...
LSST can enforce data access rights through group membership. Furthermore, LSST intends to enforce User-Generated data access rights through group membership. Since we intend to use LSST group membership to determine data access rights and access to other LSST resources and services, a group naming convention must be established. Groups must adhere to the following format:
lsst_<data-level>_[<identifier>|<UG>_<identifier>]
...
<data-level> → this optional prefix maps to the information classification policy as defined in LPM-122. This identifier cannot be an arbitrary string and must use one of the designated names as set forth in LPM-122. If this prefix is absent then “shareable” is assumed unless a convention supersedes this (see the examples below).
<data-release> → this optional prefix is used to narrow data access rights by specific Data Release. This prefix cannot be specified if <data-level> is not specified. If this prefix is not specified then it is assumed the members of the group have access to all data as specified in the <data-level> prefix, regardless of which Data Release is being accessed. <data-release> must be in the format of “DR#”, where “#” is a positive integer.
<identifier> → this optional prefix is an arbitrary field that can be used to designate the context in which the group grants resource access or data access rights. It can also be used to designate a group whose members are denied access to a specific service, resource or Data Release. For example, “comcluster” might be used to designate those with access to the commissioning cluster, while “notebookBL” might be used to designate those denied access to the notebook Aspect in the science platform. In terms of LSST’s security policy this prefix shouldn’t be used if a general case is sufficient for access.
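The naming rules above (the optional <data-level>, the “DR#” <data-release> that is only allowed after a <data-level>, the UG marker, and the “shareable” default) are easy to get wrong when a service has to decide access from a group list. This added example, not part of the original document or the LSST project, parses a group name into its fields, rejects names that break the rules, and answers an access question; the DATA_LEVELS set is a constructed placeholder because the designated LPM-122 names are not reproduced on this page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder: LPM-122 designates the allowed <data-level> names and
# that list is not reproduced on this page. Replace with the real LPM-122 names.
DATA_LEVELS = {"shareable", "int", "adm"}
DEFAULT_LEVEL = "shareable"               # assumed when the prefix is absent
_DR = re.compile(r"^DR([1-9][0-9]*)$")    # <data-release> is DR#, # a positive integer

@dataclass(frozen=True)
class GroupName:
    data_level: str
    data_release: Optional[int]   # None means every Data Release at this level
    user_generated: bool          # the UG_ marker was present
    identifier: Optional[str]     # arbitrary context, may itself contain '_'

def parse_group(name: str) -> GroupName:
    """Parse lsst_[<data-level>_][<data-release>_][<identifier>|UG_<identifier>]."""
    parts = name.split("_")
    if parts[0] != "lsst" or len(parts) < 2 or "" in parts:
        raise ValueError(f"{name!r}: must start with 'lsst_' and have no empty fields")
    parts, level, release = parts[1:], None, None
    if parts[0] in DATA_LEVELS:
        level = parts.pop(0)
    if parts and _DR.match(parts[0]):
        if level is None:           # DR# is only allowed after a <data-level>
            raise ValueError(f"{name!r}: <data-release> requires <data-level>")
        release = int(_DR.match(parts.pop(0)).group(1))
    ug = bool(parts) and parts[0] == "UG"
    if ug:
        parts.pop(0)
        if not parts:
            raise ValueError(f"{name!r}: UG must be followed by an <identifier>")
    identifier = "_".join(parts) or None
    if level is None and identifier is None:
        raise ValueError(f"{name!r}: nothing follows the 'lsst_' prefix")
    return GroupName(level or DEFAULT_LEVEL, release, ug, identifier)

def is_valid(name: str) -> bool:
    try:
        parse_group(name)
        return True
    except ValueError:
        return False

def grants_access(groups, data_level: str, data_release: int) -> bool:
    """True if any group grants access to this <data-level> in this Data Release."""
    return any(g.data_level == data_level and g.data_release in (None, data_release)
               for g in map(parse_group, groups))
```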
...
| Old Group Name | Proposed New Name | Description |
|---|---|---|
| lsst_alertprod | lsst_int_dm_ap | LSST Alert Production team within DM (University of Washington) |
| lsst_aws_admin | lsst_int_aws_proj | Group for access to the AWS portal for LSST project usage. |
| lsst_aws_users | lsst_int_aws | LSST users of Illinois AWS services through NCSA IDP |
| lsst_cam_ccs_adm | lsst_adm_cam_ccs | LSST Camera Control Systems admins |
| lsst_daqadm | lsst_adm_cam_daq | LSST administrative developers for the DAQ Teststand |
| lsst_daq | lsst_int_cam_daq | Users of LSST DAQ system |
| lsst_data | lsst_int_dm_data | LSST Data Access and Database team within DM (SLAC) |
| lsst_datarelease | lsst_int_dm_release | LSST Data Release Production team within DM (Princeton) |
| lsst_disabled | lsst_disabled | LSST disabled users. When users need to be disabled quickly, they can be added to this group. This can be used for security issues and/or for users no longer part of the project. |
| lsst_epo | lsst_int_epo | LSST Education & Public Outreach team (external to DM) |
| lsst_hwadmin | lsst_adm_vendor | LSST hardware administrators, e.g. support vendors |
| lsst_imsim | lsst_int_dm_imsim | Legacy LSST Image Simulation Group |
| lsst_infrastruct | lsst_int_dm_infr | LSST Infrastructure (NCSA) team within DM |
| lsst_int_bastion | lsst_int_bastion | Users who have access to lsst-bastion* server(s) |
| lsst_int_dbb_ats | lsst_int_dbb_ats | ATS (Auxiliary Telescope System / Spectrograph) users of the data backbone service. |
| lsst_int_kubernetes | lsst_int_kubernetes | Users who have access to log into Kubernetes |
| lsst_jupyter | lsst_int_jupyter | Initial group of test users for Jupyter Hub |
| lsst_leads | lsst_int_leads | Leaders of LSST |
| lsst_nebula | lsst_int_nebula | Users of the general LSST project in Nebula OpenStack |
| lsst_network | lsst_int_network | LSST International Communications (aka Long Haul Networks) and Base Site (NOAO) |
| lsst_ora_dba | lsst_int_ora_dba | Group for DBAs and system admins of the LSST database enclave (for lsst-dev-ora*) |
| lsst_processing | lsst_int_process | LSST Processing Control team within DM (NCSA) |
| lsst_security | lsst_int_ncsa_security | LSST Security (NCSA) |
| lsst_sqre | lsst_int_sqre | LSST SQuaRE - Science Quality and Reliability Engineering team within DM (LSST/AURA) |
| lsst_sui | lsst_int_sui | LSST Science User Interface and Tools team within DM (IPAC) |
| lsst_sysadm | lsst_adm_ncsa | LSST System Administration at NCSA (renamed from grp_lsst_admin) |
| lsst_storage | lsst_int_ncsa_set | NCSA Storage team assigned to LSST |
| lsst_int_ncsa_irst | lsst_int_ncsa_irst | NCSA Incident Response and Security team assigned to LSST |
| lsst_networking | lsst_int_ncsa_nerd | NCSA Networking team assigned to LSST |
| lsst_sysadmin | lsst_int_ncsa_sysadmin | NCSA Systems Administration team assigned to LSST |
| lsst_its | lsst_int_ncsa_its | NCSA IT Services team assigned to LSST |
| lsst_int_ncsa_idds | lsst_int_ncsa_idds | NCSA Integrated Data and Database Services team assigned to LSST |
| lsst_tel_ocs_adm | lsst_adm_tel_ocs | LSST Observational Control System administrators |
| lsst_tel_tcs_adm | lsst_adm_tel_tcs | LSST Telescope Control System administrators |
| lsst_telescope | lsst_int_tele | LSST Telescope and Site team (external to DM) |
| lsst_users | lsst_staff | Active LSST ‘staff’ (pruned from historical lsst_users) |
| n/a | all_lsst | All LSST users (active and historical); generated dynamically from the join of all other 'lsst_*' groups |
| lsst_vsphere_mac | delete | Users of the LSST vSphere Mac VM environment |
...