DM-4442 - Getting issue details... STATUS

This page proposes a draft process for granting of data access rights to LSST users according to the Data Access White Paper and recent discussions: Data Access Rights and Data Access Rights and Policies and Notes on Assigning Data Rights for US Astronomers.

LSST Data Access Policy Working Group has been formed and a document drafted, LPM-261.

The goals for the process are:

  • Minimize manual steps for LSST users and staff (e.g., grant data access rights automatically based on campus attributes when possible).
  • (Something about balance between false positives and false negatives?)
  • ...

People who have data rights:

  • national "professional astronomical community" (US, Chile) (possibly France?)
    • when US community members submit a proposal to the Observatory Resource Allocation Committee for Level Elevation (ORACLE), do all proposal participants need to already have data rights or can the proposal process grant data rights?
  • named individuals from international partners
  • a limited number of designated additional individuals (post-docs, grad students) per named individual

Granting data rights based on campus attributes:

Granting data rights based on LSST review:

  • For example, if user's home campus doesn't have an InCommon (Shibboleth) identity provider
  • User clicks "apply for data access rights" button
  • LSST review:
    • automated based on (verified) email address?
      • .edu TLD is "U.S.-accredited educational institutions" with some grandfathered exceptions
      • .cl TLD open to anyone
    • check campus directory info

Granting data rights based on named individuals:

  • matching email addresses
    • email attribute from campus identity provider or verified by LSST sign-up process
  • email-based invitation process
    • invite "named individuals" to create LSST account if they haven't already or add data rights to existing account

Granting data rights to designated additional individuals:

  • anyone with data rights can add others? or only "named individuals"?
  • email-based invitation process
  • "people picker" - find individuals to grant data rights to
  • limited number: who will control this policy

Maintaining data rights:

  • Periodic (annual) re-validation of "designated additional individuals"
  • de-provisioning of data rights?
    • "Once a scientist has data access, they don't lose it even if they change institutional affiliations."
    • faculty change of institution: leaving USA
    • what happens when student graduates?
  • No labels


  1. In the context of this page, I think we should regard "granting data rights" as referring only to the fundamental notion of granting access to the Level 1 and Level 2 data products, and it's this authority that's limited to "named individuals".

    I assume that any person with "fundamental LSST data rights" in this sense can then grant access to anyone else with "fundamental LSST data rights" to Level 3 data products over which that person has "administrative control".

    1. A provocative question: should the system be able to recognize the existence of, and authenticate, individuals who do not have "fundamental LSST data rights"?  Are there circumstances in which users who do have such rights could grant access to Level 3 data products to people who do not have the underlying data rights?  Grant access to the world?

      Example: scientist with full LSST data rights performs a search for variable stars of an unusual type in the LSST data and publishes a paper describing 1000 such objects and their statistics.  As a electronic appendix to the paper, the author publishes a database of information about each of those objects – some of it directly from the Level 2 object catalog (e.g., ra and dec) and some derived from her own subsequent analysis -- enabling followup measurements by others.  I think we would all agree that that would be a fairly normal thing to do in scientific publication.  Could this scientist then create that table of data as a Level 3 data product and grant world access?

      What if she has collaborators without LSST data rights but with access to valuable spectroscopic followup resources?  Surely she can email those collaborators a list of coordinates at which to observe.  Can she grant these collaborators access to her Level 3 table, even before publication?

      The main questions here are policy questions, not authentication-system questions, but if we think that any of these scenarios may be acceptable, I think we have to consider the possibility of having users known to the system and able to log in but without access to the Level 1 and Level 2 data (i.e., without "fundamental LSST data rights").  If we do allow this, most likely such users would also be treated differently with regard to consumable resources such as storage and CPU time - probably not having any, and thus really only read-only query access to a limited set of Level 3 data.

    2. Another similar case: we distribute alerts (as VOEvents, essentially) to the world.  Is the database of all alerts that have been issued available to the world?  Or is that a value-added benefit of LSST data rights? If the former, then again there is a need to recognize users without data rights.  (Since all data access is required to be authenticated.)  In this case I suspect the policy may turn out to be that there is no world access to the alert database - if a non-LSST-data-rights individual or institution wants to, they can subscribe to all alerts and create and make available their own such database.  This, if for no other reason, because the alerts database will be large and queries against it could take up substantial project resources.