Guide: Entitlement & Eligibility: Difference between revisions

➡️ Back to the FAQ for Registration & Entitlements.

Entitlements in bwCloud-OS define who can access the platform (Access Control) and how many resources they may use and under what conditions (Eligibility).

• Entitlements are strings assigned to a user carrying information about his/her privileges.
• Every quota entitlements (which can be seen as a "package") contains an eligibility. After "unpacking", the bwCloud-OS works only with the eligibility.
• Every user owns at least the empty eligibility.
• Every project needs to be linked with an eligibility.

Every member of a higher education institution in Baden-Württemberg has a personal account. If the institution participates in the federated identity management system (bwIDM), its members can also apply for the external service bwCloud-OS, by providing additional information. This is handled through the assignment of eduPersonEntitlement to the user's account.

All entitlements are issued and managed by the user’s home institution and play a central role in how the platform is used and funded. These decisions are made exclusively by the user's home institution. The bwCloud-OS team has no authority to grant access or resources without an official entitlement.

The bwCloud-OS negotiated only contracts with institutions (customers) but not with individual members (users). This is a crucial difference compared to other known cloud providers. Further, there are several different types of sponsors (e.g., faculties, research projects) located at the institutes that need to be enhanced to manage the resources of sub-groups of their members (e.g., students of a faculty).

For registration to the bwCloud-OS several Condition of use need to be fulfilled. By rolling out the access entitlement home organizations can manage by themselves who is allowed to access the bwCloud-OS.

Registration is streamlined through entitlements:

• Entitlements are automatically evaluated during registration.
• Users receive immediate access and resources (project quota) once their entitlement is confirmed. No manual activation is required.

All consumptions within the bwCloud-OS, within projects, are charged. Hence, for each project, a customer is required, which differs from the user or owner.

Charging will be based on the projects booking units (BEH) and will be addressed to the project owner's home organization.

The institutes can define an internal process so their members can set entitlements in the home IdP.

Entitlements also help define who is financially responsible for producing BEH.

• Defining cost centers to separate costs into different cost positions, allowing institutions to reimburse the costs internally.

• bwCloud-OS will generate aggregated usage reports and invoices per institution—no individual billing.

Sometimes resources should only be consumed up to a certain level or amount of time.

• Constraints can be used to manage the valid period for eligibility.
• After reaching an eligibility constraint, no more costs can be produced within the associated project.

The gimmic with the eligibility enhances (later) the bwCloud-OS local support to manage quota privileges within the bwCloud-OS environment. Such a central service could simplify local processes within the customers.

The institutions are sending two types of entitlements to the bwCloud-OS, quota and access entitlements. Often the term 'entitlement' refers only to the quota entitlements.

A quota entitlement consists of two parts, the namespace and the identifier (eligibility):

urn:geant:dfn.de:bwidm:bwcloud-os:group:ELIGIBILITY

bzw.

urn:geant:dfn.de:bwidm:bwcloud-os:group:<quota_flavor>:<cost_center_id>[:<first_day_of_validation|null>:<last_day_of_validation|null>:<max_booking_units|null>]

The syntax for valid eligibilitues is described in the sections below.

There is also a special entitlement access, which determines whether a user is allowed to access the bwCloud-OS at all. On the level of the bwIDM is this entitlement necessary to register for the bwCloud-OS.

urn:geant:dfn.de:bwidm:bwcloud-os:access

Every project is associated with an entitlement, making sure the project is chargeable.

• An eligibility is a unique combination of owner, quota flavor, and cost center.
• An eligibility can be assigned to a maximum of one project. The eligibility-project association is therefore unique.
• A limit value for BEH and validation dates may be set to restrict the duration of an eligibility.

Optionally, the following structure for Eli may be used to provide further information and define constraints for the quota flavor:

<quota_flavor>:<cost_center_id>[:CONSTRAINTS]

respectively

<quota_flavor>:<cost_center_id>[:<first_day_of_validation|null>:<last_day_of_validation|null>:<max_booking_units|null>]

The given quota flavor name refers to the quota flavor that specifies the maximum resources a project may receive.

• A user can have several quota flavors.
• A quota flavor can be specified several times by using different cost centers. Each additional eligibility can be used for another project.

The given quota flavor name must be within the list of support project quota flavors.

Each user owns this eligibility. This is set for each user within the bwCloud-OS environment and can't be removed from a user. An empty quota entitlement can't be given explicitly. Furthermore, this eligibility, and only this, can be used for multiple projects.

Cost centers are used to allocate BEH generated within projects. This string does not need to be agreed upon with us and does not need to have any meaning outside the institution.

• A cost center (id) can be assigned to multiple eligibilities and users.
• BEH are aggregated per cost center across all projects assigned to the cost center.
• The assignment of cost centers enables customers to pass on costs (internally).

For a cost center, only the symbols [a-zA-Z0-9-_] and a maximal length of 50 characters are allowed.

Specific day in the yyyy-mm-dd format that allows the institute to limit the validation window to begin for the eligibility. If the date is not given or null, the eligibility is valid from the current day on.

Specific day in the yyyy-mm-dd format that allows the institute to limit the validation window end for the eligibility. If the date is not given or null, the eligibility is forever valid.

Integer, that defines the maximum number of BEH that can be generated by the associated project. If the number is not given or null, the default behavior is: Eligibility is forever valid. The number of booking units must be at least 2000.

We provide a REST-API that can be used for validating syntax and checking the interpretation of an entitlement and an eligibility.

Granting a user a request quota for a project up to the medium flavor. All generated booking units will be charged under the bill position 42. Since the constraints section is not defined, the default values are applied.

urn:geant:dfn.de:bwidm:bwcloud-os:group:medium_1:42

Interpreted as eligibility:

quota_flavor = medium_1
cost_center_id = 42
first_day_of_validation = {{today}}
last_day_of_validation = inf
max_booking_units = inf

owner = {{user.eppn}}
customer = {{user.home_organization}}

Allow a user to request a quota for a large project, but this is terminated up to the end of 2026 and can maximally produce 5000 BEH. The booking units for all projects with the cost center student will be charged under the same bill position.

urn:geant:dfn.de:bwidm:bwcloud-os:group:large_1:student:null:2026-12-31:5000

Interpreted as eligibility:

quota_flavor = large_1
cost_center_id = student
first_day_of_validation = {{today}}
last_day_of_validation = 31.12.2026
max_booking_units = 5000

owner = {{user.eppn}}
customer = {{user.home_organization}}

A xtiny project can be requested. The consumed booking units will aggregate under the position for the informatics faculty and can be used from February 2026 on for one year. Costs are allocated to cost center hfu_netze2.

urn:geant:dfn.de:bwidm:bwcloud-os:group:xtiny_1:hfu_netze2:2026-02-01:2027-01-31:null

Interpreted as eligibility:

quota_flavor = xtiny_1
cost_center_id = hfu_netze2
first_day_of_validation = 01.02.2026
last_day_of_validation = 31.01.2027
max_booking_units = inf

owner = {{user.eppn}}
customer = {{user.home_organization}}

A user with this entitlement will book the costs on the cost center ufr_technical_faculty and must stop when the project consumes 1000000 BEH.

urn:geant:dfn.de:bwidm:bwcloud-os:group:xmedium_1:ufr_technical_faculty:null:null:1000000

Interpreted as eligibility:

quota_flavor = large_1
cost_center_id = ufr_technical_faculty
first_day_of_validation = {{today}}
last_day_of_validation = inf
max_booking_units = 1000000

owner = {{user.eppn}}
customer = {{user.home_organization}}

The example in the image to the left demonstrates how costs can be accumulated based on cost centers.