Restricting access to the service
The AAI provides advanced functionality to restrict access to the service based on some specified rules. One of these rules can be a requirement of membership in at least one of the specified organizational units (groups). Following is the description of setting up such a requirement.
In general, you have to take these steps:
Create organizational units (see How to create a group)
Assign users to the units
Create links (see How to create a resource)
Configure units to gain access to the service (see How to assign groups)
Update service configuration (see Enable membership check)
In the following descriptions, some words might appear you can be unfamiliar with
Facility - representation of the service in the AAI
organization / virtual organization - an organizational unit that is on the top of the hierarchy, contains groups
group - organisational unit, can be nested under an organisation as well as under a group, contains users
resource - link between the group and facility
How to create a group
Open the link https://perun.aai.cesnet.cz/ and log in with your AAI account.
Click the button “Access management” in the side navigation. You will be presented with a table containing organizations. You can select the organization you wish to use. If you do not have any, you can use entry with the short_name einfra or name CESNET e-infrastruktura.
From the overview, click the “Groups” tile. You will see a list of the groups. This page also contains a button “Create”. Click it and you will be presented with a dialogue for creating a new group.
Fill in the name and description. Then submit the dialogue.
Your group is ready to be used. You can add new managers, users, set up an application form…
How to create a resource
Open the link https://perun.aai.cesnet.cz/ and log in with your AAI account.
Click the button “Facility management” in the side navigation. You will be presented with a table containing facilities. Select the facility representing the service you wish to configure.
Click “Resources” tile. Now you should see a list of resources that are created for this facility. This page also contains a button “Create”. Click it and you will be presented with a dialogue for creating the resource.
Fill in the name, description and select which organization the resource is for.
Your resource is created and is ready to be linked with groups.
How to assign groups
Please select the process according to your role. Choose one of the options:
I am a group/VO manager
Open the link https://perun.aai.cesnet.cz/ and log in with your AAI account.
Click the button “Facility management” in the side navigation. You will be presented with a table containing facilities. Select the facility representing the service you wish to configure.
Click on the “Resources” tile. You will now see all the resources associated with your service.
In the “Assigned groups” you can manage what groups are associated with this resource.
Click on the “Add” button and select what groups should be associated with this resource.
I am not a group/VO manager
Please notify the relevant facility manager to contact the VO manager.
I don´t know my role
Please contact the support team at login@cesnet.cz.
Enable membership check
In the SPReg application (https://spreg.aai.cesnet.cz/spreg/ ) navigate to the detail of your service.
Click on the “Modify settings button”.
Under the “Access control” category, enable the “Check group membership” option
You can also enable “Allow registrations to the service”. This will trigger behavior, that if the user is not allowed to access the service, he/she will be offered to register to gain access. Registration can be configured via the two options following.
- If you fill in the registration URL, users will be redirected to this specified URL.
- If you select “Delegate registration to the AAI” option, user will be offered to register into the groups assigned to the resources of the service (facility). Please note that only the groupswith application form configured will be used. If no such group exists, users will be redirected to a page stating they are not authorized to access the service.
Submit the form. AAI operators will review your request. After it is approved, configuration will be reflected in the service settings and access will be restricted.
Support: perun@cesnet.cz