
IAM4NFDI Deliverable 1.4 - Initial Concept for Rights and Roles Management

Author: Apweiler, Sander; Bonn, Matthias; Hübner, David; Michels, Thorsten; Pempe, Wolfgang
Publisher: Zenodo
DOI: 10.5281/zenodo.17249586
Source: https://zenodo.org/records/17249586/files/iam4nfdi_d1.4_initial_concept_for_rights_and_roles_managament.pdf
IAM4NFDI Deliverable 1.4
Initial Concept for Rights and Roles Management
A short guide to Virtual Organisation Management within the NFDI-AAI
Version 1, October 2025
Authors: Sander Apweiler (1), Matthias Bonn (2), David Hübner (3), Thorsten Michels (4), Wolfgang Pempe (5)
Funded by DFG as part of NFDI, Grant Number: 521453681
Introduction
This document is intended as a concise introduction to the various aspects of Virtual Organisation Management in NFDI-AAI. It brings together the relevant information from the NFDI-AAI Policy Framework and provides a quick overview of the basic principles and key requirements that must be taken into account when implementing and operating a Virtual Organisation (VO). It does not release the operators of a VO from the necessity of reading the original documents, cf. [IAM-Policies].
Technical Background and Terminology
For the technical concept underlying the NFDI-AAI and the associated technical terms, see [IAM-Architecture].
What is a Virtual Organisation (VO)?
A Virtual Organisation is a group of one or more users, not necessarily bound to a single institution, organised with a common purpose, jointly granted access to one or more services. In many cases, a Virtual Organisation unites the users of a specific research community represented by one of the NFDI consortia. It may serve as an entity which acts as the interface between the individual Users and an infrastructure like the NFDI and the NFDI-AAI as part of it. In general, the members of the Virtual Organisation will not need to separately negotiate access with Service Providers. A user can be a member of multiple Virtual Organisations. The Virtual Organisation must define, in its Acceptable Use Policy (AUP), its collective aims and purposes, i.e., the research or scholarship goals of the Virtual Organisation. In order to allow Infrastructures to make decisions on resource allocation, the Virtual Organisation should make this information available to them, and subsequently inform them of any material changes therein [VOMMP]. The Basic Service IAM provides templates for AUPs [IAM-Templates]. The AUP of the VO must refer to the AUP of the respective Community AAI (see next section), which allows the VO-AUP to remain very concise and focus on essential information.

(1) Forschungszentrum Jülich
(2) Karlsruhe Institute of Technology
(3) DAASI International GmbH
(4) RPTU Kaiserslautern-Landau
(5) DFN-Verein
How does it work technically?
The technical framework for VO management is provided by a so-called Community AAI (Authentication and Authorisation Infrastructure). Following the AARC Blueprint Architecture [AARC-BPA], it brings together user identities, community attribute services, authorisation, access protocol translation and, finally, community-specific end-services. In this respect, a Community AAI of this kind provides all the tools needed to manage a Virtual Organisation, particularly with regard to rights and role management, and the resulting access rules for community services. Details on how a VO can be rolled out in a Community AAI can be found in the IAM4NFDI Service Onboarding Handbook [IAM4NFDI-ServiceOnboarding].
How is a Virtual Organisation organised?
The Virtual Organisation must define a Virtual Organisation Management role and assign this role to two or more individuals. The Virtual Organisation Management role should be performed by individuals who can authenticate via an Identity Provider that is connected to or part of the NFDI-AAI, but local admin accounts at the respective Community AAIs can also be an option. The Virtual Organisation Management is responsible for meeting the requirements of the applicable policies of the Infrastructures, and for implementing the necessary procedures and operational requirements.
The Virtual Organisation Management does not necessarily have to be a member of the Virtual Organisation. The role may be delegated to any individual by the Virtual Organisation, including Infrastructure personnel.
The Virtual Organisation Management is responsible for registering the Virtual Organisation with the Infrastructure, i.e. the NFDI. The concrete steps and the requirements for this procedure are outlined in the VO Lifecycle Policy [VOLifecycle].
The Virtual Organisation Management must implement procedures that ensure the accuracy of individual User Registration Data for all Virtual Organisation members who act as responsible persons towards the Infrastructure. The contact information must be verified both at initial collection/registration and on an ongoing basis, and only stored and processed in compliance with applicable Data Protection legislation. Other Virtual Organisation roles, such as additional management personnel and security contacts, must be defined and assigned to individuals as required by the Infrastructure [VOMMP]. Changes in these roles must be communicated promptly.
User Management
The Virtual Organisation Management is responsible for the Virtual Organisation Membership life cycle process for its Users. This responsibility may be devolved to designated personnel in the Virtual Organisation or in the Infrastructure, and their trusted agents such as Institute Representatives or Service Managers.
The VO's membership lifecycle comprises the following aspects and related processes:
• Registration
• Assignment of Attributes
• Changes of Assurance Levels
• Renewal
• Suspension
• Termination
The individual points are described in detail in the Virtual Organisation Membership Management Policy [VOMMP]. The (personal) data collected and stored about a user must comply with the Infrastructure Attribute Profile [IAP].
Access Management - Authorisation
As mentioned at the beginning, the main purpose of a VO is to organise and manage access to community services for its users/members. As part of the User Management, users are assigned to specific groups (or roles). Depending on the granularity of access management, mere membership of a VO may be sufficient to authorise access to a specific service; otherwise, this is done on the basis of additional group memberships or sub-VOs.
This membership information is transmitted to a service via the entitlements claim (or the corresponding SAML attribute) according to a well-defined syntax. Users can be organised in hierarchical groups (i.e. VOs and sub-VOs). Each group membership claim (or attribute) value represents a particular position of the user within a VO. A user may be a member or hold more specific roles within a VO. Groups are organised in a tree structure, meaning that a group may have subgroups, which in turn may have subgroups, etc. This hierarchical structure implies that if someone is a member of a subgroup, then they are also a member of the parent group. For detailed information, please refer to the AARC Guidelines for expressing group membership and role information, AARC-G069 [AARC-G069].
Example:
"urn:geant:dfn.de:nfdi.de:<consortium>:group:<vo-name>:<sub-vo>"
Another approach is for the VO to make specific statements about what a user may do, e.g. whether or not to start VMs, or which datasets may be accessed. In this case, we talk about Resource Capabilities. This information is also transmitted via the entitlements claim, but then using the res and act keywords - see AARC-G027 [AARC-G027].
Example:
"urn:geant:dfn.de:nfdi.de:<consortium>:res:ant-dataset-42:act:read",
"urn:geant:dfn.de:nfdi.de:<consortium>:res:vm_xyz:act:start-vm"
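The two entitlement shapes above (group membership per AARC-G069 and resource capabilities per AARC-G027), evaluated the way a service consuming the entitlements claim would evaluate them, as an added example that is not part of the original document or of any NFDI-AAI software. The namespace prefix and the group/res/act layout follow the page; the consortium, VO and resource names in the sample claim are constructed placeholders. It generalises the page's single group example to arbitrary nesting depth by implementing the parent-group implication as a path-prefix match, while capabilities are matched exactly.

```python
# Added example (not from the IAM4NFDI document): evaluating entitlement
# values of the two shapes the text describes, using the page's namespace:
#   group (AARC-G069):      urn:geant:dfn.de:nfdi.de:<consortium>:group:<vo>:<sub-vo>...
#   capability (AARC-G027): urn:geant:dfn.de:nfdi.de:<consortium>:res:<resource>:act:<action>
PREFIX = ("urn", "geant", "dfn.de", "nfdi.de")


def parse_entitlement(value):
    """Return ("group", consortium, path) or ("res", consortium, resource, action),
    or None for values outside the NFDI namespace or of an unknown shape."""
    parts = tuple(value.split(":"))
    if parts[:4] != PREFIX or len(parts) < 7:
        return None
    consortium, kind, rest = parts[4], parts[5], parts[6:]
    if kind == "group":
        return ("group", consortium, rest)
    if kind == "res" and len(rest) == 3 and rest[1] == "act":
        return ("res", consortium, rest[0], rest[2])
    return None


def is_member(entitlements, consortium, *group_path):
    """Group membership: a subgroup entitlement implies membership of every
    parent group, so a prefix match on the group path is sufficient."""
    n = len(group_path)
    return any(
        e is not None and e[0] == "group" and e[1] == consortium
        and e[2][:n] == group_path
        for e in map(parse_entitlement, entitlements)
    )


def may_act(entitlements, consortium, resource, action):
    """Resource capability: requires an explicit (resource, action) pair;
    unlike groups, nothing is implied by a neighbouring capability."""
    return any(
        e == ("res", consortium, resource, action)
        for e in map(parse_entitlement, entitlements)
    )


# Constructed sample claim (placeholder consortium, VO and resource names)
SAMPLE_CLAIM = [
    "urn:geant:dfn.de:nfdi.de:consortium-x:group:example-vo:analysis",
    "urn:geant:dfn.de:nfdi.de:consortium-x:res:dataset-42:act:read",
    "urn:geant:dfn.de:nfdi.de:consortium-x:res:vm_xyz:act:start-vm",
    "urn:geant:other.org:group:example-vo",  # foreign namespace: ignored
]
```

A service that only needs VO-level access checks `is_member(claim, consortium, vo)` and gets a match from any sub-VO entitlement, which is exactly the parent-group rule the text states.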
In addition to this information managed by the VO, an authorisation decision may include data provided by external sources like an Identity Provider of a Home Organisation (Home IdP) or an identity proxy such as the DFN edu-ID Portal. In this context, usually three types of information are relevant:
• The affiliation to a specific Home Organisation (university, research centre) and its type, e.g. student, staff, faculty...
• Identity assurance, i.e. the information on how reliable a digital identity is, how the identity vetting process by the Home Organisation is organised, etc. The REFEDS Assurance Framework has become the standard here and is widely accepted nowadays [REFEDS-Assurance].
• Authentication context, i.e. information about how a user was authenticated, e.g. via username and password, via WebAuthn, and whether a second factor was used. As for the latter, a Community AAI could also provide a step-up authentication service for users that come with a single-factor authentication context from their Home IdP.
In the end, it is up to the respective service operator to decide, together with the VO, which information and factors are required for authorisation. It is strongly recommended to keep this as simple as possible and ideally based on group memberships.
Further Aspects of VO Management
Apart from the user and access management, there are some additional aspects to consider when operating a VO (for a detailed description, please refer to the Virtual Organisation Membership Management Policy [VOMMP]).
Processing of Personal Data and Data Protection
The Virtual Organisation must have policies and procedures addressing the protection of the privacy of individual users with regard to the processing of their Personal Data collected as a result of their membership in the VO and of their access to services made available by the VO. These policies must be made available in a visible and easily accessible way and users must explicitly acknowledge acceptance of these policies through the AUP and registration process.
Audit Log and Traceability
The Virtual Organisation must record and maintain an audit log of all membership lifecycle transactions (see above, User Management). At the technical level, this is usually handled by the respective Community AAI implementation. This audit log must be kept for a minimum period consistent with the traceability and logging policies of all infrastructures that provide services to the VO.
Registry and Registration Data
The Virtual Organisation must operate, or have operated on its behalf, a registry that contains the membership data of the VO. This registry must be operated in a secure and trustworthy manner and in compliance with the security requirements of the VO and the NFDI in terms of authentication, authorisation, access control, physical and network security, security vulnerability handling and security incident handling. As for the latter, the VO must comply with the Security Incident Response Procedure Policy [SIRP], which is based on the widely-accepted Security Incident Response Trust Framework for Federated Identity (Sirtfi) [SIRTFI].
Formal Requirements
From the points discussed above and the underlying policies, the following formal requirements can be derived that need to be taken into account for a Virtual Organisation:
☐ Provide an Acceptable Use Policy for the Virtual Organisation, including
• A reference to the AUP of the respective Community AAI (see Appendix)
• The email addresses of the VO Managers
(An AUP template is available at [IAM-Templates])
☐ Provide a Privacy Statement for the VO, including
• Contact data (at least email address) for data protection issues, data protection officer or the like
(Privacy Statement Templates in both German and English are available at [IAM-Templates])
☐ Check the VO Lifecycle Policy (available at [IAM-Templates]) and provide
• Contact data of VO Managers and
• A security contact (incident response)
Please note: At the time of writing this document (August 2025), the role of an NFDI VO Supervisor is not assigned yet. Please send the VO registration data to aai-helpdesk@lists.nfdi.de. The IAM project team will keep this information and pass it on to the relevant person(s) as soon as the governance concept of the NFDI-AAI is fully implemented.

Bibliography
[AARC-BPA] AARC Blueprint Architecture, https://aarc-community.org/architecture/
[AARC-G027] AARC Consortium Partners, & AppInt members. (2018). Specification for expressing resource capabilities (AARC-G027). Zenodo. https://doi.org/10.5281/zenodo.2247446
[AARC-G069] Valeria Ardizzone, Dominik František Bučík, Marcus Hardt, Stefan Helmer, Jens Jensen, Ivan Kanakarakis, Christos Kanellopoulos, Nicolas Liampotis, Mikael Linden, & Mischa Sallé. (2022). Guidelines for expressing group membership and role information (AARC-G069). Zenodo. https://doi.org/10.5281/zenodo.6533400
[IAM-Architecture] NFDI-AAI Architecture, https://doc.nfdi-aai.de/architecture/
[IAM4NFDI-ServiceOnboarding] Pempe, W., Gietz, P., Michels, T., Bonn, M., Hübner, D., Apweiler, S., Hardt, M., & Wong, S.-L. (2025). IAM4NFDI Service Onboarding Handbook. Zenodo. https://doi.org/10.5281/zenodo.15629651
[IAM-Policies] IAM4NFDI Policy Framework, https://doc.nfdi-aai.de/policies/
[IAM-Templates] IAM4NFDI Policy Framework, Policy Templates at https://doc.nfdi-aai.de/policies/#nfdi-policy-templates
[IAP] IAM4NFDI, Infrastructure Attribute Policy (v0.9.4), https://doc.nfdi-aai.de/policies/#nfdi-policies
[REFEDS-Assurance] REFEDS Assurance Framework version 2.0, https://refeds.org/assurance
[SIRP] IAM4NFDI, Security Incident Response Procedure (v0.9.4), https://doc.nfdi-aai.de/policies/#nfdi-policies
[SIRTFI] Security Incident Response Trust Framework for Federated Identity (Sirtfi), https://refeds.org/sirtfi
[VOLifecycle] IAM4NFDI, Virtual Organisation Lifecycle Policy (v0.9.4), https://codebase.helmholtz.cloud/m-team/nfdi/nfdi-policies/-/jobs/artifacts/v0.9.4/raw/91_VO-lifecycle.pdf?job=build-docs
[VOMMP] IAM4NFDI, Virtual Organisation Membership Management Policy (v0.9.4), https://codebase.helmholtz.cloud/m-team/nfdi/nfdi-policies/-/jobs/artifacts/v0.9.4/raw/01_CAAI-VOMMP.pdf?job=build-docs
Appendix: Community AAI AUPs
Academic ID and Academic Cloud
• https://academiccloud.de/terms-of-use/
didmos CAAI
• https://docs.didmos.nfdi-aai.de/policy/caai-aup-en.html
NFDI RegApp Community AAI
• https://www.isb.kit.edu/english/138.php
Unity / Helmholtz AAI / Punch AAI
• https://login.helmholtz.de/unitygw/hifis/files/acceptable-use-policy.html