...

The specific format of these entitlements depends on their issuer.

Info

For security reasons, entitlements from the home Identity Provider which have the same issuer as the current Perun IdM instance are discarded.

Group entitlements

ProxyIdP also releases entitlements based on group membership and on the groups assigned to the service in Perun IdM. For convenience, ProxyIdP releases one entitlement value for each group the user is a member of, provided that group is assigned to a resource on the facility that represents this service.

...

Group entitlements are configured in the Perun IDM. Groups need to be assigned to a resource on the corresponding facility, and ProxyIdP will start releasing related group entitlements automatically (when requested or required by the service).

For example, in this setup:

...

the group entitlements released by the ProxyIdP for the current user and facility are:

  • <NAMESPACE>:group:VO1:Group%20C#<AUTHORITY>

  • <NAMESPACE>:group:VO2:Group%20D#<AUTHORITY>

If you want to disable group entitlements (because you do not use them), you can set the “Disable group entitlements” attribute on each resource for which you do not want group entitlements released.

This feature is currently in beta and is not available on all Perun instances.

Resource capabilities

To prevent access control from breaking when groups are renamed or moved in the group hierarchy, we highly recommend using entitlements in the form of resource capabilities. This form of entitlement effectively represents an M:N mapping of groups to entitlement values; multiple groups may be mapped to the same capability, and also one group may grant users multiple capabilities.

The procedure for generating these entitlements is described in the official specification https://doi.org/10.5281/zenodo.2247446 . The format of each value is:

...

For convenience, if all resources should grant the same capability, you may set the facility attribute “Facility capabilities” to this value instead of adding it to every individual resource. Users in any group on any resource of the facility will then be granted this capability.

For example, in this setup:

...

the resource capabilities released by the ProxyIdP for the current user and facility are:

  • <NAMESPACE>:res:admin#<AUTHORITY>

  • <NAMESPACE>:res:events:write#<AUTHORITY>

Group entitlements are also released in this case, see the other example (above).
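The following is an added model (not ProxyIdP's or Perun's own code) of what the two sections above describe: for one user and one facility it derives the group entitlements and resource capabilities from group assignments, honouring the “Disable group entitlements” resource attribute and the “Facility capabilities” facility attribute. The NAMESPACE and AUTHORITY values are constructed placeholders, and the per-component URL encoding of group names is assumed from the `Group%20C` values shown above.

```python
from dataclasses import dataclass, field
from urllib.parse import quote

# Constructed placeholders; the real values come from the Perun instance
# configuration and are not taken from this page.
NAMESPACE = "urn:example:perun"
AUTHORITY = "perun.example.org"


@dataclass
class Resource:
    """One resource on the facility that represents the service."""
    groups: set                                   # group names (VO:Group) assigned to it
    capabilities: set = field(default_factory=set)  # "Resource capabilities" attribute
    disable_group_entitlements: bool = False      # "Disable group entitlements" attribute


def group_entitlement(group_name: str) -> str:
    # Group hierarchy levels stay separated by ':'; each level is URL-encoded,
    # so "VO1:Group C" becomes "VO1:Group%20C" (assumed encoding rule).
    encoded = ":".join(quote(part, safe="") for part in group_name.split(":"))
    return f"{NAMESPACE}:group:{encoded}#{AUTHORITY}"


def capability_entitlement(capability: str) -> str:
    return f"{NAMESPACE}:res:{capability}#{AUTHORITY}"


def released_entitlements(user_groups, resources, facility_capabilities=()):
    """Entitlements released for a user who is a member of `user_groups`."""
    released = set()
    member_of_any_resource = False
    for res in resources:
        matched = set(user_groups) & res.groups
        if not matched:
            continue  # user is in no group assigned to this resource
        member_of_any_resource = True
        if not res.disable_group_entitlements:
            released.update(group_entitlement(g) for g in matched)
        # A capability set on the resource is granted via any of its groups (M:N).
        released.update(capability_entitlement(c) for c in res.capabilities)
    if member_of_any_resource:
        # Facility-level capability applies to users in any group on any resource.
        released.update(capability_entitlement(c) for c in facility_capabilities)
    return sorted(released)
```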

Info

Replaces https://aai.cesnet.cz/en/index/documentation/sp/proxy/attributes_and_scopes/entitlement and https://docs.google.com/document/d/1Ma6B554tKvI7NCykSgyCtv8TyId4fX8xDNd9hrTPCHg/edit?usp=sharing