manage locally and transfer them through the whole flow)
- Dynamically establishing trust in a distributed environment
- Provide solutions for an identity beyond the research and education community in support of public sector and private sector services.
- Scalable authorization model in EOSC AAI
- Identity Vetting
What about Policy related questions, e.g.:
- Is there a GDPR Data Controller designated for the AAI?
- Has the AAI designated a security contact to handle security incidents?
- Does the AAI adhere to SIRTFI or other recognised security frameworks?