Group manager is a person or group of people allowed to manipulate with group data. Group manager is responsible for the following tasks:
All VO members can be inserted into groups. Every group gets access rights to resources in its VO. Groups can be nested like a tree and the access rights are inherited in the same way. A number of groups and subgroups is not limited. VO member can get rights to administer the group. The group name must be unique in the VO. Groups can be managed via CLI or GUI.
Please do not forget that particular VO must be selected before manipulation with the group. Group administration via GUI is done by clicking on Groups in the left menu. The list of groups included in VO will appear. Button Create creates a new group, button Remove removes selected groups (but only if you are also VO manager).
By clicking the group name in the list of groups, detailed information about the group and list of parent group appears. Subgroups will be shown by clicking Subgroups button, the subgroup will be created by Create and removed by Remove .
Creating a group manager from VO member
Members of VO can get the right to manage the group in VO and become group manager. A group manager can add or remove group members, create subgroups and assign them as managers. The manager doesn't have to be a member of VO. A number of managers is not limited.
Administration of managers can be also done by clicking button Managers in the left menu in GUI. The new manager will be added by Add button and removed by Remove button.
Adding VO members into the group
Both, VO manager and Group manager can add new members in a group. A member who wants to be added in the group must be also a member of VO containing the group. One member VO can be a member of more than one group; therefore has access to all resources available in all groups.
Because of a hierarchy of groups in the system, the user must be a member of the parental group before he will be added in the subgroup. Oppositely, Group manager must be a member of parental VO, but he might be a member of the group.
Step by step tutorials
Managing an application form
- Tutorial to create basic application form in VO/group
- Tutorial to approve application form in VO/group
Creating rules to account extensions
If it is necessary to set attribute membershipExpirationRules for the group, the attribute can be added in Settings in the group. Its items can be:
doNotAllowLoa - list of LoAs separated by a comma, which won't be allowed in the group (users can't become members).
period - the time period to extend membership. It can be set as a fixed date (without year), e.g. 1. 2. or as a number of days/months/years with prefix "+"
that defines the time period that extends membership. Units are d = day, m = month, y = year, e.g. +128d extends account to 128 days. +6m, +1y.
doNotExtendLoa - list of LoAs separated by a comma, that are not extensible.
gracePeriod - when a present date of initial application or extending request equal extension date minus gracePeriod then user account is extended to the next time period
(period date in next year). Value is in format number of days/months/years. Units are d = day, m = month, y = year, e.g. 128d, 6m, 1y
periodLoa - an exception in period for given LoA. Format of value is: LoA|period[.]. LoA is given Loa number and period is in the same format as a period.
The optional dot at the end means whether extend an account to the user with filled membershipExpiration or not. If a dot is present, the user with filled membershipExpiration is not allowed to extend an account.