Registration: Difference between revisions

From bwCloud-OS
Revision as of 10:42, 14 June 2026

In a Nutshell
  • Access to bwCloud-OS requires an active account from a bwIDM-participating institution.
  • Your account must include a valid entitlement, assigned by your home institution. This is usually automatic. If it is missing (see here), contact your institution’s IT support. The bwCloud-OS team cannot assign entitlements.
  • The entitlement carries information about the eligibility. An eligibility is the privilege to consume resources within a project and therefore to generate costs.
  • Log in once to the Dashboard to activate your profile. Setup is automated via bwIDM.
  • After login, select your region as described here to begin using bwCloud-OS.


Identity Management

➡️ More information in the guide about Registration.

What is "bwIDM" and why does it know me?

Every member of a higher education institution in Baden-Württemberg (university, college, PH, HAW, etc.) has a personal account for accessing the IT services provided by their institution. If the institution participates in the federated identity management system bwIDM, its members can also apply for additional IT services offered by other participating institutions.

To allow external IT services to identify users, certain personal data is transmitted via bwIDM to these services during registration and use of the service. Federated identity management ensures, through a model of mutual trust, that the external service can verify the user’s affiliation with their institution — confirming that the account is valid and the user is officially recognized. Within the bwIDM Federation, participating institutions have agreed on a minimum set of personal data that is transmitted to external IT services. This includes standard attributes such as eduPersonPrincipalName, mail, givenName or eduPersonEntitlement.

What happens during the registration for the bwCloud-OS service?

During registration on bwIDM for the bwCloud-OS service, the following steps are streamlined:

  1. A user registers themselves.
  2. bwIDM requests the creation of a user account by bwCloud-OS and forwards a set of user data.
  3. bwCloud-OS parses the user data, including any (quota) entitlements given.
  4. Based on this data, a user account and a start project are created. The quota flavor given in the entitlement defines the project quota. If more than one quota eligibility is given, a random one is chosen. The eligibility can be changed later.

Entitlement and Eligibility

📌 Note: The bwCloud(-OS) entitlement model is currently being restructured and subject to change.

➡️ More information in the guide about Entitlement & Eligibility.

What is the difference between flavor, quota, and quota flavors?

  • Flavor (or VM flavor) is a defined set of resources (core, RAM, storage) that can be chosen as the size of an instance.
  • Quota (or project quota) is the amount of resources (core, RAM, storage, network, volume, etc.) a project can consume or bind.
  • Quota flavor is a defined set of project quotas that can be chosen as the size of a project (applies only to Gen3).

What is the difference between entitlement and eligibility?

  • Eligibility defines the permission for a user to consume resources in bwCloud-OS. Internally, bwCloud-OS interprets only eligibilities.
  • Entitlement is classified into two types:

As a customer (institute): What do I need to do to prepare my IDM for bwCloud-OS Gen3?

  • You need to set the access entitlement for all members.
  • Every member needs a quota flavor to start using the service. Ideally, this covers 95% of your use cases.
  • For the other 5%, the power users, extra entitlements must be managed.

Is a centralized service planned to manage eligibility directly in the bwCloud-OS?

Not yet. Providing a rule-based assignment of eligibilities is a complex service. There are plenty of questions about this central service that we have to ask in advance, e.g. what data can be used to treat users? ..

What entitlement do I need to become a member of an existing project?

There is no entitlement required to become a member of an existing project. New project members can be added anytime.

Can I use the same entitlement or eligibility for several projects?

No. A user with their eligibility can only be assigned to one project (a {0,1}:1 mapping).

I have an entitlement. How can I get a project with a quota?

Only once, during the registration of a new user, is a (start-)project automatically created from a given eligibility. Afterward, a user needs to request a new project.

How can I find out which entitlements I own?

To inspect your personal data, open the bwIDM services portal and switch to the "Shibboleth" tab.

Under urn:oid:1.3.6.1.4.1.5923.1.1.1.7 (eduPersonEntitlement), you can view the entitlements assigned to your account.

For bwCloud-OS (Gen3), there are two relevant entries:

  1. urn:geant:dfn.de:bwidm:bwcloud-os:access
    This entry allows you to register for the bwCloud-OS service. By itself, however, it does not define any quotas; the default is empty (all zero).
  2. urn:geant:dfn.de:bwidm:bwcloud-os:group:medium_1:0123456789
    This entry specifies that, during registration, your project quota is assigned according to the quota-flavor medium_1. It also records the associated cost center (0123456789) for accounting purposes.

Once you have registered successfully, the service "bwCloud-OS (Gen3)" will appear on the same site under "Registered Services". From there, you can also deregister from the service.
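The following is an added example, not code from the bwCloud-OS project, of how a service could evaluate the two entitlement values shown above at registration: exact match on the access entry, strict parsing of the group entry, and every other value ignored. The flavor allowlist, the numeric cost-center pattern and modelling the empty eligibility as `None` are assumptions; the URN layout is the one shown on this page.

```python
import random
import re
from typing import NamedTuple, Optional

PREFIX = "urn:geant:dfn.de:bwidm:bwcloud-os:"
ACCESS = PREFIX + "access"
# Assumption: allowlist of quota flavors; only medium_1 is named on this page.
KNOWN_FLAVORS = {"medium_1"}
# Assumption: flavor and cost center contain no ':' and the cost center is numeric.
GROUP_RE = re.compile(re.escape(PREFIX) + r"group:([a-z0-9_]+):([0-9]{1,16})")


class Eligibility(NamedTuple):
    flavor: str
    cost_center: str


def parse_group(value: str) -> Optional[Eligibility]:
    """Return the eligibility encoded in one entitlement value, or None."""
    m = GROUP_RE.fullmatch(value)
    if m is None or m.group(1) not in KNOWN_FLAVORS:
        return None  # foreign, malformed or unknown flavor: ignore, grant nothing
    return Eligibility(m.group(1), m.group(2))


def evaluate(entitlements, choose=random.choice):
    """Map eduPersonEntitlement values to (may_register, eligibility)."""
    may_register = ACCESS in entitlements  # exact match, never a prefix test
    if not may_register:
        return False, None
    candidates = sorted({e for e in map(parse_group, entitlements) if e})
    # No quota entitlement -> empty eligibility (all-zero quota), modelled as None.
    # Several quota entitlements -> one is picked at random, as the page describes.
    return True, (choose(candidates) if candidates else None)


# Constructed sample attribute values (not real account data)
SAMPLE = [
    "urn:geant:dfn.de:bwidm:bwcloud-os:access",
    "urn:geant:dfn.de:bwidm:bwcloud-os:group:medium_1:0123456789",
    "urn:geant:dfn.de:bwidm:bwcloud-os:group:medium_1:0123456789:extra",  # extra field
    "urn:geant:dfn.de:bwidm:bwcloud-os:accessx",  # look-alike of the access entry
]

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

Passing a deterministic `choose` function makes the random selection among several quota entitlements reproducible for audits and tests.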

What should I do if my account has no bwCloud-OS entitlement assigned?

The assignment of entitlements is exclusively managed by your home institution. The bwCloud-OS team does not have the authority to add or remove entitlements on user accounts. If your account lacks the necessary entitlement, please contact your institution’s central IT service department or service desk.

When will the additional eligibility features be supported?

We are aware that you wish to budget, control, and manage your expenses. Therefore, we designed these features. However, currently we need to get used to a large set of new processes. If the bwCloud-OS accomplishes this, additional features will be supported.

As a customer (institute): Can I roll out the Gen3 entitlement along with the Gen2 entitlements?

Yes. The Gen2 environment only respects the Gen2 entitlements and the Gen3 environment only respects the Gen3 entitlements.

As a customer (institute): What happens when I don't roll out quota-entitlements?

This is possible. But then during registration no quota is granted for the (start-)projects of the members from your institution. The (start-)project is linked with the empty-eligibility. In general, the users are prohibited from obtaining resources.

Regions

What does "region" mean in bwCloud-OS?

In bwCloud-OS, a region refers to one of the four operating sites: Freiburg, Karlsruhe, Mannheim, and Ulm. Each region runs its own infrastructure but is accessible through a shared interface (Dashboard).

Resources such as virtual machines (VMs, instances), networks, and storage are bound to the region in which they are created. For example, an instance launched in the Mannheim region will receive an IP address from Mannheim’s specific IP range(s) — this address cannot be transferred to another region.

You can switch between regions in the Dashboard interface as described here.

What is my "home region"?

In bwCloud-OS, each user is initially assigned a home region during account setup. For users from one of the four operating sites (Freiburg, Karlsruhe, Mannheim, Ulm), this assignment is straightforward. For users from other institutions, the assignment is based on the network topology of BelWue — aiming to route each user to the nearest operating site for optimal connectivity. However, you can apply for a project with resources (also) in other regions.

A table showing the current home region assignments can be found here.

Where do I select the region in the Dashboard?

You can select a region from the drop-down menu located on the left side of the top navigation bar in the Dashboard. The currently active region is marked with a checkmark. Simply click on a different region in the list to switch to it.