...
- If a user registered via INFN-AAI, the proposed user name is something like user@infn.it. If the username is somehow weird (e.g. 71771ba4-5781-4cda-beff-040f0edb0288@infn.it) this is because the user has not (yet) a username in GODIVA (because he didn't ask yet an account on a INFN site).
- You can check if a user registered via the Unipd Idp (Unipd SSO) if the proposed user name is something like user@unipd.it or user@studenti.unipd.it.
TBC
Is this a spam ? Or could the user register using an IdP ?
If the user didn't try the registration using an IdP. In this case , you should try to figure out if the user really can't register through a supported IDP.
...
.
...
Other hints:
- You can use this link to see if a user willing to register is known to INFN Padova (and also to know the expiration of his contract)
In general you might need to interact with the user (via e-mail) to understand why she didn't/she couldn't register using an IdP (and also to understand if the request is "valid" and is not a spam)
Reject request [4]
Select the relevant request and click on Action → Reject.
In the message field you might need to motivate the decision (e.g. if the request is coming from a user that could use an IdP, asks him/her to re-register, but using INFN-AAI / Unipd SSO)
If the request is rejected because this is a request for an INFN project and the user is not compliant with the INFN policies, please tell the user to follow the procedure described at: http://userguide.cloudveneto.it/en/latest/Registration.html#prerequisites-for-using-infn-resources
Please also discuss with the user, via e-mail, about the problem
Is this request for a project using INFN resources ? [5]
A project used INFN resources if:
- it is an INFN project and/or
- it uses a 10.64.x.0/24 network
To check if this is a INFN project, log as admin in the Dashboard and click on Admin → Identity panel → Projects.
The project is a INFN project if it has the "O=infn.it" tag
Is the user compliant with
...
INFN
...
IT rules ?
To be compliant with the INFN policies the user must be registered in INFN-AAI and:
- he/she must have a verified digital identity (LoA2)
- he/she must declare to have read and accepted the INFN rules for the use of IT resources
- he/she must have followed the "Corso di Sicurezza Informatica - BASE"
To check if a user is complaint with these rules you can use the script /usr/local/bin/check_compliance_to_infn_rules.sh on cld-ctrl-01.
The script check the common name and, if not found, the email address. You can use a regular expression in the query.
Some examples that show how to use this script:
...
If the account can be created, but but the script reports " ricordare all'utente che deve fare il corso entro 30 giorni dalla data di registrazione (altrimenti l'account sara' sospeso)" the . once you create the account write an e-mail to the user The text of the e-mail can be something like:
We received your request for registration for CloudVeneto infrastructure .
Your request was approved but since you requested the access to INFN resources, please note what is reported at:
https://userguide.cloudveneto.it/en/latest/Registration.html#prerequisites-for-using-infn-resources
In particular we noticed that you didn't follow the IT the INFN IT Security course. This must be done within 30 days after the registration.
To follow the course, please go to:
https://elearning.infn.it/course/view.php?id=105
Regards
The CloudVeneto support team
If the user is not compliant with the INFN IT rules, reject the request. Tell the user to reapply the registration process once he/she is compliant
This is the affiliation request for
If this the affiliation request for a project using INFN resources, you are told in the dashboard form that the "compliance" is required
xxx
Reject request [4]
Select the relevant request and click on Action → Reject.
In the message field you might need to motivate the decision (e.g. if the request is coming from a user that could use an IdP, asks him/her to re-register, but using INFN-AAI / Unipd SSO)
If the request is rejected because this is a request for an INFN project and the user is not compliant with the INFN policies, please tell the user to follow the procedure described at: http://userguide.cloudveneto.it/en/latest/Registration.html#prerequisites-for-using-infn-resources
Please also discuss with the user, via e-mail, about the problem
Is this request for a project using INFN resources ? [5]
A project used INFN resources if:
- it is an INFN project and/or
- it uses a 10.64.x.0/24 network
To check if this is a INFN project, log as admin in the Dashboard and click on Admin → Identity panel → Projects.
The project is a INFN project if it has the "O=infn.it" tag
Is the user compliant with the INFN policies ? [6]
Pre-check [7]
Select the relevant request and click on Action → Pre check.
...