Perun vocabulary

Perun system

It is an access and management system for services.

Perun ecosystem

It includes the Perun system itself, as well as other components and services needed for the access management system (for example, LDAP, Proxy...).


He represents a physical person in Perun.

Virtual Organization (VO)

A Virtual Organization associates a group or groups of users who want to be self-managed by their administrator or need to apply certain specifics in their administration. For example, a VO may have different requirements for verifying user identity or may have specific access to certain resources, etc. Specifics are defined in the policy given by the VO.

VO manager

A VO manager is a person or group of people allowed to manipulate VO data. The first manager of a particular VO must be created by a Perun admin. A VO manager can use both the CLI and the web GUI to operate system entities.

Member of VO

One user can be a member of several VOs. When we work with the user within a specific VO, we are working with a VO member.

Service member

The service member is an account that is not based on a physical person's identity but is created in the system, and one or more users can be assigned to operate it. Apart from this, it works as a normal user with all of a user's rights.

Every service member account carries a record of:

  • the fact that it is for service purposes
  • who is allowed to manipulate it (change the password, change the e-mail)

For example:
Regular backups of a system must be made, but it is unsafe to store backups in personal accounts. Moreover, when several people are responsible for backups, the backups would be spread across several personal accounts. A service member solves this because all backups are stored in its storage space and all responsible people have access to it.

For example:
If an application (Hudson in our case) needs access to the system via username and password, it is unsafe to provide somebody's personal account, so it is advisable to provide a service member account instead.

Tutorial to create a service member.

Application form

The application form serves as a gate to a particular VO or group. It is a form created for users by the administrator of the VO or group. After the application form is filled in and approved, the user becomes a member of the particular VO/group. The approval process can be automatic or manual (approved by the manager). The new user must be verified by an IdP or by the information system of the organization.


Group users within a single VO. Group members are a subset of members of a VO. Groups are used to control access. The Group is granted access to resources.

Authoritative groups

An example of such an authoritative group is the members group, which is the group automatically created when a Virtual Organization is created. A common group in the VO can also be set as an authoritative group. Membership in such a group corresponds to membership in the VO, so if the user in this group is disabled, he is disabled in the VO itself.

Group manager

A group manager is a person or group of people allowed to manipulate group data. The first manager of a particular VO must create the group and give "group manager" rights to a particular person. A group manager can use both the CLI and the web GUI to operate system entities.

Member of group

One user can be a member of several groups. When we work with the user within a specific group, we are working with a group member.


The facility is an entity (PC, software, storage) existing in the real world, for which access needs to be managed by Perun. To provide access to a facility, a resource must be created that provides the facility to a Virtual Organization.

A facility meets the following conditions:

  • Its pieces use the same technology and share configuration (e.g. they are NFSv4 volumes, they need an account on the local machines, etc.; Perun pushes its data coherently).
  • It has single management (one manager responsible for all pieces can be identified, e.g. data storage elements owned by CESNET).

On the other hand, a "service provided to user", e.g. NFSv4 volumes exported from one physical storage to another, should be considered one facility, not several. Attributes are connected with facilities.


The owner of the Facility can offer to the VO his Facility to use. This is done in Perun by creating a Resource specifying how the VO can use the Facility. In other words, we can see the Resource as the link between Facility and VO.

Resource tags

Tags can be assigned to resources to mark special properties of the resources. (For example, the tag computational node means that the resource is used by users to compute their tasks, and the tag service machine marks the resource as a machine for internal operations at the VO, etc.)

(Perun) Service

The Perun service is an entity in Perun that allows a corresponding service or system in the real world to be configured. When the relevant data in Perun changes, the Service is propagated. This means that the essential settings and constraints from Perun are transferred to the real-world entity that you need to configure. This can be, for example, transferring configuration files to a particular machine or sending a list of users to an administrator's e-mail. This ensures that what is set in Perun is projected into the real world.


Represents a relation between service and the target address for propagation.


It's a part of the file structure where quotas are set.


Entities in Perun (e.g. facility, resource, service) and relations (member-resource, user-facility) can contain more information in the form of attributes. Attributes serve as supporting information for the services.

The facility manager defines a list of available shells in the cluster as an attribute. The VO manager can select a shell from this list for his members. This list is saved as an attribute at the resource. Every single member can have a preferred shell that is saved as an attribute in the relation user-facility.

Attributes can store anything that needs to be propagated to the device. They can also be set by the user. Attributes are of type string, int, or array of string.


Hosts serve as a record of where the facility is placed. They are only a record; the destination of services is taken from Destinations.


Many services create configuration files and propagate them to some target. This target can be a device, some special device, an e-mail address, or a URL where the output of the service is placed.

External sources

(External identity resources - Ext_sources)
An external identity resource is assigned to each user. This resource can be an identity provider, an LDAP, an organization's SQL database, the output of an information system, etc., and the primary user identity is taken from it.
External identity resources serve as proof that the user is part of a real organization and can therefore access the resources and services.
External resources can serve as a condition for becoming a member of a Virtual Organization or of a group in the VO. Information from the external resource can be used to automatically export the user into a VO.
LoA (level of assurance) is a term connected with external resources, especially those of federations. LoA should be the same for all external identity providers; see Level of assurance:

Level of assurance (LoA)

  • Level 1: The e-mail address is verified.
  • Level 2: Identity and institution are verified.
  • Level 3: Level 1+ strict requirements to password quality and its use.

Facility owner

This is an e-mail contact for the person responsible for the machine (Facility).
A facility owner can be administrative or technical.
The administrative owner is usually a contact at the company owning the machine.
The technical owner is a contact person who is able to solve a problem with the machine if necessary.