By John Steven De… | Fri, 05/07/2021 - 12:08

Prior to approval, any new requests for Virtual Organization (VO) membership should be verified for existing CERN accounts to prevent creating duplicate memberships.

This procedure is intended only for VO administrators. It may be useful to open a separate browser window for each of the necessary sites (VOMS Admin, CERN Accounts, etc.).

Approving VO Membership Requests

  1. Browse to the VOMS Admin interface.
  2. Check the VO membership requests for any outstanding requests.
  3. Verify that the requestor does not have an existing membership:
    • Copy (or memorize) the requestor's email address or family name.
    • In the top navigation bar under Browse, click Users.
    • Under Users, paste (or type) the requestor's email address or family name and click Search Users.
    • If a membership exists, the new request should be merged with the existing membership record.
    • If a membership does not exist, click the [Display another user] link on the CERN Accounts Management page (requires login to CERN via a NICE SSO account) and search for the user's email address or family name.
    • If the user has multiple accounts, obtain the user name from her/his ATLAS account or the 'zp' user group.
    • If a membership record does not appear, the request should not be approved without further clarification from CERN and the user.
    • If a membership record is present, click the user's name and obtain the user's CERN user account name from the Accounts field of the record.
  4. Back in the VOMS Admin interface, click Approve for the membership request.
  5. Browse and search for the user's new membership record and click More Info.
  6. In the new membership record under Generic Attributes, ensure Attribute Name is set to nickname, paste the user's CERN account user name into the Attribute Value field, and click Set Attribute.
  7. Confirm that the nickname field has been set.

Approving US ATLAS VO Group Membership Requests

The procedure for admission to the `usatlas` VO group is largely the same as the VO membership procedure above, with the addition of checking the user's current institutional affiliation in the CERN Greybook or the ATLAS GLANCE database:

  • If the user's institution is in the United States, the request should be approved.
  • If the user's institution is not in the United States, contact the user to determine whether a unique situation or understanding permits or requires access to US ATLAS resources. If not, the request should be rejected, with the explanation that the `usatlas` VO group is exclusive to US ATLAS collaborators.

Note that the VO group `usatlas3` is not used anywhere in ATLAS, and that requests for this group can be denied, with the explanation that the user likely wants membership in the `usatlas` VO group instead.

Merging VO Membership Requests

If a membership record already exists for a user, the new request should be merged with the existing membership record.

  1. Copy the newly requested certificate distinguished name (DN) and note the issuing certification authority (CA) name from the new membership request in the VOMS Admin interface.
  2. In the top navigation bar under Browse, click Users.
  3. Under Users, paste (or type) the requestor's email address or family name and click Search Users.
  4. Identify the existing record associated with the user and click More Info.
  5. On the user's record page under Certificates, click Add a New Certificate.
  6. Paste the requested new DN into the Certificate Subject (DN) field.
  7. Choose the associated issuing CA name in the CA pull-down and click Add Certificate.
  8. On the VOMS Admin home page under Pending Administrative Requests, find the new request for the user's DN that was just merged and click Reject. When prompted, enter a reason for the rejection (e.g., "User already has a VO membership. Requested certificate has been added to existing membership.").

Merging VO Memberships

When duplicate VO memberships exist for the same user, the membership records need to be merged, which refers to the manual process of replicating membership data and deleting one or more duplicate records, leaving one active and complete record intact. This is accomplished by:

  1. Opening the duplicate records in separate browser windows (one window per membership record).
  2. Duplicating the user's contact information and membership groups and roles from duplicate record(s) to the record that will be maintained.
  3. Copying the DNs (and CAs, if necessary) of any certificates existing in duplicate records. Note: these must be copied outside of VOMS Admin as the service does not permit a single DN to be registered to multiple membership records at one time.
  4. Ensuring that all information in the active membership record accurately and completely reflects that of the record(s) to be deleted (excepting certificates to be added later).
  5. Deleting the duplicate records by clicking Delete this User.
  6. Adding the certificates from the deleted duplicate record(s) to the remaining record.
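The duplicate check, the merge-or-approve decision for a pending request, and the ordering constraint in the duplicate-record merge above, as an added in-memory illustration that is not code from this page or from VOMS Admin itself; the record layout, method names and sample data are constructed for the example:

```python
"""Added illustration, not code from the page or from VOMS itself: an in-memory
model of the checks behind the approval and merge procedures above. The record
layout, method names and sample data are all constructed for the example."""
from dataclasses import dataclass, field

@dataclass
class Member:
    email: str
    family_name: str
    groups: set = field(default_factory=set)
    certs: dict = field(default_factory=dict)  # certificate DN -> issuing CA

class Registry:
    """Membership records; like VOMS Admin, refuses one DN under two records."""
    def __init__(self):
        self.members = []

    def add_cert(self, member, dn, ca):
        owners = [m for m in self.members if dn in m.certs and m is not member]
        if owners:
            raise ValueError(f"DN already registered to {owners[0].email}")
        member.certs[dn] = ca

    def find(self, email, family_name):
        """Duplicate check: match on e-mail (case-insensitive) or family name."""
        return [m for m in self.members
                if m.email.lower() == email.lower()
                or m.family_name.lower() == family_name.lower()]

    def handle_request(self, email, family_name, dn, ca):
        """'approve' creates a record for a new user; 'merge' attaches the DN/CA
        to the one existing record (the request itself is then rejected);
        'clarify' means several records match and an admin must decide."""
        matches = self.find(email, family_name)
        if not matches:
            self.members.append(Member(email, family_name, certs={dn: ca}))
            return "approve"
        if len(matches) > 1:
            return "clarify"
        self.add_cert(matches[0], dn, ca)
        return "merge"

    def merge_duplicates(self, keep, dup):
        """Copy groups and certificate DNs out of dup, delete dup, then re-add
        the certificates: adding them first would hit the one-DN rule."""
        keep.groups |= dup.groups
        saved = dict(dup.certs)  # held outside the record, as the text requires
        self.members.remove(dup)
        for dn, ca in saved.items():
            self.add_cert(keep, dn, ca)
        return keep
```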

Managing Expired VO Memberships

ATLAS has implemented a purge of ATLAS VO memberships one month after their expiration, which may confuse users who once had a VO membership, let it expire, and can no longer find a record of their membership. You can search the VOMS Audit Log for a record of this deletion, but without knowing exactly when the user's membership lapsed, you may need to search the Audit Log for a month or even longer back in the past to find the deletion record and date.

Once the VO membership has been deleted, the user will need to re-apply for membership as a new member, following the Register for the ATLAS VO section of the Joining the ATLAS VO page.

Notable Feature

As of this writing, the VOMS Admin service hosted at CERN can become sluggish or time out when performing multiple administrative tasks. If an action results in an error message referring to a "bad" or "missing" token, the action request has timed out and needs to be repeated. In the case of approving VO membership and group requests, this often means refreshing the main "admin.home" page again and clicking the Reject or Approve button quickly before the session times out again.