Entitlements in bwCloud-OS: Difference between revisions

From bwCloud-OS
Jump to navigation Jump to search
← Older editNewer edit →
VisualWikitext
No edit summary
No edit summary
Line 6: Line 6:
|}
|}


<span id="In-a-Nutshell"></span>
Entitlements in bwCloud-OS define '''who can access the platform''' ([[Entitlements in bwCloud-OS#Access Control via Entitlements|Access Control]]), '''how many resources they may use''' ([[Entitlements in bwCloud-OS#Quota flavors|Quota flavors]]), and '''under what conditions''' ([[Entitlements in bwCloud-OS#Eligibility JSON|Eligibility]]).  
{{InANutshell|  
<li>is a information string, given by the home organization</li>
<li>a customer can use the entitlements to allow their members to consume in the bwCloud-OS and to control eventual costs.</li>
}}


Entitlements in bwCloud-OS define '''who can access the platform''' ([[Entitlements in bwCloud-OS#Access Control via Entitlements|Access Control]]), '''how many resources they may use''' ([[Entitlements in bwCloud-OS#Quota flavors|Quota flavors]]), and '''under what conditions''' ([[Entitlements in bwCloud-OS#Eligibility JSON|Eligibility]]).  
* Every user owns at least the empty entitlement, even if not directly specified.


Every member of a higher education institution in Baden-Württemberg has a personal account. If the institution participates in the federated identity management system ('''bwIDM'''), its members can also apply for the external service bwCloud-OS, by providing additional information. This is handled through the assignment of <code>eduPersonEntitlement</code>, to the user's account.
Every member of a higher education institution in Baden-Württemberg has a personal account. If the institution participates in the federated identity management system ('''bwIDM'''), its members can also apply for the external service bwCloud-OS, by providing additional information. This is handled through the assignment of <code>eduPersonEntitlement</code> to the user's account.


All entitlements are issued and managed by the user’s home institution and play a central role in how the platform is used and funded.  These decisions are made '''exclusively by the user's home institution'''. The bwCloud-OS team has no authority to grant access or resources without an official entitlement.
All entitlements are issued and managed by the user’s home institution and play a central role in how the platform is used and funded.  These decisions are made '''exclusively by the user's home institution'''. The bwCloud-OS team has no authority to grant access or resources without an official entitlement.<span id="In-a-Nutshell"></span>{{InANutshell|An entitlement is given to users by the home organization and corresponds to the eligibility to generate costs.}}


__TOC__
__TOC__
Line 23: Line 19:


=== Access Control ===
=== Access Control ===
Accessing the bwCloud-OS requires a [[registration]] in advance. The entitlement ''bwcloudos_access'' determines, besides other criteria, whether a user is allowed to access / register for the bwCloud-OS at all.
For [[registration]] to the bwCloud-OS [[several criterias]] need to be fulfilled.


=== Automated Registration ===
=== Automated Registration ===
[[Registration]] is streamlined through entitlements:
[[Registration]] and  is streamlined through entitlements:
* Entitlements are '''automatically evaluated''' during registration.
* Entitlements are '''automatically evaluated''' during registration.
* Users receive '''immediate access''' '''and resources''' once their entitlement is confirmed. '''No manual activation is required'''.
* Users receive '''immediate access''' '''and resources''' once their entitlement is confirmed. '''No manual activation is required'''.


=== Cost Allocation and Funding Model ===
=== Reimbursement ===
Entitlements also help define '''who is financially responsible''' for resource usage. To ensure sustainable operation and future hardware/software upgrades, bwCloud-OS is moving toward a '''cost allocation model'''.
Entitlements also help define '''who is financially responsible''' for produced [[booking units]] (BEH).
 
The user’s home organization is responsible for:
* Verifying users have access to funding,
* Defining cost centers to separate costs into different cost positions, allowing institutions to reimburse the costs internally.  


* The user’s institution is responsible for:
** Verifying users have access to funding.
** Covering the collective costs for all users from that institution.
* bwCloud-OS will generate aggregated usage reports and invoices per institution—no individual billing.
* bwCloud-OS will generate aggregated usage reports and invoices per institution—no individual billing.


