WLCG AuthZ Call



Participants: Andrea, Andrii, Dave D, Dave K, Federica, Irwin, Jeff, Jeny, Jim, Julie, Linda, Maarten, Marcelo, Mischa, Petr, Tom


  • Subgroups within a VO
    • the "fermilab" VO comprises a number of independent projects
      • those projects need to be distinguished e.g. for accounting
      • and some sites only want to support a few, not all of them
    • IAM supports such use cases via optional groups
    • a single issuer can thus support multiple projects
      • a client just has to ask for the desired group(s)
      • they are returned in their own claim, irrespective of any capabilities
      • groups and capabilities have to be requested separately
      • on the roadmap for CILogon
    • there are such multi-tenant instances at STFC and for the INFN cloud
    • the STFC instance has multiple groups with different managers for different projects
      • 1 issuer handles them all
    • the INFN cloud instance has 2 hierarchies of groups
      • one for infrastructure management
      • one for collaborations
    • there may be some rough edges still
      • e.g. automatic, optional group membership expiration is on the to-do list
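The group handling described above, as an added example (not code from the minutes, from IAM or from CILogon): it assumes the WLCG common JWT profile, in which optional groups are requested with "wlcg.groups:<group>" scopes and arrive in the separate "wlcg.groups" claim, independent of capability scopes. The issuer URL, subject and group names are constructed for illustration; the hierarchical matching rule is a design choice of this example, showing how a site that supports only some projects of a multi-project VO can pick the accepted groups and an accounting project from a single issuer's token.

```python
"""Site-side interpretation of optional VO groups in a WLCG token (added example)."""

# Constructed sample access-token payload for a user in a multi-project VO.
# Placeholder issuer and subject; a real deployment verifies the signature,
# "iss", "aud" and "exp" before looking at any other claim.
SAMPLE_CLAIMS = {
    "iss": "https://iam.example.org/",
    "sub": "user-0001",
    "wlcg.ver": "1.0",
    "scope": "storage.read:/ wlcg.groups:/fermilab/nova",
    # groups come back in their own claim, irrespective of capabilities
    "wlcg.groups": ["/fermilab", "/fermilab/nova", "/fermilab/nova/production"],
}


def scopes_to_request(groups, capabilities):
    """Build the scope string for a token request.

    Groups and capabilities must be requested separately: a group is asked
    for via a "wlcg.groups:<name>" scope, a capability via its own scope.
    """
    group_scopes = ["wlcg.groups:" + g for g in groups]
    return " ".join(group_scopes + list(capabilities))


def in_group_subtree(group, supported):
    """True if `group` equals `supported` or lies below it in the hierarchy.

    Matching is on whole path segments, so "/fermilab/novax" does not match
    a site that supports "/fermilab/nova".
    """
    return group == supported or group.startswith(supported.rstrip("/") + "/")


def accepted_groups(claims, site_supported):
    """Return the token's groups that fall under a project the site supports.

    Membership is read from the "wlcg.groups" claim only and never inferred
    from capability scopes; a token without the claim yields no groups.
    """
    groups = claims.get("wlcg.groups", [])
    return [g for g in groups
            if any(in_group_subtree(g, s) for s in site_supported)]


def accounting_project(claims, site_supported):
    """Pick the most specific accepted group for accounting, or None."""
    accepted = accepted_groups(claims, site_supported)
    if not accepted:
        return None
    return max(accepted, key=lambda g: g.count("/"))


if __name__ == "__main__":
    site = ["/fermilab/nova", "/fermilab/dune"]  # projects this site supports
    print(scopes_to_request(["/fermilab/nova"], ["storage.read:/"]))
    print(accepted_groups(SAMPLE_CLAIMS, site))
    print(accounting_project(SAMPLE_CLAIMS, site))
```

A site that does not support a project simply gets an empty list back and can refuse the request, while the accounting record takes the deepest accepted group, which is what distinguishes the projects of the "fermilab" VO without needing a separate issuer per project.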


  • VOMS-Admin API use cases
    • the SCIM API will need to be used at least for extended queries
      • e.g. groups, certificates, suspensions
      • clients must be registered because such information is sensitive
      • explicit registrations are good, provided their numbers are sustainable
        • OK for central VO services like Rucio
        • 1 per site (if needed for some use case) would also be tolerable
      • the client registration request workflow could be enhanced if needed
    • the ESCAPE project found their Rucio not being updated with new users
      • their IAM client was not prepared for pagination of the returned list of users
    • ATLAS AMI service experts ran into the CERN HR ID not being exposed yet
      • will be added soon
    • meetings will be organized with GGUS and Operations Portal devs at some point
    • so far there does not seem to be a clear requirement for a "mkgridmap" service
      • to be assessed further in the coming months
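The pagination problem reported by ESCAPE, as an added example (not ESCAPE's, Rucio's or IAM's code): it assumes a standard SCIM 2.0 list endpoint (RFC 7644), where the request carries `startIndex` and `count` and the ListResponse carries `totalResults`, `startIndex`, `itemsPerPage` and `Resources`. The user directory and the page-serving function are constructed stand-ins for a real `/scim/Users` call, so the example runs offline; the buggy single-page reader is shown beside the correct iteration.

```python
"""Correct paging through a SCIM ListResponse (added example)."""

LIST_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed fake directory: seven users, so any page size below seven
# forces the client to fetch more than one page.
FAKE_USERS = [{"id": f"user-{i}", "userName": f"user{i}"} for i in range(1, 8)]


def fake_scim_list(start_index=1, count=3):
    """Stand-in for GET /scim/Users?startIndex=...&count=... (RFC 7644 3.4.2.4).

    SCIM indexes are 1-based; a server may also return fewer items than
    requested, which is why the client below advances by itemsPerPage.
    """
    page = FAKE_USERS[start_index - 1:start_index - 1 + count]
    return {
        "schemas": [LIST_RESPONSE_SCHEMA],
        "totalResults": len(FAKE_USERS),
        "startIndex": start_index,
        "itemsPerPage": len(page),
        "Resources": page,
    }


def first_page_only(list_page, page_size=3):
    """The failure mode from the minutes: read one page, assume it is everything.

    A sync job built this way silently stops seeing users beyond the first
    page, so newly registered members never reach the downstream service.
    """
    return list_page(start_index=1, count=page_size)["Resources"]


def fetch_all_users(list_page, page_size=3):
    """Iterate pages until totalResults is covered.

    Advances by the number of items actually returned, not by the requested
    count, and stops on an empty page so a misbehaving server cannot cause
    an endless loop.
    """
    users = []
    start = 1
    while True:
        resp = list_page(start_index=start, count=page_size)
        resources = resp.get("Resources", [])
        users.extend(resources)
        total = resp.get("totalResults", 0)
        if not resources or start + len(resources) > total:
            break
        start += len(resources)
    return users


if __name__ == "__main__":
    print(len(first_page_only(fake_scim_list)), "users seen by the buggy client")
    print(len(fetch_all_users(fake_scim_list)), "users seen by the paging client")
```

Note that the correct client does not trust the requested `count`: servers commonly cap the page size, and a client that adds `count` rather than `itemsPerPage` to `startIndex` skips records exactly when the cap is hit.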


  • Token renewal workflows
    • a requirements document would be desirable
    • we then can see which tools can cover which use cases
    • examples include SAM ETF and VOboxes
    • these matters are expected to be discussed during the hackathon next week



  • Maarten to update the token transition document, resolving comments etc.

