CERN Human Resources Registration
CERN requires everyone who is part of ATLAS or US ATLAS to be registered with CERN Human Resources (HR). Generally, it takes up to one week for CERN HR to process registrations. Because it is necessary to register before moving on to the next step for joining the ATLAS Virtual Organization (ATLAS VO), it is advised that users complete this step as soon as possible. For more information, refer to the ATLAS new registration page.
Check Registration Status
All users:
- Browse to the CERN Grey Book database.
- Select ATLAS as the Experiment, enter your Last name in Family Name and click Search.
- If you find yourself in the result, you already are registered with CERN.
- If you cannot find yourself in the result, you must register with CERN.
- Also, check the more recent CERN Phonebook or ATLAS GLANCE database to ensure you are not already listed.
To register with CERN (if necessary):
Your Team Leader must initiate a pre-registraton at https://atlas-secretariat.web.cern.ch/new-registration
At the time of writing this person is Srini Rajagopalan (srinir@bnl.gov).
Users will be contacted by the ATLAS Secretariat via email to confirm registration with further instructions to complete the registration.
- You will be sent a temporary password which will need to be changed
- You will need to provide some proof of identity (a copy of a passport or some other government issued ID) to be uploaded to a CERNBox link provided
- You will need to complete some specified online training classes within a period of time.
Register with ATLAS through Virtual Organization Management Service (VOMS)
Access to ATLAS grid resources is granted by joining the ATLAS VO. This is a three-step process accomplished entirely via the web using the VOMS service. Before proceeding, users must obtain a grid certificate and install it into their browser (Installing a Grid Certificate). If an organization does not provide or recommend a specific certificate authority (CA), users can request a certificate from the CERN Certification Authority.
All users:
- Be sure to use the same browser where you have imported your certificate as the registration page will require the certificate for authentication.
- Read the LCG Usage Rules (Grid Acceptable Use Policy).
- Install the CERN Grid Certificate Authority certificate into the browser. If you have not installed the CERN Grid Certificate Authority certificate into your browser, and choose not to, you may need to add an exception for the site to your browser's security settings in order to trust the site's certificate.
Register for the ATLAS VO
- Browse to the ATLAS IAM server.
Note that a user's personal certificate DN and Certificate Authority are noted on the registration page. If they are not, users must obtain a grid certificate and install it into their browser (Installing a Grid Certificate) before proceeding. - Complete all text fields:
- Given (first) name
- Family (last) name
- Institution
- Phone number (at your institution)
- Address (at your institution)
- Email address (this address must match your primary email address as registered with your CERN user account)
- Read The VO AUP agreement and click the check box to acknowledge and agree to the policy terms.
- Click Submit.
- Users will be presented with a "Confirmation Required" page, which refers to an email they will receive that will include a link to confirm registration request (or to cancel is a request was made in error). This link will remain valid for a one-week activation period. Please use this confirmation link before the expiration date, or the registration application will be discarded automatically.
- Following the confirmation link should result in a page that confirms the VO membership request, and informs the user that a VO administrator will handle the request as soon as possible.
- Users will receive another confirmation email when their request is confirmed. However, If a user receives an error message that the email address is not registered at CERN, she/he may need to wait a day or two after the registration has been confirmed so the information can be completely processed.
Request Group Membership and Specialized Roles
All users:
- Once a VO membership has been confirmed, browse to the ATLAS VO VOMS user page, scroll down to Your Groups and Roles, and ensure you have membership in the proper groups:
- /atlas (all ATLAS VO members need to be in this group, which should be automatically granted upon joining).
- /atlas/usatlas (only needed for US ATLAS group members. Members of other groups or clouds should request membership in their proper groups).
- Note that the /atlas/lcg1 VO group is no longer needed for ATLAS grid authorization. There is no need to request or apply for membership in the lcg1 VO group.
- If group membership is still required, choose the desired group from the drop-down list then click Request Membership. The group managers will review and either grant or reject the membership request.
- Specialized resource managers or production users also may require an additional role be assigned to their membership, such as software or production. Note: These roles are not necessary for most VO users, and requests for them are closely scrutinized by group managers and not granted needlessly. Before anyone can be granted such a role, she/he must have membership in the appropriate group.
- To request a role: in Your Groups and Roles, select the role from the pull-down menu next to the appropriate group name and click Request role. The group managers will review and either grant or reject the role request.
Current Issues
After a recent migration of the VOMRS service to the new VOMS Admin service, a few issues affect user registration and membership.
Nickname Mismatches
Some users' "nickname" attributes have been incorrectly assigned or lost. The nickname in VOMS must exactly match a user's CERN user account name. Otherwise, VOMS will not be able to perform user authentication. If a nickname is set incorrectly or not at all, the current procedure is to email the ATLAS VO Admin list to request a fix.
Primary Email Address Mismatches
Changing a CERN primary email address to anything but the original address, including any aliases, also causes a mismatch with VOMS records and will invalidate VO membership. If users have created their email alias and set it as the primary address for a CERN account, please modify the email address record in VOMS to match. If users are unable to change the email address in VOMS or doing so does not resolve this issue, the current procedure is to email the ATLAS VO Admin list to request a change in email address record such to match the CERN user account primary email.
Mismatched Name Records
Users may encounter strange messages when attempting to access the VOMS Admin service, referring to a missing ID in the session or being flagged inappropriately without a VO membership. The most common cause for this issue is a mismatch in a user's full name between the CERN user account record and VOMS. This is most commonly caused when part of the full name, such as a middle name or suffix, has been lost in the VOMS record. If a user suspects a similar name record mismatch, the current procedure is to open a CERN Service Now ticket with the VOMS service and request restoration of the name record so it matches the CERN user account's full name.
Adding Certificates
If a certificate has changed or a new CA has issued a certificate, users may need to add their new certificate to their existing VO membership. Refer to How to Add Certificates to a VO Membership for the appropriate instructions.
Next Steps
Once approved as a member of the ATLAS VO, users can install your grid certificate and begin using grid software. Note: There may be up to 24 hours of lag between final approval and the point at which all ATLAS sites worldwide will recognize a user's credentials.
Users should visit User Guide for Grid Resources to help set up an environment and create a grid proxy.
Troubleshooting and FAQ
For more information about using grid certificates, VO membership, VOMS, and troubleshooting, please refer to this FAQ.