New requests for VO membership should be verified for existing CERN accounts, and prevented from creating duplicate memberships, before approval.
This procedure is intended only for VO administrators. It may be useful to open several browser windows, one for each of the necessary sites (VOMS Admin, CERN Accounts, etc.).
Approving VO membership requests
- Browse to the VOMS Admin interface.
- Check under VO membership requests for outstanding requests.
- Verify that the requesting user does not have an existing membership:
  - Copy (or memorize) the requestor's email address or family name.
  - In the top navigation bar, under Browse, click Users.
  - Under Users, paste (or type) the requestor's email address or family name, and click Search Users.
  - If a membership exists, the new request should be merged with the existing membership record (see Merging VO membership requests).
  - If a membership does not exist:
    - Click the [Display another user] link on the CERN Accounts Management page (requires login to CERN via a NICE SSO account) and search for the user's email address or family name. If the user has multiple accounts, obtain the user name from their ATLAS account, or the 'zp' user group.
    - If no record appears for the user, the request should not be approved without further clarification from CERN and the user.
    - If a record is present, click the user's name, and obtain the user's CERN user account name from the Accounts field of the record.
- Back in the VOMS Admin interface, click approve for the membership request.
- Browse and search for the user's new membership record, and click more info.
- In the new membership record, under Generic Attributes, ensure Attribute name is set to nickname, paste the user's CERN account user name into the Attribute value field, and click Set attribute.
- Confirm that the nickname field has been set.
Merging VO membership requests
If a membership record already exists for a user, the new request should be merged with their existing membership record.
- Copy the newly requested certificate DN from the new membership request in the VOMS Admin interface. Also note the issuing CA name.
- In the top navigation bar, under Browse, click Users.
- Under Users, paste (or type) the requestor's email address or family name, and click Search Users.
- Identify the existing record associated with the user, and click more info.
- On the user's record page, under Certificates, click Add a new certificate.
- Paste the requested new DN into the Certificate subject (DN) field.
- Choose the associated issuing CA name in the CA pull-down, and click Add certificate.
- On the VOMS Admin home page, under Pending administrative requests, find the new request for the user's DN that you've just merged, and click reject. When prompted, enter a reason for the rejection (e.g., "User already has a VO membership. Requested certificate has been added to existing membership.").
Merging VO memberships
When duplicate VO memberships exist for the same user, the membership records need to be "merged", which refers to the manual process of replicating membership data and deleting one or more duplicate records, leaving one active and complete record intact. This is accomplished by:
- Opening the duplicate records in separate browser windows (one window per membership record)
- Duplicating the user's contact information, and membership groups and roles, from duplicate record(s) to the record that will be kept
- Copying the DNs (and CAs, if necessary) of any certificates existing in duplicate records (these must be copied outside of VOMS Admin, as the service does not permit a single DN to be registered to multiple membership records at one time)
- Ensuring that all information in the membership record to be kept accurately and completely reflects that of the record(s) to be deleted (excepting certificates to be added later)
- Deleting the duplicate records by clicking Delete this user
- Adding the certificates from the deleted duplicate record(s) to the remaining record.
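The duplicate check in Approving VO membership requests and the merge ordering just described follow from one constraint: VOMS Admin will not let a single certificate DN be registered to two membership records at once. The example below is added here to make that ordering concrete; it is an in-memory model written for this page, not the VOMS Admin API or any VOMS code. The record fields, the Registry class, the function names (find_existing, handle_request, merge_memberships) and the sample records for "Jane Doe" are all constructed for illustration. It shows the search by email or family name, the decision to merge a new request into an existing record rather than approve it, and why certificates from a duplicate record can only be re-added after that record has been deleted.

```python
# Added example: in-memory model of VO membership records, constructed for
# this page. It is NOT the VOMS Admin API; all names and sample data are
# hypothetical. It enforces the one-DN-per-record rule on add_certificate().
from dataclasses import dataclass, field


class DuplicateDNError(Exception):
    """A certificate DN is already bound to another membership record."""


@dataclass
class Membership:
    record_id: int
    email: str
    family_name: str
    certificates: dict = field(default_factory=dict)   # subject DN -> issuing CA
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)     # e.g. nickname -> CERN account


class Registry:
    """Stand-in for the VO membership database."""

    def __init__(self):
        self.records = {}

    def add(self, m):
        self.records[m.record_id] = m

    def find_existing(self, email=None, family_name=None):
        """Search by email address or family name, case-insensitively."""
        hits = []
        for m in self.records.values():
            if email and m.email.lower() == email.lower():
                hits.append(m)
            elif family_name and m.family_name.lower() == family_name.lower():
                hits.append(m)
        return sorted(hits, key=lambda m: m.record_id)

    def add_certificate(self, record_id, dn, ca):
        # The constraint the merge procedure works around: a DN may only be
        # registered to one membership record at a time.
        for other in self.records.values():
            if dn in other.certificates:
                raise DuplicateDNError(f"{dn!r} already on record {other.record_id}")
        self.records[record_id].certificates[dn] = ca

    def delete(self, record_id):
        del self.records[record_id]

    def set_nickname(self, record_id, cern_account):
        self.records[record_id].attributes["nickname"] = cern_account


def handle_request(registry, email, family_name, dn, ca, cern_account, next_id):
    """New request: merge into an existing record when the email matches,
    flag surname-only hits for the CERN Accounts check, otherwise approve
    and set the nickname attribute."""
    by_email = registry.find_existing(email=email)
    if by_email:
        target = by_email[0]
        registry.add_certificate(target.record_id, dn, ca)
        return "merged", target.record_id            # original request is then rejected
    by_name = registry.find_existing(family_name=family_name)
    if by_name:
        return "review", [m.record_id for m in by_name]
    registry.add(Membership(next_id, email, family_name))
    registry.add_certificate(next_id, dn, ca)
    registry.set_nickname(next_id, cern_account)
    return "approved", next_id


def merge_memberships(registry, keep_id, duplicate_ids):
    """Merge duplicates into keep_id in the documented order: copy groups,
    roles and attributes; save DNs and CAs outside the records; delete the
    duplicates; only then add the saved certificates to the kept record."""
    keep = registry.records[keep_id]
    saved_certs = {}
    for dup_id in duplicate_ids:
        dup = registry.records[dup_id]
        keep.groups |= dup.groups
        keep.roles |= dup.roles
        for key, value in dup.attributes.items():
            keep.attributes.setdefault(key, value)
        saved_certs.update(dup.certificates)
    for dup_id in duplicate_ids:
        registry.delete(dup_id)          # must happen before the DNs are re-added
    for dn, ca in saved_certs.items():
        registry.add_certificate(keep_id, dn, ca)
    return keep


def build_sample_registry():
    """Constructed sample data: two records for the same (hypothetical) person."""
    ca = "/DC=org/DC=example/CN=Example CA"
    r = Registry()
    r.add(Membership(1, "jane.doe@example.org", "Doe",
                     certificates={"/DC=org/DC=example/CN=Jane Doe 1": ca},
                     groups={"/vo"}, roles={"/vo/Role=member"},
                     attributes={"nickname": "jdoe"}))
    r.add(Membership(2, "jane.doe@example.org", "Doe",
                     certificates={"/DC=org/DC=example/CN=Jane Doe 2": ca},
                     groups={"/vo", "/vo/analysis"}))
    return r
```

Calling add_certificate on record 1 with the DN still held by record 2 raises DuplicateDNError, which is why merge_memberships deletes the duplicate before re-adding its certificates; handle_request returns "review" rather than auto-merging on a surname match because a shared family name alone is not evidence of the same person.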
Notes
As of this writing, the VOMS Admin service hosted at CERN can become sluggish or time out when performing many administrative tasks. If an action results in an error message referring to a bad or missing token, the action request has timed out and needs to be performed again. In the case of approving VO membership and group requests, this often means refreshing the main 'admin.home' page and clicking the Reject or Approve button again quickly, before the session times out once more.