Perun user (member) life cycle

Entering VO

There are two ways to enter a VO in the Perun system.

A user can be invited to one of the Virtual Organizations (VOs) by receiving an invitation to submit an application. The second option is automatic synchronization from the database of an external source (e.g. a university database). As soon as the user is registered in a VO, he becomes a member, and his life cycle begins.

Life cycle

[Figure: member life cycle diagram (userlifecycleEdited.png)]

  1. The user enters the VO and becomes a member. The initial state in the VO is INCOMPLETE.

  2. Once the required attributes are set correctly and checked, the state changes to ACTIVE. The member is now active in the VO.

  3. A member in the ACTIVE state has access to services.

  4. The VO manager can set an expiration date. In that case the member has to apply for an extension of membership (by email, according to the VO's rules) or extend it himself. Otherwise the membership is switched to the EXPIRED state after the expiration date, and the member becomes inactive in the VO.

  5. A member in the EXPIRED state can still have access to services; the service administrator decides whether to grant it.

  6. The expired member may apply for an extension of membership and become active again, in the ACTIVE state.

  7. If the member is not interested in renewing membership, he may be switched (manually or automatically) to DISABLED, the final state in the VO. The system behaves towards the user as if he were not in the VO.

  8. If the member re-submits the application to the VO, ACTIVE status is restored.

  9. If the member is not interested in re-submitting the application, his data in the VO is removed and the member no longer exists. If the user later wants to become a member again, he/she must apply for membership anew.
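The nine steps above form a small state machine, and it is easier to reason about the allowed transitions when they are written down as code. The following Python model is an added illustration, not Perun's own code: the state names are the page's (INCOMPLETE/INVALID, ACTIVE/VALID, EXPIRED, DISABLED) and the transitions follow the steps, while the Member class, the function names, the REQUIRED_ATTRIBUTES list and the sample member are assumptions made here. The REMOVED marker stands for "member data deleted" (step 9) and is not a Perun status.

```python
# Added model of the VO membership life cycle described in the steps above.
# Not Perun's code: Member, the function names and REQUIRED_ATTRIBUTES are assumed here.
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Optional


class Status(Enum):
    INCOMPLETE = "INCOMPLETE"  # initial state (also called INVALID): no service access
    ACTIVE = "ACTIVE"          # attributes checked (also called VALID): service access
    EXPIRED = "EXPIRED"        # expiration date passed: access is up to each service
    DISABLED = "DISABLED"      # final VO state: treated as not being in the VO
    REMOVED = "REMOVED"        # marker used here for "member data deleted", not a Perun status


@dataclass
class Member:
    user: str
    attributes: dict = field(default_factory=dict)
    status: Status = Status.INCOMPLETE
    expiration: Optional[date] = None           # None: the VO manager has set no expiration
    history: list = field(default_factory=list)  # (old, new) status pairs


REQUIRED_ATTRIBUTES = ("login", "email")  # assumed; a real VO defines its own required set


def _move(m: Member, new: Status) -> Status:
    m.history.append((m.status, new))
    m.status = new
    return new


def check_attributes(m: Member) -> Status:
    """Step 2: INCOMPLETE becomes ACTIVE once every required attribute is set and non-empty;
    otherwise the member stays INCOMPLETE until the missing attribute is created."""
    if m.status is Status.INCOMPLETE and all(m.attributes.get(a) for a in REQUIRED_ATTRIBUTES):
        return _move(m, Status.ACTIVE)
    return m.status


def run_expiration(m: Member, today: date) -> Status:
    """Step 4: an ACTIVE member whose expiration date has passed is switched to EXPIRED."""
    if m.status is Status.ACTIVE and m.expiration is not None and today > m.expiration:
        return _move(m, Status.EXPIRED)
    return m.status


def extend_membership(m: Member, new_expiration: date) -> Status:
    """Steps 4 and 6: an ACTIVE or EXPIRED member who renews gets a new date and is ACTIVE."""
    if m.status not in (Status.ACTIVE, Status.EXPIRED):
        raise ValueError(f"{m.user}: cannot extend membership from {m.status.value}")
    m.expiration = new_expiration
    return _move(m, Status.ACTIVE)


def disable(m: Member) -> Status:
    """Step 7: an EXPIRED member who does not renew is switched to DISABLED."""
    if m.status is not Status.EXPIRED:
        raise ValueError(f"{m.user}: only an EXPIRED member is disabled, not {m.status.value}")
    return _move(m, Status.DISABLED)


def resubmit_application(m: Member, new_expiration: Optional[date]) -> Status:
    """Step 8: a DISABLED member who re-submits the application has ACTIVE status restored."""
    if m.status is not Status.DISABLED:
        raise ValueError(f"{m.user}: re-submission applies to DISABLED, not {m.status.value}")
    m.expiration = new_expiration
    return _move(m, Status.ACTIVE)


def remove_member(m: Member) -> Status:
    """Step 9: a DISABLED member's VO data is removed; re-joining needs a fresh application."""
    if m.status is not Status.DISABLED:
        raise ValueError(f"{m.user}: only a DISABLED member is removed, not {m.status.value}")
    m.attributes.clear()
    m.expiration = None
    return _move(m, Status.REMOVED)


def walk_full_cycle() -> list:
    """Drives one constructed member through the steps; returns the statuses entered."""
    m = Member("alice", {"login": "alice", "email": ""})  # constructed sample member
    check_attributes(m)                        # email missing: stays INCOMPLETE
    m.attributes["email"] = "alice@example.org"
    check_attributes(m)                        # ACTIVE
    m.expiration = date(2024, 12, 31)          # VO manager sets an expiration date
    run_expiration(m, date(2025, 1, 1))        # EXPIRED
    extend_membership(m, date(2025, 12, 31))   # renewed: ACTIVE again
    run_expiration(m, date(2026, 1, 1))        # EXPIRED again
    disable(m)                                 # no renewal: DISABLED
    remove_member(m)                           # data removed: end of the life cycle
    return [new.value for _, new in m.history]
```

walk_full_cycle() returns the sequence ACTIVE, EXPIRED, ACTIVE, EXPIRED, DISABLED, REMOVED. The transition functions refuse moves the steps do not describe (for example disabling an ACTIVE member directly), which is the check a practitioner wants when mirroring Perun states into a local system.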

Membership states

INCOMPLETE

This is the initial state every new VO member goes through (the page also refers to it as INVALID). The INCOMPLETE state does not yet allow the member to access services. It should last only a few seconds, until the attributes are checked. If the attributes are set incorrectly, the member remains in this invalid state (an exceptional situation) until the relevant attribute(s) are created. The state can be changed by the VO manager or switched automatically according to the VO's settings.

ACTIVE

If all attributes are set correctly, the member enters the ACTIVE state in the VO and can access services. Actual access also depends on how a particular resource is provisioned; it can take minutes (or hours) before the resource becomes accessible to the member.

EXPIRED

A correctly configured VO should limit the membership period with an expiration date. The member has to request a membership renewal according to the VO's rules; otherwise the member is switched to the EXPIRED (inactive) state after the expiration date. In that state the member can use only selected services, but his attributes are still checked continuously. A member in the EXPIRED state can still request renewal of the membership.

DISABLED

Members who are not interested in renewing their membership are switched to the DISABLED state, and access to all VO-related services is denied. The member nevertheless still exists in the VO and can request renewal of his membership, but his attributes are no longer checked. The last part of the life cycle can be the removal of all the member's data in the VO context. If he/she later wants to become a member again, he/she must apply for membership anew, and the life cycle starts again from the INCOMPLETE (INVALID) state.

Information attribute

A member of any VO can be flagged with the information attribute SUSPENDED (BAN). This membership attribute signals that a security incident has occurred and serves as an alert for services. It is up to each service whether to block the user or not.

Life cycle in groups and subgroups

Each VO contains a special group called "members". All VO members are automatically collected in it; it is an example of an authoritative group. Expiration in the VO means expiration in the "members" group, and vice versa.

VO members are often sorted into further groups and subgroups, which makes it easier to manage members and their access to services. In a group, a member can be in one of two states: VALID and EXPIRED.

VALID (ACTIVE)

A VO member enters a group after his membership request is approved, or automatically through synchronization. VALID is the initial state: the member is active in the group and can access its services.

EXPIRED

The group manager can set an expiration date. In that case the member has to apply for an extension of group membership or extend it himself; otherwise the membership is switched to the EXPIRED state after the expiration date. The member becomes inactive in the group and can use only selected services, but his attributes are still checked continuously.
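A service that consumes Perun membership data has to combine three things the sections above describe separately: the VO membership state, the state in the group the service is assigned to (with the "members" group mirroring the VO), and the SUSPENDED (BAN) information attribute, with the decisions the page leaves to the service administrator (serving EXPIRED members, honouring the ban) made explicit. The following is an added example, not Perun's own code: the record layout, the MEMBERS sample data, the ServicePolicy flags and the function names are assumptions; a real service receives this data from Perun in the form its provisioning interface delivers.

```python
"""Added service-side access decision from Perun membership data (not Perun's own code).

Record layout, sample users, ServicePolicy flags and function names are assumed here.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ServicePolicy:
    """Choices the page leaves to the service administrator."""
    allow_expired_vo: bool = False     # EXPIRED VO members "can still have access": admin decides
    allow_expired_group: bool = False  # same decision for EXPIRED group membership
    block_on_ban: bool = True          # SUSPENDED (BAN) is only an alert: the service decides


# Constructed sample records, one per user; "groups" maps group name -> VALID or EXPIRED.
MEMBERS = {
    "alice": {"vo_status": "ACTIVE", "suspended": False, "groups": {"storage": "VALID"}},
    "bob": {"vo_status": "EXPIRED", "suspended": False, "groups": {"storage": "VALID"}},
    "carol": {"vo_status": "ACTIVE", "suspended": True, "groups": {"storage": "VALID"}},
    "dave": {"vo_status": "ACTIVE", "suspended": False, "groups": {"storage": "EXPIRED"}},
    "erin": {"vo_status": "DISABLED", "suspended": False, "groups": {"storage": "VALID"}},
    "frank": {"vo_status": "INCOMPLETE", "suspended": False, "groups": {}},
    "grace": {"vo_status": "ACTIVE", "suspended": False, "groups": {}},
}


def group_status(record: dict, group: str) -> Optional[str]:
    """Status in a group, or None if the user is not in it. The authoritative "members"
    group mirrors the VO: ACTIVE -> VALID, EXPIRED -> EXPIRED, anything else -> not a member."""
    if group == "members":
        return {"ACTIVE": "VALID", "EXPIRED": "EXPIRED"}.get(record["vo_status"])
    return record["groups"].get(group)


def decide(record: dict, group: str, policy: ServicePolicy) -> tuple:
    """Returns (granted, reason). Checks run from the VO outward to the group, with the BAN
    attribute last, so the reason names the first fact that blocks access."""
    vo = record["vo_status"]
    if vo in ("INCOMPLETE", "INVALID"):
        return False, "VO membership incomplete: attributes not yet checked"
    if vo == "DISABLED":
        return False, "VO membership disabled: treated as not in the VO"
    if vo == "EXPIRED" and not policy.allow_expired_vo:
        return False, "VO membership expired and the service does not serve expired members"
    gs = group_status(record, group)
    if gs is None:
        return False, f"not a member of group {group}"
    if gs == "EXPIRED" and not policy.allow_expired_group:
        return False, f"membership in group {group} expired"
    if record.get("suspended") and policy.block_on_ban:
        return False, "SUSPENDED (BAN) set: security incident reported, blocked by policy"
    return True, "access granted"


def evaluate_all(group: str, policy: ServicePolicy) -> dict:
    """Access decision (True/False) for every sample user, keyed by user name."""
    return {user: decide(rec, group, policy)[0] for user, rec in MEMBERS.items()}


if __name__ == "__main__":
    strict = ServicePolicy()
    lenient = ServicePolicy(allow_expired_vo=True, allow_expired_group=True, block_on_ban=False)
    for name, policy in (("strict", strict), ("lenient", lenient)):
        print(name, "storage:", evaluate_all("storage", policy))
        print(name, "members:", evaluate_all("members", policy))
```

With the strict policy only alice is admitted to the "storage" service; switching to the lenient policy additionally admits bob (expired VO membership), carol (banned) and dave (expired group membership), while erin (DISABLED) and frank (INCOMPLETE) stay out under any policy. Against the "members" group, dave and grace are admitted because that group follows the VO state rather than the service's own group.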

Support: perun@cesnet.cz