Registration: Difference between revisions

From bwCloud-OS
Admin (talk | contribs)
No edit summary
No edit summary
 
(127 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{{InANutshell|To use bwCloud-OS, your account must include a '''validbwIDM entitlement'''– either '''bwCloud-Basic''' or '''bwCloud-Extended'''.
 
These entitlements define whether you can access the service, how many resources (VMs, flavors) you can use, and under which operating rules.   
{{InANutshell|
Your home institution grants these entitlements and thereby controls access and billing responsibilities.
<li>Access to bwCloud-OS requires an active account from a '''bwIDM'''-participating institution.</li>
You can check your entitlement status in the [bwSupportPortal](https://bw-support.scc.kit.edu) or via the [RegApp](https://login.bwidm.de/welcome/index.xhtml).}}
<li>Your account must include a valid '''entitlement''', assigned by your '''home institution'''. This is usually automatic. If it is missing (see [[Registration#My-Entitlements|here]]), contact your institution’s IT support. The bwCloud-OS team cannot assign entitlements.</li>
<li>The entitlement carries information about the eligibility. An '''eligibility''' is the privilege to consume resources within a project and therefore for generating costs.</li>
<li>Log in once to the [https://portal.bw-cloud.org/ '''Dashboard'''] to activate your profile. Setup is automated via bwIDM.</li>
<li>After login, select your '''region''' as described [[Registration#Region-Selection|here]] to begin using bwCloud-OS.</li>}}
 
 
 
__TOC__
__TOC__
= Entitlements =
This page explains the '''bwIDM entitlements'''(bwCloud Basic, bwCloud Extended) required to use bwCloud-OS and their impact on access, resources, and operating rules.


= Identity Management =
<span id="Entitlements"></span>
'''➡️ More information in the guide about [[Guide: Registration|Registration]].'''
== What is "bwIDM" and why does it know me? ==
<span id="bwIDM"></span>
Every member of a higher education institution in Baden-Württemberg  (university, college, PH, HAW, etc.) has a personal account for accessing the IT services provided by their institution. If the institution participates in the federated identity management system  [https://www.bwidm.de/ '''bwIDM'''], its members can also apply for additional IT services offered by other participating institutions.
To allow external IT services to identify users, certain personal data is transmitted via bwIDM to these services during registration and use of the service. Federated identity management ensures, through a model of mutual trust, that the external service can verify the user’s affiliation with their institution — confirming that the account is valid and the user is officially recognized. Within the bwIDM Federation, participating institutions have agreed on a minimum set of personal data that is transmitted to external IT services. This includes standard attributes such as <code>eduPersonPrincipalName</code>, <code>mail</code>, <code>givenName</code> or <code>eduPersonEntitlement</code>.
== What happens during the registration for the bwCloud-OS service? ==
During the registration on bwIDM for the bwCloud-OS service, the following steps are streamlined:


# A user registers himself*herself.
# bwIDM requests the creation of a user account by the bwCloud-OS and forwards a set of user data.
# The bwCloud-OS parses the user data, including given [[Guide: Entitlement & Eligibility|entitlements]].
# Based on these data, a user account and a start [[Projects and Quota|project]] is created. The [[Guide: Entitlement & Eligibility#Quota flavors|quota flavor]] given in the entitlement defines the project quota. If more than one [[Guide: Entitlement & Eligibility#Quota Entitlements|quota eligibilities]] are given, a random one is chosen. [[Projects and Quota#Change-Eligibility|The eligibility can later on be changed.]]


<span id="was-sind-entitlements"></span>
= Entitlement and Eligibility =
<span id="Entitlements-bwCloud-OS"></span>


== What are "Entitlements" or "bwIDM Entitlements"? ==
'''📌 Note:''' The bwCloud(-OS) entitlement model is currently being restructured and subject to change.


Every member of an Institution (university, college, PH, HAW etc.) in Baden-Württemberg has a personal account to log on to and use the IT services provided by the institution. If the Institution is a member of the [https://www.bwidm.de/  federated identity management of Baden-Württemberg universities bwIDM], then associates of this institution can apply for further use of IT services offered by other locations.
'''➡️ More information in the guide about [[Guide: Entitlement & Eligibility|Entitlement & Eligibility]].'''


In order that these "external" IT services "know" who the user is, the following information is provided during registration and/or usage of the external IT service and some data of the user(s) is transmitted to the IT service. The federated Identity management also ensures through the mutual trust model that the external IT service knows that the user really exists at the respective institution (validation of the account).
== What is the difference between flavor, quota, and quota flavors? ==


In context of the bwIDM Federation, the participating institutions have agreed on a minimum data set, which is transmitted to the external IT service. This data record includes, for example Attribute like eduPersonalPrincipalName, mail or givenName. These are so-called "standard attributes".
* [[Instances (VMs)#Flavors|Flavor]] (or VM flavor) is a defined set of resources (core, RAM, storage) that can be chosen as the size of an instance.
* [[Projects and Quota#Quota|Quota]] (or project quota) is the amount of resources (core, RAM, storage, network, volume, etc.) a project can consume or bind.
* [[Guide: Entitlement & Eligibility#Quota flavors|Quota flavors]] is a defined set of project quotas that can be chosen as the size of a project.


However, some IT services require specific information, such as whether a home institution is permitted to use a foreign IT service at all. This specific information can be added to the personal account of the user(s) via additional assignments of a special attribute (eduPersonEntitlement).
== What is the difference between entitlement and eligibility? ==


<span id="welche-entitlements-notwendig"></span>
* [[Guide: Entitlement & Eligibility#Eligibility|Eligibility]] defines the permission for a user to consume resources in the bwCloud-OS. Inside the bwCloud-OS is only interpreting eligibilities.
* [[Guide: Entitlement & Eligibility#Entitlement URN structure|Entitlement]] is classified into two types:
** The [[Guide: Entitlement & Eligibility#Quota Entitlements|access entitlement]] defines the privilege for using the bwCloud-OS.
** [[Guide: Entitlement & Eligibility#Quota Entitlements|Quota entitlements]] containing an eligibility.


== Which Entitlements do I need to use bwCloud-OS? ==
== As a customer (institute): What do I need to prepare my IDM for the bwCloud-OS Gen3? ==
To use the bwCloud-OS you need at least one of the two entitlements:
* bwCloud-Basic
* bwCloud-Extended


Accounts can also include both entitlement elements - in this case the "higher ranking" entitlement element ('''bwCloud-Extended''') is evaluated and applied.
* You need to set the [[Guide: Entitlement & Eligibility#Access Entitlement|access entitlement]] for all members.
* Every member needs a [[Guide: Entitlement & Eligibility#Quota flavors|quota flavors]] to start using. It may be great to cover 95% of your use cases with this.
* For the other 5%, the power users, extra entitlements must be managed.


== What is regulated with the Entitlements? Why do I need these Entitlements? ==
== Is a centralized service planned to manage eligibility directly in the bwCloud-OS? ==
The entitlements serve several purposes. The most important points in the overview:
Not yet. This sounds like a complex service. There are plenty of [[Guide: Entitlement & Eligibility#Central eligibility platform|questions for this central service]] we have to ask in advance.


# Entitlements answer the question of ''who is allowed access to bwCloud-OS and who is not'' by the home locations  The users' home locations independently decide on the allocation of entitlements to their members - and thus ultimately who and how the bwCloud-OS should be used.  On our side applies from 01.10.2019: No release by the home institution via Entitlement = No access to bwCloud-OS
== What entitlement do I have to become a member of an existing project? ==
# With the entitlements we control how many resources a user is allowed to use  The following applies: the flavor table is the basis for differentiation
There is no entitlement required to become a member of an existing project. [[Projects and Quota#Can project members be changed?|New project members can be added anytime.]]
## Users who only have the bwCloud-Basic entitlement can start an instance of either "nano" or "tiny". This is a kind of "trial access" and is mainly targeted at students. Instances of this flavor are free of charge.
## Users who have the "bwCloud-Extended" entitlement will be given significantly more quotas and can therefore use all the flavors offered. The use of the bwCloud-OS will incur costs in the future.
# With the Entitlements we regulate how we handle the instances  The Eentitlement bwCloud-Basic is mainly addressed to students who want to use the bwCloud-OS for various purposes such as theses or as a software repository. Since there is a large number of students in Baden-Württemberg, we expect a correspondingly large number of small VMs to accumulate over time. At the same time, we assume that these VMs will most likely be forgotten and stay online even after their original purpose is no longer applicable". The bwIDM Entitlement bwCloud-Basic is not intended to run a (system) service permanently. We will therefore regularly delete all VMs started by users with entitlement ''bwCloud-Basic'' to "clean up" our systems and to give other users the chance to start an instance. The bwIDM Entitlement bwCloud-Basic is not intended for permanently running VMs. With bwCloud-Extended these restrictions do not exist. Here the following applies: the VMs run until they are independently deleted by the users.
# With the entitlements we know who can potentially pay for the virtual machines  To ensure the sustainable operation of the bwCloud-OS and a regular exchange of hardware and software In order to be able to ensure this, it is necessary to charge for the services used. We therefore would like to establish a cost allocation model. With the income generated in this way, we intend to renew our hardware infrastructure regularly and adapt it to requirements. In order to be able to avoid individual invoices with the users, we are going to generate so-called collective overviews and invoices", because only the home region know their users and know who has the appropriate resources to operate VMs. With the award of the Entitlements bwCloud Extended for a user, the respective home region signals two things:
## the user has access to an account with appropriate means and that
## the home site can therefore pay the total bill for the resource consumption of all users of the site.  How the costs are then allocated internally at the home site is again a matter for the respective site and can be organised individually and according to their local guidelines. Resources operated with the bwIDM Entitlement bwCloud-Basic remain free of charge: this flavor is supported by the Ministry of Science, Research and the Arts (MWK).
# We accelerate the registration process  Through the automated evaluation of the bwIDM Entitlements in the course of the registration for the service, users receive immediate feedback when the account has been set up in the bwCloud. No manual interaction from our side is necessary anymore - and so everybody wins: Users enter the bwCloud-OS within minutes and we don't have to activate anyone manually anymore.


== How can I find out which entitlements my account contains? ==
== Can I use the same entitlement or eligibility for several projects? ==
To find out which Entitlements are linked to an account, you can for example log into the "[https://login.bwidm.de/welcome/index.xhtml RegApp]" or the [https://bw-support.scc.kit.edu bwSupportPortal].
No. A user with his eligibility can only be assigned to one project, <code>{0,1}:1</code> mapping.
When logging into a RegApp or into the bwSupportPortal an overview of the data to be transmitted is displayed. This overview also includes the supplied Entitlements (see screenshot).


<div style="text-align:center;">
== I have an entitlement. How can I get a project with a quota? ==
[[File:Screenshot login bwSupportPortal.png|450x450px|border]]
Only once, during the registration of a new user, is a (start-)project automatically created from a given eligibility. Afterward, a user needs to [[Projects and Quota#How can I request a new (group) project?|request a new project]].
</div>


<br><br><br><br><br>
== How can I find out which entitlements I am owning? ==
<span id="My-Entitlements"></span>


== What do I do if my account has no bwCloud entitlement assigned to it? ==
To inspect your personal data, open the [https://login.bwidm.de/user/index.xhtml bwIDM] services and switch to the rider ''Shibboleth.'' Under <code><nowiki>urn:oid:1.3.6.1.4.1.5923.1.1.1.7</nowiki></code> (<code>eduPersonEntitlement</code>) you can see your entitlement.
The assignment of the entitlement is the sole responsibility of the respective user location. We from bwCloud-OS ''cannot add or remove Entitlements'' to user accounts! In this case, please contact the central IT service facility (computer center, IT service center, service center, ...) and request the assignment of the desired entitlement element.


= Region =  
== What should I do if my account has no bwCloud-OS entitlement assigned? ==
<span id="No-Entitlements"></span>


The assignment of entitlements is exclusively managed by your home institution. The bwCloud-OS team does '''not''' have the authority to add or remove entitlements on user accounts. If your account lacks the necessary entitlement, please contact your institution’s central IT service department or service desk.


== What does "region" mean in bwCloud-OS? ==
== When will the additional eligibility features be supported? ==
bwCloud-OS currently consists of '''four different operating sites = regions''', which can be selected and administered via a common interface (dashboard or portal). Each of the four operating sites acts as an independent region. This means: running instances in the Mannheim region receive an IP address according to the configuration of the Mannheim region. The IP address is specific to Mannheim and cannot move to another region.
We are aware that you wish to budget, control, and manage your expenses. Therefore, we designed these features. However, currently we need to get used to a large set of new processes. If the bwCloud-OS accomplishes this, additional features will be supported.


== What is a "home region"? ==
Each user in the bwCloud-OS is initially assigned a home region during the setup. For users from the four operating locations this assignment is of course trivial. For users from other locations we have oriented ourselves to the network topology of the BelWü. The goal of the current assignment is the shortest possible connection of the respective location to one of our operating sites.


The following table gives a rough overview of the current distribution of users:
= Regions =


== What does "region" mean in bwCloud-OS? ==
<span id="Regions"></span>


{| class="wikitable"
In bwCloud-OS, a '''region''' refers to one of the four operating sites: '''Freiburg''', '''Karlsruhe''', '''Mannheim''', and '''Ulm'''. Each region runs its own infrastructure but is accessible through a shared interface ([https://portal.bw-cloud.org/ Dashboard]).
! User location
! bwCloud-OS region = home region
|-
| Baden-Baden
| rowspan="5" | Karlsruhe
|-
| Karlsruhe
|-
| KIT
|-
| Pforzheim
|-
| Rastatt
|-
| Offenburg
| rowspan="3" | Freiburg
|-
| Freiburg
|-
| Furtwangen
|-
| Aalen
| rowspan="8" | Ulm
|-
| Albsing
|-
| Bieberach
|-
| Esslingen
|-
| Heidenheim
|-
| Hohenheim
|-
| Ulm
|-
| Weingarten
|-
| Gmünd
| rowspan="13" | Mannheim
|-
| Heidelberg
|-
| Heilbronn
|-
| Ludwigsburg
|-
| Mannheim
|-
| Rottenburg
|-
| Stuttgart
|-
| BSZ-BW
|-
| DHBW-VS
|-
| Konstanz
|-
| Reutlingen
|-
| Tübingen
|-
| Every other location
|}
<div style="font-size:smaller; text-align:left;">Status: July 2018</div>


Resources such as virtual machines (VMs, instances), networks, and storage are bound to the region in which they are created. For example, an instance launched in the Mannheim region will receive an IP address from Mannheim’s specific IP range(s) — this address cannot be transferred to another region.


You can switch between regions in the Dashboard interface as described [[Registration#Region-Selection|here]].


== What is my "home region"? ==
<span id="Home-Region"></span>


In bwCloud-OS, each user is initially assigned a '''home region''' during account setup. For users from one of the four operating sites (Freiburg, Karlsruhe, Mannheim, Ulm), this assignment is straightforward. For users from other institutions, the assignment is based on the network topology of [https://www.belwue.de/ BelWue] — aiming to route each user to the nearest operating site for optimal connectivity. However, you can [[Projects and Quota#Group-Project-Application|apply for a project]] with resources (also) in other regions.


In order to determine the home region, we evaluate the "affiliation" of the users during registration. If a user comes from a location that is not explicitly listed in the table, the Freiburg region is used as the default home region.
A table showing the current home region assignments can be found [[Regions|here]].  


== Where do I select the region in the dashboard? ==
== Where do I select the region in the Dashboard? ==
In the left half of the top navigation bar in the dashboard you can click on a drop-down menu to display the regions. The currently selected region is marked with a tick. A click on the respective region switches there.
<span id="Region-Selection"></span>


[[File:Select region dashboard.png|border|center|thumb|722x722px]]
You can select a region from the drop-down menu located on the left side of the top navigation bar in the [https://portal.bw-cloud.org/ Dashboard]. The currently active region is marked with a checkmark. Simply click on a different region in the list to switch to it.[[File:Region selection.png|center|thumb|722x722px]]
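
Review bot: In the new "What is the difference between entitlement and eligibility?" list, the access entitlement bullet links to the "#Quota Entitlements" anchor of the Entitlement & Eligibility guide, the same target as the quota entitlements bullet, while the "As a customer (institute)" list links the access entitlement to "#Access Entitlement"; the first link looks like a copy-paste slip and should point to "#Access Entitlement" as well. Registration step 4 also states that with more than one quota eligibility "a random one is chosen"; since the page defines an eligibility as the privilege to consume resources and generate costs, it is worth saying where a user can see which eligibility was picked, next to the existing link for changing it.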

Latest revision as of 16:04, 2 February 2026

In a Nutshell
  • Access to bwCloud-OS requires an active account from a bwIDM-participating institution.
  • Your account must include a valid entitlement, assigned by your home institution. This is usually automatic. If it is missing (see here), contact your institution’s IT support. The bwCloud-OS team cannot assign entitlements.
  • The entitlement carries information about the eligibility. An eligibility is the privilege to consume resources within a project and thereby to generate costs.
  • Log in once to the Dashboard to activate your profile. Setup is automated via bwIDM.
  • After login, select your region as described here to begin using bwCloud-OS.


Identity Management

➡️ More information in the guide about Registration.

What is "bwIDM" and why does it know me?

Every member of a higher education institution in Baden-Württemberg (university, college, PH, HAW, etc.) has a personal account for accessing the IT services provided by their institution. If the institution participates in the federated identity management system bwIDM, its members can also apply for additional IT services offered by other participating institutions.

To allow external IT services to identify users, certain personal data is transmitted via bwIDM to these services during registration and use of the service. Federated identity management ensures, through a model of mutual trust, that the external service can verify the user’s affiliation with their institution — confirming that the account is valid and the user is officially recognized. Within the bwIDM Federation, participating institutions have agreed on a minimum set of personal data that is transmitted to external IT services. This includes standard attributes such as eduPersonPrincipalName, mail, givenName or eduPersonEntitlement.

What happens during the registration for the bwCloud-OS service?

During the registration on bwIDM for the bwCloud-OS service, the following steps are streamlined:

  1. A user registers themselves.
  2. bwIDM requests the creation of a user account by the bwCloud-OS and forwards a set of user data.
  3. The bwCloud-OS parses the user data, including the given entitlements.
  4. Based on this data, a user account and a start project are created. The quota flavor given in the entitlement defines the project quota. If more than one quota eligibility is given, a random one is chosen. The eligibility can be changed later.
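
The registration steps above, sketched as an added example (not bwCloud-OS code). The two URN values, the `classify` and `register` functions and the account record layout are assumptions made for illustration; the real entitlement URN structure is defined in the Entitlement & Eligibility guide and is not reproduced here.

```python
import random

# OID under which eduPersonEntitlement is delivered, as named on this page.
EDU_PERSON_ENTITLEMENT_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"

# Constructed placeholder URNs, NOT the real bwCloud-OS entitlement values.
ACCESS_URN = "urn:example:bwcloud:access"
QUOTA_PREFIX = "urn:example:bwcloud:quota:"   # suffix = quota flavor name


class RegistrationDenied(Exception):
    """Raised when the forwarded data carries no access entitlement."""


def classify(entitlements):
    """Step 3: split raw values into (has_access, sorted quota flavors)."""
    has_access = False
    quota_flavors = set()
    for raw in entitlements:
        value = raw.strip()
        if value == ACCESS_URN:                 # exact match, no prefix games
            has_access = True
        elif value.startswith(QUOTA_PREFIX) and len(value) > len(QUOTA_PREFIX):
            quota_flavors.add(value[len(QUOTA_PREFIX):])
        # Everything else belongs to other services and is ignored.
    return has_access, sorted(quota_flavors)


def register(attributes, accounts, rng=random):
    """Steps 2-4: create the account and, only once, a start project."""
    eppn = attributes["eduPersonPrincipalName"]
    has_access, candidates = classify(
        attributes.get(EDU_PERSON_ENTITLEMENT_OID, []))
    if not has_access:
        # No access entitlement from the home institution means no account.
        raise RegistrationDenied(f"{eppn}: no access entitlement")
    if eppn in accounts:
        # The start project is created only at first registration.
        return accounts[eppn]
    project = None   # assumption: without a quota eligibility no project is made
    if candidates:
        project = {
            "name": f"start-{eppn}",
            "quota_flavor": rng.choice(candidates),  # "a random one is chosen"
            "offered": candidates,  # kept so the random pick stays auditable
        }
    accounts[eppn] = {"user": eppn, "start_project": project}
    return accounts[eppn]


# Constructed sample of the attribute set bwIDM forwards.
SAMPLE = {
    "eduPersonPrincipalName": "alice@uni.example",
    "mail": ["alice@uni.example"],
    EDU_PERSON_ENTITLEMENT_OID: [
        ACCESS_URN,
        QUOTA_PREFIX + "small",
        QUOTA_PREFIX + "large",
        "urn:example:other-service:user",
    ],
}

if __name__ == "__main__":
    print(register(SAMPLE, {}, random.Random(0)))
```

Recording the offered eligibilities next to the chosen one lets an operator reconstruct later why a project received a particular quota.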

Entitlement and Eligibility

📌 Note: The bwCloud(-OS) entitlement model is currently being restructured and subject to change.

➡️ More information in the guide about Entitlement & Eligibility.

What is the difference between flavor, quota, and quota flavors?

  • Flavor (or VM flavor) is a defined set of resources (core, RAM, storage) that can be chosen as the size of an instance.
  • Quota (or project quota) is the amount of resources (core, RAM, storage, network, volume, etc.) a project can consume or bind.
  • A quota flavor is a defined set of project quotas that can be chosen as the size of a project.

What is the difference between entitlement and eligibility?

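  • Eligibility defines the permission for a user to consume resources in the bwCloud-OS. Internally, the bwCloud-OS interprets only eligibilities.
  • Entitlement is classified into two types:
      ◦ The access entitlement defines the privilege for using the bwCloud-OS.
      ◦ Quota entitlements contain an eligibility.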

As a customer (institute): What do I need to prepare my IDM for the bwCloud-OS Gen3?

  • You need to set the access entitlement for all members.
  • Every member needs a quota flavor to get started. It would be ideal to cover 95% of your use cases with this.
  • For the other 5%, the power users, extra entitlements must be managed.

Is a centralized service planned to manage eligibility directly in the bwCloud-OS?

Not yet. This sounds like a complex service. There are plenty of questions for this central service we have to ask in advance.

What entitlement do I need to become a member of an existing project?

There is no entitlement required to become a member of an existing project. New project members can be added anytime.

Can I use the same entitlement or eligibility for several projects?

No. A user's eligibility can be assigned to only one project (a {0,1}:1 mapping).

I have an entitlement. How can I get a project with a quota?

Only once, during the registration of a new user, is a (start-)project automatically created from a given eligibility. Afterward, a user needs to request a new project.

How can I find out which entitlements I have?

To inspect your personal data, open the bwIDM services and switch to the Shibboleth tab. Under urn:oid:1.3.6.1.4.1.5923.1.1.1.7 (eduPersonEntitlement) you can see your entitlement.

What should I do if my account has no bwCloud-OS entitlement assigned?

The assignment of entitlements is exclusively managed by your home institution. The bwCloud-OS team does not have the authority to add or remove entitlements on user accounts. If your account lacks the necessary entitlement, please contact your institution’s central IT service department or service desk.

When will the additional eligibility features be supported?

We are aware that you wish to budget, control, and manage your expenses. Therefore, we designed these features. However, currently we need to get used to a large set of new processes. If the bwCloud-OS accomplishes this, additional features will be supported.


Regions

What does "region" mean in bwCloud-OS?

In bwCloud-OS, a region refers to one of the four operating sites: Freiburg, Karlsruhe, Mannheim, and Ulm. Each region runs its own infrastructure but is accessible through a shared interface (Dashboard).

Resources such as virtual machines (VMs, instances), networks, and storage are bound to the region in which they are created. For example, an instance launched in the Mannheim region will receive an IP address from Mannheim’s specific IP range(s) — this address cannot be transferred to another region.

You can switch between regions in the Dashboard interface as described here.

What is my "home region"?

In bwCloud-OS, each user is initially assigned a home region during account setup. For users from one of the four operating sites (Freiburg, Karlsruhe, Mannheim, Ulm), this assignment is straightforward. For users from other institutions, the assignment is based on the network topology of BelWue — aiming to route each user to the nearest operating site for optimal connectivity. However, you can apply for a project with resources (also) in other regions.

A table showing the current home region assignments can be found here.

Where do I select the region in the Dashboard?

You can select a region from the drop-down menu located on the left side of the top navigation bar in the Dashboard. The currently active region is marked with a checkmark. Simply click on a different region in the list to switch to it.