User life cycle

First steps

If a user wants to become a member of the Perun system, he/she must be invited to one of the Virtual Organizations (VO) using an application. The user fills in the application, sends it and waits for further information. The VO manager evaluates whether the application is filled in correctly and whether the user meets the conditions for membership in his VO. The VO manager may accept or reject the application. If the application is rejected, the user is notified of this. If the application is approved, the user is subsequently notified that he/she has become a member of the VO and can use its resources (for example access to the service).

Life cycle in VO

As soon as the user is registered in the VO, his/her life cycle begins. This cycle consists of the membership statuses in the VO. The manager can switch between states manually. Some transitions between states can also be set to happen automatically, according to the manager's settings.

How do I get into the INVALID state?
Once the application is approved, the member status is INVALID. This is the initial state that every new VO member will go through.

Status feature
The user stays in this state only for a short time before the attributes are checked. In the case of incorrectly set attributes, the status remains invalid (this is a unique situation). If the user's initial status "invalid" remains, the attributes must be checked. Once the attributes have been set correctly, the user can be switched to the "valid" state, which must be done manually by the manager. An example of such an attribute may be a login for a particular namespace that the service may require. If the user doesn't own this attribute, he/she must create it.

How do I get into the VALID state?
After the user goes through the INVALID status, his/her attributes are checked. If the attributes are correct, the user enters the VALID (active) state automatically.


Status feature
In this state, the user is an active VO member and can access the services.

How do I get into the EXPIRED state?
If the VO has set membership expiration for a limited time, the user must periodically request a renewal of the membership. Otherwise, the user is automatically switched to the EXPIRED (inactive) state after the expiration date.

Status feature
In this state, the user can use only some selected services, but his/her attributes are still checked constantly.

How do I get into the DISABLED state?
Not every expired user is interested in renewing membership after some time. Such users can enter a terminal state called DISABLED, either automatically or manually.

Status feature
The user still exists in the VO, but he/she can't access any VO-related services. Attributes are no longer checked. The user in this state may request a renewal of the membership through the application, and the user will switch to a valid status upon approval of his/her application by the VO manager. If the user is synchronized from an external source, then the user's status may be switched to a valid state after this user's synchronization resumes. The last part of the life cycle is the deletion of all user data in the VO context. The user and his/her data don't exist in the VO anymore.

Information status
Alongside these states, there is a SUSPENDED (BAN) information status. It indicates that a security incident concerning the user has occurred, and it is up to the service itself to block this user or not.

Example of the life cycle in VO

The process of a user's life in VO can look something like this:

The user must first apply for membership in the VO.
If his membership application is approved, the user receives the initial status INVALID.

1) The user submits an application to the VO and, after it has been approved, joins the VO as a member. His/her initial state in the VO is the INVALID state.
2) After the attributes are set correctly and checked, the user's status changes to VALID.
3) In this state, he/she is an active VO member and has access to services.
4) If the VO has an expiration date set and the user doesn't extend the membership, the user's status switches to EXPIRED after the expiry date.
5) In this state, the user's data is still being sent to the service, but the service administrator must decide whether to give the user access to his/her service in that state.
6) However, an expired user may apply for an extension of membership and become valid for access to the service.
7) If the user isn't interested in renewing membership, he/she may be manually or automatically (after some time) switched to DISABLED. This is the terminal status of the user within the VO membership.
8) In this state, the system treats the user as if he/she weren't in the VO. If the user re-submits the application to the VO, VALID status is restored.
9) In this state, all user data regarding his membership in the VO is removed.
10) However, if he/she is interested in becoming a member again, he/she must apply for membership again, and his/her life cycle in the VO will start again from the INVALID state.
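
An added example, not part of the Perun documentation or code base: the walk-through above modelled as a transition table in Python, with a replay function that reports events the walk-through does not allow (for instance a manual switch outside this path, which would then need review) and a service-side access check. The event names, function names and the two policy flags are assumptions made for the illustration, and denying access in the INVALID state is also an assumption, since the page does not state it.

```python
from enum import Enum

class Status(Enum):
    INVALID = "INVALID"
    VALID = "VALID"
    EXPIRED = "EXPIRED"
    DISABLED = "DISABLED"

NOT_MEMBER = None  # before the first application and after data deletion

# (current status, event) -> next status, following steps 1-10 above.
# The event names are invented for this example.
TRANSITIONS = {
    (NOT_MEMBER, "application_approved"): Status.INVALID,
    (Status.INVALID, "attributes_checked"): Status.VALID,
    (Status.VALID, "expiration_passed"): Status.EXPIRED,
    (Status.EXPIRED, "extension_approved"): Status.VALID,
    (Status.EXPIRED, "disabled"): Status.DISABLED,
    (Status.DISABLED, "application_approved"): Status.VALID,
    (Status.DISABLED, "data_deleted"): NOT_MEMBER,
}

def replay(events):
    """Replay a member's event history; return (final status, violations)."""
    status, violations = NOT_MEMBER, []
    for index, event in enumerate(events):
        if (status, event) in TRANSITIONS:
            status = TRANSITIONS[(status, event)]
        else:
            # Not part of the walk-through: keep the status, report for review.
            name = status.value if status else "NOT_MEMBER"
            violations.append((index, name, event))
    return status, violations

def service_grants_access(status, suspended=False,
                          accept_expired=False, block_suspended=True):
    """Service-side decision; the two policy flags belong to the service."""
    if suspended and block_suspended:
        return False  # SUSPENDED is informational; this service honours it
    if status is Status.VALID:
        return True
    if status is Status.EXPIRED:
        return accept_expired  # the service administrator decides
    return False  # DISABLED or not a member; INVALID denied by assumption

# Constructed sample history: the last event tries to delete a VALID member.
SAMPLE = ["application_approved", "attributes_checked", "expiration_passed",
          "disabled", "application_approved", "data_deleted"]
```

Replaying `SAMPLE` leaves the member VALID and reports the final `data_deleted` event, because the walk-through only allows deletion from the DISABLED state.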

Life cycle in groups and subgroups

Membership in the VO alone is insufficient for good management of users and their access to services. For this reason, users are sorted into groups and possibly subgroups. Groups are tied to the services that users need to use. In groups and subgroups, users also go through different states, namely: VALID (ACTIVE), EXPIRED (INACTIVE). The manager can switch states manually, or states can be switched automatically according to the manager's settings.

How do I get into the VALID state?
After the user goes through the INVALID status in the VO, where attributes are checked, he/she may get into a group. In a group, VALID is the initial state. Valid membership follows upon approval of the group membership request by the manager.

Status feature
In this state, the user is a valid group member and can access the services.

How do I get into the EXPIRED state?
If the group has set membership expiration for a limited time, the user must periodically request a renewal of the membership. Otherwise, the user is automatically switched to the EXPIRED (inactive) state after the expiration date.

Status feature
In this state, the user can use only some selected services (within the membership in a particular group), but his/her attributes are still checked constantly.

Group "members"
In each VO there is a special group called members. All VO members are automatically collected in this group. The VO membership setting is reflected in the setting of the "members" group. Expiration in the VO means expiration in the "members" group and vice versa. The "members" group behaves similarly to authoritative groups.

The manager can set any other group as authoritative, which means that if a user's membership in that group is in the disabled state, the membership is also disabled in the VO.
This process takes place in two cases:
- Manual intervention by the manager
- Automatic synchronization