== Entitlement structure ==
== Entitlement URN structure ==
An entitlement persists out of two parts, the [[Entitlements in bwCloud-OS#Quota flavors|Quota flavors]] and optionally the [[Entitlements in bwCloud-OS#Eligibility|Eligibility]]:
 
  <nowiki>urn:geant:bwcloud-os.de:group:QUOTA_FLAVOR</nowiki>[:ELIGIBILITY]
=== Quota Entitlements ===
A quota entitlement persists out of two parts, the namespace and the identifier ([[Entitlements in bwCloud-OS#Eligibility|eligibility]]):
  <nowiki>urn:geant:bwcloud-os.de:group:ELIGIBILITY</nowiki>
bzw.
bzw.
  <nowiki>urn:geant:bwcloud-os.de:group</nowiki>:<quota_flavor>[:<cost_center_id>:<first_day_valid>:<last_day_valid>:<max_booking_units>]
  [urn:geant:bwcloud-os.de:group:&#x3C;quota_flavor&#x3E;:&#x3C;cost_center_id <nowiki>urn:geant:bwcloud-os.de:group</nowiki>:<quota_flavor>:<cost_center_id]>[:<first_day_of_validation>:<last_day_of_validation>:<max_booking_units>]
The valid syntax is described in the sections below.
The syntax for valid entitlement identifiers is described in the sections below.
 
=== Example Entitlements ===
 
==== Example 1 ====
Granting a user to request quota for a project up to the medium flavor.
<nowiki>urn:geant:bwcloud-os.de:group:bwcloudos_medium_1</nowiki>
 
==== Example 2 ====
Allow a user to request quota for a large project, but this is terminated up to the end of 2026 and can maximally produce 5000 booking units. All generated booking units will be charged under the bill position ''student.''
<nowiki>urn:geant:bwcloud-os.de:group:bwcloudos_large_1:student::2026-12-31:5000</nowiki>
 
==== Example 3 ====
A tiny project can be requested. The consumed booking units will aggregate under the position for the ''technical_faculty''.
<nowiki>urn:geant:bwcloud-os.de:group:bwcloudos_xtiny_1:technical_faculty</nowiki>:::


=== Special Entitlements ===
=== Special Entitlements ===
There is also the Entitlement ''bwcloudos_access'' that is further described in [[Entitlements in bwCloud-OS#Access Control via Entitlements|Access Control via Entitlements]].
There is also a special entitlement ''bwcloudos_access'', which determines whether a user is allowed to access the bwCloud-OS at all.
<nowiki>urn:geant:bwcloud-os.de:bwcloudos_access</nowiki>
{| class="wikitable"
{| class="wikitable"
!Entitlement
!permition
!Note
!Note
|-
|-
Line 69: Line 55:
|}
|}


== Quota flavors ==
== Eligibility ==
Every [[Projects and Quota|project]] is associated with an entitlement, making sure the project is chargeable.
 
* An eligibility is a unique combination of quota flavor, owner, and cost center.
* An eligibility can be assigned to a maximum of one project. The eligibility-project association is therefore unique.
* A limit value for BEH and validation dates may be set to restrict the duration of an eligibility.
 
=== Example Eligibility usage ===
[[File:Example_eligibiliy.png|thumb|305x305px|Example usage for eligibility by different home organizations with various users.]]
The example in the image to the left demonstrates how costs can be accumulated based on cost centers. 
=== Structure ===
Optionally, the following structure for Eli may be used to provide further information and define conditions for the quota flavor.
<quota_flavor>:<cost_center_id>[:<first_day_of_validation>:<last_day_of_validation>:<max_booking_units>]
 
=== Quota flavors ===
A project flavor specifies the maximum resources a project may receive.
 
* A quota flavor can be specified several times by using different cost centers. Each additional eligibility can be used for another project.
* A user can have several quota flavors.
 
The supported quota packages are described in the table below.
The supported quota packages are described in the table below.
{| class="wikitable"
{| class="wikitable"
Line 100: Line 105:
|User can choose the quota to be requested.
|User can choose the quota to be requested.
|}
|}
Each quota flavor is associated with resources granted to [[Projects and Quota|Projects]].
Each quota flavor is associated with resources granted to [[Projects and Quota|projects]].
{| class="wikitable"
{| class="wikitable"
|+Resources associated with each quota flavor
|+Resources associated with each quota flavor
Line 220: Line 225:
| valign="top" |*
| valign="top" |*
|}
|}
== Eligibility ==


=== Structure ===
=== Cost centers ===
Optionally, the following structure for Eli may be used to provide further information and define conditions for the quota flavor.
Cost centers are used to allocate BEH generated within projects. This string does not need to be agreed upon with us and does not need to have any meaning outside the institution.
  <cost_center_id>:<first_day_valid>:<last_day_valid>:<max_booking_units>
 
This JSON needs to be utf-8 and base64 encoded.
* A cost center can be assigned to multiple eligibilities and users.
* BEH are aggregated per cost center across all projects assigned to the cost center.
* The assignment of cost centers enables customers to pass on costs (internally).
 
=== First and last day of validation ===
Specific day in the <code>yyyy-mm-dd</code> format that allows the institute to limit the validation window for the entitlement.
 
=== Maximal number of booking units ===
Integer (<code>>0</code>), that defines the maximum number of BEH that can be generated by the associated project.
 
