Entitlements in bwCloud-OS: Difference between revisions

Entitlements in bwCloud-OS define who can access the platform (Access Control), how many resources they may use (Quota flavors), and under what conditions (Eligibility).

• Every user owns at least the empty entitlement, even if not directly specified.

Every member of a higher education institution in Baden-Württemberg has a personal account. If the institution participates in the federated identity management system (bwIDM), its members can also apply for the external service bwCloud-OS, by providing additional information. This is handled through the assignment of eduPersonEntitlement to the user's account.

All entitlements are issued and managed by the user’s home institution and play a central role in how the platform is used and funded. These decisions are made exclusively by the user's home institution. The bwCloud-OS team has no authority to grant access or resources without an official entitlement.

For registration to the bwCloud-OS several criterias need to be fulfilled.

Registration and is streamlined through entitlements:

• Entitlements are automatically evaluated during registration.
• Users receive immediate access and resources once their entitlement is confirmed. No manual activation is required.

Entitlements also help define who is financially responsible for produced booking units (BEH).

The user’s home organization is responsible for:

• Verifying users have access to funding,
• Defining cost centers to separate costs into different cost positions, allowing institutions to reimburse the costs internally.

• bwCloud-OS will generate aggregated usage reports and invoices per institution—no individual billing.

A quota entitlement persists out of two parts, the namespace and the identifier (eligibility):

urn:geant:bwcloud-os.de:group:ELIGIBILITY

bzw.

urn:geant:bwcloud-os.de:group:<quota_flavor>:<cost_center_id>[:<first_day_of_validation|null>:<last_day_of_validation|null>:<max_booking_units|null>]

The syntax for valid entitlement identifiers is described in the sections below.

There is also a special entitlement bwcloudos_access, which determines whether a user is allowed to access the bwCloud-OS at all.

urn:geant:bwcloud-os.de:bwcloudos_access

Every project is associated with an entitlement, making sure the project is chargeable.

• An eligibility is a unique combination of quota flavor, owner, and cost center.
• An eligibility can be assigned to a maximum of one project. The eligibility-project association is therefore unique.
• A limit value for BEH and validation dates may be set to restrict the duration of an eligibility.

The example in the image to the left demonstrates how costs can be accumulated based on cost centers.

Optionally, the following structure for Eli may be used to provide further information and define conditions for the quota flavor.

<quota_flavor>:<cost_center_id>[:<first_day_of_validation|null>:<last_day_of_validation|null>:<max_booking_units|null>]

A project flavor specifies the maximum resources a project may receive.

• A quota flavor can be specified several times by using different cost centers. Each additional eligibility can be used for another project.
• A user can have several quota flavors.

The supported quota packages are described in the table below.

Each quota flavor is associated with resources granted to projects.

Cost centers are used to allocate BEH generated within projects. This string does not need to be agreed upon with us and does not need to have any meaning outside the institution.

• A cost center can be assigned to multiple eligibilities and users.
• BEH are aggregated per cost center across all projects assigned to the cost center.
• The assignment of cost centers enables customers to pass on costs (internally).

Specific day in the yyyy-mm-dd format that allows the institute to limit the validation window for the entitlement. If thes date is not given or null, the following default behavior is: Eligibility is valid from the current day on.

• Last day of validation: Eligibility is forever valid.

Specific day in the yyyy-mm-dd format that allows the institute to limit the validation window for the entitlement. If the date is not given or null, the following default behavior is: Eligibility is forever valid.

Integer (>0), that defines the maximum number of BEH that can be generated by the associated project. If the number is not given or null, the default behavior is: Eligibility is forever valid.

Granting a user a request quota for a project up to the medium flavor.

urn:geant:bwcloud-os.de:group:bwcloudos_medium_1:42

Interpreted as eligibility:

quota_flavor = bwcloudos_medium_1
cost_center_id = 42
first_day_of_validation = {{today}}
last_day_of_validation = inf
max_booking_units = inf

Allow a user to request quota for a large project, but this is terminated up to the end of 2026 and can maximally produce 5000 booking units. All generated booking units will be charged under the bill position student.

urn:geant:bwcloud-os.de:group:bwcloudos_large_1:student:null:2026-12-31:5000

Interpreted as eligibility:

quota_flavor = bwcloudos_large_1
cost_center_id = student
first_day_of_validation = {{today}}
last_day_of_validation = 31.12.2026
max_booking_units = 5000

A xtiny project can be requested. The consumed booking units will aggregate under the position for the informatics faculty and can be used from February 2026 on for one year.

urn:geant:bwcloud-os.de:group:bwcloudos_xtiny_1:hfu_informatics_faculty:2026-02-01:2027-02-01:null

Interpreted as eligibility:

quota_flavor = bwcloudos_xtiny_1
cost_center_id = hfu_informatics_faculty
first_day_of_validation = 01.02.2026
last_day_of_validation = 01.02.2027
max_booking_units = inf

urn:geant:bwcloud-os.de:group:bwcloudos_xmedium_1:hfu_informatics_faculty:null:null:1000000

Interpreted as eligibility:

quota_flavor = bwcloudos_xtiny_1
cost_center_id = hfu_informatics_faculty
first_day_of_validation = {{today}}
last_day_of_validation = inf
max_booking_units = 1000000