[gin-auth] GIN VO Usage Rules.

[Kelsey, DP (David)]

Dear all,

I have only just joined the gin-auth list. I have been meaning to do so
for some time, but only got around to it when Oscar Koeroo told me about
this recent thread on AUPs etc.

I would like to tell you what we have been doing on this topic in EGEE,
Open Science Grid and various other related EU Grid projects, in the
hope that it may be useful to GIN. If it does not work for GIN it would
also be good to understand why, in case we can improve things.

As Stephen Pickles already said, EGEE does have VO-specific AUP's and we
do have a general Grid AUP which uses the term "Grid". But different
from what he said, we used this term deliberately not only to mean
"EGEE" but also to mean any other Grid which decides to adopt the same
policy, for example Open Science Grid in the USA. The policy was
developed jointly with them and actually built on early work they had
done to prepare a short, simple AUP. The aim was to produce a simple
common policy to promote interoperation.

The background to this work was as follows:

1. We needed to develop policies which would work for VO's using
multiple Grids. Users needed to register just once with their VO which
would then grant them access to resources on multiple Grids. We do NOT
require the users to register with the sites or the Grid
infrastructures.
2. We very quickly came to the conclusion that there was absolutely no
way we could take the existing network and site AUPs and merge them
altogether into one long document that would be a super-set of the
others. With more than 200 sites in 40 countries this is a non starter.
3. The legal experts we consulted seemed to agree that use of the Grid
(being after all just another internet application) was already covered
by all of the network and site AUPs whether we mentioned them or not, so
suggested we did not mention them explicitly.
4. We wanted a policy which was deliberately as short as possible to
stand some chance of acceptance by other Grids and in the hope the users
would read and understand.
5. We concluded that it was best to have a general Grid AUP accepted by
*ALL* Grid users during their registration with a VO and that any
VO-specific details were best expressed in a VO AUP. Sites could then
decide whether or not to offer resources to a particular VO based on
their policy, safe in the knowledge that the user has already accepted
the general AUP.

So... here is our "Grid AUP" (short enough to include verbatim)...

------------------------------------------

By registering with the Virtual Organization (the "VO") as a GRID user
you shall be deemed to accept these conditions of use:

1. You shall only use the GRID to perform work, or transmit or store
data consistent with the stated goals and policies of the VO of which
you are a member and in compliance with these conditions of use. 

2. You shall not use the GRID for any unlawful purpose and not (attempt
to) breach or circumvent any GRID administrative or security controls.
You shall respect copyright and confidentiality agreements and protect
your GRID credentials (e.g. private keys, passwords), sensitive data and
files. 

3. You shall immediately report any known or suspected security breach
or misuse of the GRID or GRID credentials to the incident reporting
locations specified by the VO and to the relevant credential issuing
authorities.

4. Use of the GRID is at your own risk. There is no guarantee that the
GRID will be available at any time or that it will suit any purpose.

5. Logged information, including information provided by you for
registration purposes, shall be used for administrative, operational,
accounting, monitoring and security purposes only. This information may
be disclosed to other organizations anywhere in the world for these
purposes. Although efforts are made to maintain confidentiality, no
guarantees are given. 

6. The Resource Providers, the VOs and the GRID operators are entitled
to regulate and terminate access for administrative, operational and
security purposes and you shall immediately comply with their
instructions. 

7. You are liable for the consequences of any violation by you of these
conditions of use.

------------------------------------------------------------

And here is an example VO AUP ... again rather short as you can
see.......
At the very least it needs to define the goals of the VO such that the
individual users are constrained by point 1 of the general AUP to only
perform work consistent with these goals.

------------------------------------------------------------

This Acceptable Use Policy applies to all members of the Geant4 Virtual
Organization, hereafter referred to as the VO, with reference to use of
the LCG/EGEE Grid infrastructure, hereafter referred to as the Grid. The
Geant4-Spokesman, <name-removed> (CERN), owns and gives authority to
this policy. The goal of the VO is to validate the software they provide
to their users (HEP experiments such as ATLAS, CMS, LHCb, Babar,
Astrophysics applications, biomedical communities, etc) twice per year
within the Grid environment. This procedure should cover a wide range of
parameters and physical models which are high CPU demanding. At the same
time they are planning to use regularly the LCG/EGEE resources to make
analysis and studies of their toolkit. Members and Managers of the VO
agree to be bound by the Grid Acceptable Use Policy, VO Security Policy
and other relevant Grid Policies, and to use the Grid only in the
furtherance of the stated of the VO.

------------------------------------------------------------

I hope you might find this useful.

Regards
Dave Kelsey


------------------------------------------------
Dr David Kelsey
Particle Physics Department
Rutherford Appleton Laboratory
Chilton, DIDCOT, OX11 0QX, UK

e-mail: D.P.Kelsey at rl.ac.uk
Tel: [+44](0)1235 445746 (direct)
Fax: [+44](0)1235 446733
------------------------------------------------