Versions Compared

Old Version 12

changes.mady.by.user Unknown User (awithers)

Saved on

compared with

New Version 13

changes.mady.by.user Unknown User (awithers)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Jira
serverJIRA
columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
serverId9da94fb6-5771-303d-a785-1b6c5ab0f2d2
keyITRFC-12


(note that Note: this document has been updated for clarification and to ensure consistency with LPM-261.  For example, previous instances required a "data release" tag in the group naming policy has not changed)name which has since been removed since LPM-261 confers and revokes data rights as all or nothing and does not assign data rights at a granular level.

User Groups

LSST can enforce data access rights through group membership.  Furthermore, LSST intends to enforce User-Generated data access rights through group membership.  Since we intend on using LSST groups membership to determine data access rights and access to other LSST resources and services, a group naming convention must be established.

lsst_<data-level>

...

_[<identifier>|<UG>_<identifier>]


<data-level> →  this optional prefix maps to the information classification policy as defined in LPM-122.  This identifier cannot be an arbitrary string and must use one of the designated names as set forth in LPM-122.  If this prefix is absent then “shareable” is assumed unless a convention supersedes this, see examples below.

...

  • Sensitive - Limited access only. Access should not be granted to broad groups of people.
  • Highly Sensitive - Information associated with regulatory or contractual burdens that require specific compliance planning or controls.

Examples

Users can have a group automatically created upon account creation.  This group serves as a namespace over which they have control.  For example, the user jbasney, would have the group lsst_jbasney.  The user jbasney could then create and manage (i.e. determine membership of) a group called lsst_jbasney_galaxyXYZ.  This group could then be used to control access to user generated data products.  Note that technically the <data-level> is implying "shareable" as the information classification but if this group is being used to control access to user generated data products then the <data-level> is "protected user".

Access groups can be created, for example lsst_portal, that a typical LSST user would be added to during account creation and the data rights access workflow.

During account creation, users must go through an automated (or potentially manual) process to determine their data access rights. This process will automatically add users to preexisting groups that grant them access to L2 released data productsnon-public LSST data.  For example, the user jbasney has been determined to be a US Astronomer and thus is granted access to lsst_protu_dr5 where dr5 is the latest data release at the time of account creation.  Subsequent data release will necessitate creation of new groups like this and automatic membership inclusion of LSST user accounts in good standing.

Staff Groups

For internal LSST staff, default groups hall be created with the prefix of:

...