User life cycle

Entering VO

There are two options for entering the VO in the Perun system.

Users can be invited to one of the Virtual Organizations (VO) by receiving an invitation to the application. The second option is automatic synchronization from an external source (e.g. a university database). As soon as the user is enrolled in a VO, he becomes a member, and his life cycle begins.

1) The user becomes a member by entering the VO. His initial state in the VO is INCOMPLETE because his attributes have to be checked first.

2) If attributes are set correctly, the user's membership will automatically change to ACTIVE.

3) The ACTIVE member has access to the services.

4) The VO may have different rules based on which the user can be switched to the INACTIVE state. One of the possibilities is expiration; another option is manual deactivation, etc.

5) The INACTIVE member can be provisioned to the service, and the service itself decides on how to treat him.

6) The INACTIVE member may become ACTIVE again according to the rules of the VO. One of the options is to apply for an extension of the membership.

7) The ARCHIVED state describes the situation in which the VO wants to deny the member access to its services (manually or automatically) but also wants to keep the information that he used to be a member. The system treats the member as if he were not in the VO at all.

8) The ACTIVE state could be restored according to the rules of the VO (e.g. by the administrator, user’s application for an extension of the membership, etc.).

9) If the member is ARCHIVED for too long, there could be a reason to remove him completely. This can be done (immediately or after a specified time) automatically, manually or not at all; this is determined by the VO settings. After such a step, his membership ends, and he has no more connections to the VO.

10) If the user wants to become a member of the VO again, he/she must start from the beginning and apply for a new membership, which has nothing to do with the old one.
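The life cycle in steps 1 to 10, written as a transition table and used to audit a recorded membership history. This is an added example, not Perun code: the transition set is read from the steps above (step 7 names no source state for ARCHIVED, so ACTIVE and INACTIVE are assumed), and the `REMOVED` marker, `audit_history` and the sample histories are constructed for illustration.

```python
from enum import Enum


class VoState(Enum):
    INCOMPLETE = "INCOMPLETE"
    ACTIVE = "ACTIVE"
    INACTIVE = "INACTIVE"
    ARCHIVED = "ARCHIVED"
    REMOVED = "REMOVED"  # hypothetical marker for "membership ended" (steps 9-10)


S = VoState
# Allowed moves keyed by current state; None means "not a member yet".
# Assumption: ARCHIVED can be entered from ACTIVE and from INACTIVE.
ALLOWED = {
    None: {S.INCOMPLETE},                           # step 1
    S.INCOMPLETE: {S.ACTIVE},                       # step 2
    S.ACTIVE: {S.INACTIVE, S.ARCHIVED},             # steps 4 and 7
    S.INACTIVE: {S.ACTIVE, S.ARCHIVED, S.REMOVED},  # steps 6 and 7, or removal
    S.ARCHIVED: {S.ACTIVE, S.REMOVED},              # steps 8 and 9
    S.REMOVED: {S.INCOMPLETE},                      # step 10: a new membership
}


def audit_history(history):
    """Return (index, from_state, to_state) for every move the life cycle does not allow."""
    violations = []
    current = None
    for i, new in enumerate(history):
        if new not in ALLOWED[current]:
            violations.append((i, current, new))
        current = new  # follow the recorded state so later moves are still checked
    return violations


# Constructed sample histories (not real Perun audit data).
NORMAL = [S.INCOMPLETE, S.ACTIVE, S.INACTIVE, S.ACTIVE,
          S.ARCHIVED, S.REMOVED, S.INCOMPLETE]
SKIPPED_CHECK = [S.ACTIVE]  # became ACTIVE without the attribute check
REVIVED = [S.INCOMPLETE, S.ACTIVE, S.INACTIVE, S.REMOVED, S.ACTIVE]  # old membership reused

if __name__ == "__main__":
    for name, hist in [("normal", NORMAL), ("skipped", SKIPPED_CHECK), ("revived", REVIVED)]:
        print(name, audit_history(hist))
```
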

States of membership

INCOMPLETE

When the user starts his membership in the VO, his attributes need to be checked before they are sent to the services. His first state in the VO is called INCOMPLETE. This state should last only a few seconds, after which he is set as an ACTIVE member. Only if the attributes are set incorrectly or can't be filled in automatically does the member remain in the INCOMPLETE state until the administrator intervenes manually. In this state, the member doesn't have access to any service, and he is not an active member of the VO yet.

ACTIVE

The ACTIVE state is the major and the most significant state which a member enters after all his attributes are correctly set or by the reactivation of his membership (automatically or manually by the VO administrator). The member has full access to all provided services. The VO settings specify the length of an active period.

INACTIVE

At the end of the member's active period in the VO, he is switched to the INACTIVE state. In this state, he is still part of the VO, but his rights are limited. Each service determines for itself how to deal with inactive members (e.g. disabling the account or granting read-only access). Usually, this is just a temporary state, and after some period (defined by the VO settings) the member will be set as ARCHIVED or removed unless he requests membership renewal.

ARCHIVED

Members who are not interested in renewing their membership are switched to the ARCHIVED status. From the services' point of view, the member does not exist in the VO anymore. The member still exists in the VO and can request the renewal of his membership, but his attributes are no longer checked. The last part of the life cycle can be the removal of all the member's data in the VO context. If he/she is interested in becoming a member again, he/she must apply for membership again, and his life cycle will start from the INCOMPLETE state. The main reason for the archived status is to preserve information about the historic connection between a user and a VO and to make reactivation easier.

SUSPENDED MEMBER

When the user's behaviour is somehow problematic, he can be marked as suspended. This information says that some security incident has occurred and that there is a potential risk in letting the user access the services. Despite that, it is up to the service whether to block this user or not. SUSPENDED is not a life-cycle state; it is an additional flag of a member, independent of the life-cycle states.

 

Life cycle in groups and subgroups

Every VO has several groups where the membership is also processed. Every member of a VO has one state in the VO and another one in each VO group where he also has a membership. We distinguish only two member states in any group: ACTIVE and INACTIVE.

There is just one exception. Every VO has a group called ‘members’. This group is a system group, and the VO can’t exist without it (it can’t be renamed, moved, or removed). The member’s state is always ACTIVE in this group and can’t be changed. In other words, it means that the member is still part of the VO, and it is up to his VO state to define how he will be processed.

ACTIVE

At the moment the member starts a membership in any group, his initial state is ACTIVE. The ACTIVE state in the group means he should have full access to the services provided for this group unless his VO state says differently (see EFFECTIVE STATE IN THE GROUP).

INACTIVE

When the member's membership in the group comes to an end, his group state is changed to INACTIVE. This change can be made manually or automatically (for example, by the expiration mechanism in the group). Being in the INACTIVE state in the group means he has limited access to any services provided for this group. These limits are up to the service itself. In this situation, he can ask for renewal of his membership and become ACTIVE in the group again, or stay in this state for some time (defined by the group settings) and then be removed manually or by automatic processes. The member’s VO state will limit access to the services in the VO (see EFFECTIVE STATE IN THE GROUP).

Effective state in the group

Two states have an impact on a member’s access to the services via groups. The first and most important is the state in the VO, and the second is the state in the group. We call the resulting state the “effective state” of a group membership. These are the possible situations:

 

State in the VO    State in the GROUP    EFFECTIVE state
INCOMPLETE         ACTIVE|INACTIVE       INACTIVE (not provisioned to services)
ACTIVE             ACTIVE                ACTIVE (provisioned to services)
ACTIVE             INACTIVE              INACTIVE (provisioned to services)
INACTIVE           ACTIVE|INACTIVE       INACTIVE (provisioned to services)
ARCHIVED           ACTIVE|INACTIVE       INACTIVE (not provisioned to services)
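The table above reduces to two rules, shown here together with a service-side check of the SUSPENDED flag, which the effective state does not reflect. This is an added example, not Perun code: the `Member` class, the function names, the `storage` group, the access levels returned by `service_access` and the sample members are assumptions made for illustration.

```python
from dataclasses import dataclass, field

SYSTEM_GROUP = "members"                        # group state here is always ACTIVE
PROVISIONED_VO_STATES = {"ACTIVE", "INACTIVE"}  # INCOMPLETE/ARCHIVED: not provisioned


@dataclass
class Member:
    login: str
    vo_state: str                                     # INCOMPLETE | ACTIVE | INACTIVE | ARCHIVED
    group_states: dict = field(default_factory=dict)  # group name -> ACTIVE | INACTIVE
    suspended: bool = False                           # flag, independent of life-cycle states


def effective_state(member, group):
    """Return (effective state, provisioned?) or None if the member is not in the group."""
    if group == SYSTEM_GROUP:
        group_state = "ACTIVE"
    elif group in member.group_states:
        group_state = member.group_states[group]
    else:
        return None
    both_active = member.vo_state == "ACTIVE" and group_state == "ACTIVE"
    return ("ACTIVE" if both_active else "INACTIVE",
            member.vo_state in PROVISIONED_VO_STATES)


def service_access(member, group):
    """Hypothetical policy of one service; each real service chooses its own."""
    result = effective_state(member, group)
    if result is None or not result[1]:
        return "none"        # the member is never provisioned to the service
    if member.suspended:
        return "blocked"     # must be checked separately from the effective state
    return "read-write" if result[0] == "ACTIVE" else "read-only"


# Constructed sample members (not real Perun data).
MEMBERS = [
    Member("alice", "ACTIVE", {"storage": "ACTIVE"}),
    Member("bob", "ACTIVE", {"storage": "INACTIVE"}),
    Member("carol", "INACTIVE", {"storage": "ACTIVE"}),
    Member("dave", "ARCHIVED", {"storage": "ACTIVE"}),
    Member("erin", "ACTIVE", {"storage": "ACTIVE"}, suspended=True),
    Member("frank", "INCOMPLETE"),
]

if __name__ == "__main__":
    for m in MEMBERS:
        print(m.login, effective_state(m, "storage"), service_access(m, "storage"))
```
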