...

Note: the above scheme allows for the group name "lsst", which is an alias of "lsst_users". Also, if the optional prefixes are not present, their underscores are omitted as well.

Data Levels

LSST's information classification policy, LPM-122, defines the following information categories that are used to designate the "data-level". These categories are listed in order of increasing sensitivity.

  • Shareable - Information that is not confidential and can be made public without any adverse implications. data-level tag name: share
  • Internal - Access to and use of this information is broadly accessible to project staff and others authorized by project management. data-level tag name: internal
  • Protected User - Scientific data and operational metadata reserved for authorized data consumers. data-level tag name: protu

The following information categories must not have groups created at their respective "data-level" without prior LSST project and ISO approval:

  • Sensitive - Limited access only. Access should not be granted to broad groups of people.
  • Highly Sensitive - Information associated with regulatory or contractual burdens that require specific compliance planning or controls.

Examples

Users can have a group automatically created upon account creation. This group serves as a namespace over which they have control. For example, the user jbasney would have the group lsst_jbasney. The user jbasney could then create and manage (i.e. determine the membership of) a group called lsst_jbasney_galaxyXYZ. This group could then be used to control access to user-generated data products. Note that technically the <data-level> implies "shareable" as the information classification, but if this group is used to control access to user-generated data products then the <data-level> is "protected user".

Access groups such as lsst_portal can also be created; a typical LSST user would be added to them during account creation and the data rights access workflow.

During account creation, users must go through an automated (or potentially manual) process to determine their data access rights. This process will automatically add users to preexisting groups that grant them access to L2 released data products. For example, the user jbasney has been determined to be a US Astronomer and is thus granted access to lsst_protu_dr5, where dr5 is the latest data release at the time of account creation. Subsequent data releases will necessitate the creation of new groups like this and the automatic inclusion of LSST user accounts in good standing.
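The naming convention and the account-creation workflow above are easiest to see in code. The following is an added example, not part of the LSST page or any LSST tooling: it parses group names into their components, derives the information classification implied by the name, checks which groups a user's namespace lets them manage, and lists the default groups a new account would receive. Because the page truncates the scheme itself, the grammar is an assumption: names start with "lsst", components are joined by "_", the second component is a data-level tag only if it is one of share/internal/protu, and otherwise the name is treated as a namespace or access group whose implied level is "Shareable" as the note above states. Sensitive and Highly Sensitive deliberately have no tag, since groups at those levels must not be created without approval.

```python
"""Added example (not from the LSST page): parse and classify LSST-style group
names and compute the default groups an account-creation workflow would assign.

Assumed grammar (the page truncates the actual scheme):
    lsst                      -> alias of lsst_users
    lsst_<tag>_<name>         -> data-level tagged group, tag in share/internal/protu
    lsst_<user>[_<subgroup>]  -> user namespace or access group (no tag)
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Data-level tags listed on the page, in order of increasing sensitivity.
DATA_LEVEL_TAGS = {
    "share": "Shareable",
    "internal": "Internal",
    "protu": "Protected User",
}

# Bare "lsst" is an alias of the catch-all group (stated on the page).
ALIASES = {"lsst": "lsst_users"}

# Assumed component syntax: letters and digits only, "_" reserved as separator.
_COMPONENT = re.compile(r"[A-Za-z0-9]+")


@dataclass(frozen=True)
class GroupName:
    raw: str              # name as given
    canonical: str        # alias resolved
    tag: Optional[str]    # explicit data-level tag, if present
    name: Optional[str]   # remaining components after the prefix/tag
    data_level: str       # classification implied by the name alone


def parse_group(raw: str) -> GroupName:
    """Split a group name into its components and derive the implied data level."""
    canonical = ALIASES.get(raw, raw)
    parts = canonical.split("_")
    if parts[0] != "lsst" or not all(_COMPONENT.fullmatch(p) for p in parts[1:]):
        raise ValueError(f"not a valid lsst group name: {raw!r}")
    tag = parts[1] if len(parts) > 1 and parts[1] in DATA_LEVEL_TAGS else None
    rest = parts[2:] if tag else parts[1:]
    # Without a tag the name technically implies "Shareable" (page note); the
    # actual classification depends on what the group is used to protect.
    level = DATA_LEVEL_TAGS[tag] if tag else "Shareable"
    return GroupName(raw, canonical, tag, "_".join(rest) or None, level)


def user_controls(username: str, raw: str) -> bool:
    """True if the group lies in the user's namespace: lsst_<user> or lsst_<user>_<sub>."""
    g = parse_group(raw)
    if g.tag is not None or g.name is None:
        return False
    return g.name == username or g.name.startswith(username + "_")


def groups_for_new_account(username: str, has_data_rights: bool, latest_release: str) -> List[str]:
    """Default groups assigned at account creation, following the page's examples:
    the catch-all group, the user's namespace, the lsst_portal access group, and,
    if the data-rights determination succeeded, the protu group for the latest release.
    `latest_release` (e.g. "dr5") is supplied by the caller (assumed)."""
    groups = ["lsst_users", f"lsst_{username}", "lsst_portal"]
    if has_data_rights:
        groups.append(f"lsst_protu_{latest_release}")
    return groups


if __name__ == "__main__":
    for name in ("lsst", "lsst_protu_dr5", "lsst_jbasney_galaxyXYZ", "lsst_portal"):
        g = parse_group(name)
        print(f"{name:25} tag={g.tag!s:9} name={g.name!s:18} level={g.data_level}")
    print(groups_for_new_account("jbasney", has_data_rights=True, latest_release="dr5"))
```

Running the block prints one line per sample name and the group list for a new US Astronomer account; the implied level for lsst_jbasney_galaxyXYZ comes out as "Shareable", which is exactly the mismatch the page's note warns about when such a group guards user-generated data products.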

Staff Groups

For internal LSST staff, default groups shall be created with the prefix of:

...