== Example Entitlement ==
 
==== Example 1 ====
Granting a user a request quota for a project up to the medium flavor.
  <nowiki>urn:geant:bwcloud-os.de:group:bwcloudos_medium_1:42:null:null:null</nowiki>
Interpreted as eligibility:
quota_flavor = bwcloudos_medium_1
cost_center_id = 42
first_day_of_validation = <nowiki>{{today}}</nowiki>
last_day_of_validation = inf
max_booking_units = inf


=== Detailed ===
==== Example 2 ====
Allow a user to request quota for a large project, but this is terminated up to the end of 2026 and can maximally produce <code>5000</code> booking units. All generated booking units will be charged under the bill position ''student.''
<nowiki>urn:geant:bwcloud-os.de:group:bwcloudos_large_1:student:null:2026-12-31:5000</nowiki>
Interpreted as eligibility:
quota_flavor = bwcloudos_large_1
cost_center_id = student
first_day_of_validation = <nowiki>{{today}}</nowiki>
last_day_of_validation = 31.12.2026
max_booking_units = 5000


{| class="mw-message-box mw-message-box-warning"
==== Example 3 ====
| style="vertical-align:middle;" | '''⚠️ Attention:''' Comments are not allowed by JSON and must be removed to provide a valid data structure!
A tiny project can be requested. The consumed booking units will aggregate under the position for the informatics faculty and can be used from February 2026 on for one year.
|}
<nowiki>urn:geant:bwcloud-os.de:group:bwcloudos_xtiny_1:hfu_informatics_faculty:2026-02-01:2027-02-01:null</nowiki>
{
Interpreted as eligibility:
  # Optional: Define eligibilities
quota_flavor = bwcloudos_xtiny_1
  "eligs":
  cost_center_id = hfu_informatics_faculty
  [
first_day_of_validation = 01.02.2026
    # First eligibility
last_day_of_validation = 01.02.2027
    {
  max_booking_units = inf
      # Optional: The ID/ name of your cost center. The fallback is to address this to the
      #          'home organization' of the entitlement owner.
      "cc_id": "COST_CENTER_ID",
     
      # Optional: Day with that, this eligibility starts to be valid. Default behavior is
      #          valid from day one.
      "first_val": "YYYY-MM-DD",
     
      # Optional: Day after which this eligibility is no longer valid. Default behavior is
      #          valid until removed from the entitlement of the owner.
      "last_val": "YYYY-MM-DD",
     
      # Optional: Number representing consumable booking units, after which this
      #          eligibility is no longer debitable for this user. Default behavior is
      #          unlimited.
      "max_bu": "INTEGER"
    },
   
    # Next eligibility
    {
    ...
    }
  ]
  }

Revision as of 15:04, 15 December 2025

⚠️ Please Note: This page is currently under development.
This page is about the entitlements for the bwCloud-OS NG. Please visit entitlements for bwCloud-SCOPE for the legacy information.

Entitlements in bwCloud-OS define who can access the platform (Access Control), how many resources they may use (Quota flavors), and under what conditions (Eligibility).

  • Every user owns at least the empty entitlement, even if not directly specified.

Every member of a higher education institution in Baden-Württemberg has a personal account. If the institution participates in the federated identity management system (bwIDM), its members can also apply for the external service bwCloud-OS, by providing additional information. This is handled through the assignment of eduPersonEntitlement to the user's account.

All entitlements are issued and managed by the user’s home institution and play a central role in how the platform is used and funded. These decisions are made exclusively by the user's home institution. The bwCloud-OS team has no authority to grant access or resources without an official entitlement.

In a Nutshell
    An entitlement is given to users by the home organization and corresponds to the eligibility to generate costs.

Motivation

Access Control

For registration to the bwCloud-OS several criterias need to be fulfilled.

Automated Registration

Registration and is streamlined through entitlements:

  • Entitlements are automatically evaluated during registration.
  • Users receive immediate access and resources once their entitlement is confirmed. No manual activation is required.

Reimbursement

Entitlements also help define who is financially responsible for produced booking units (BEH).

The user’s home organization is responsible for:

  • Verifying users have access to funding,
  • Defining cost centers to separate costs into different cost positions, allowing institutions to reimburse the costs internally.
  • bwCloud-OS will generate aggregated usage reports and invoices per institution—no individual billing.

Entitlement URN structure

Quota Entitlements

A quota entitlement persists out of two parts, the namespace and the identifier (eligibility): 

urn:geant:bwcloud-os.de:group:ELIGIBILITY

bzw. 

urn:geant:bwcloud-os.de:group:<quota_flavor>:<cost_center_id>[:<first_day_of_validation>:<last_day_of_validation>:<max_booking_units>]

The syntax for valid entitlement identifiers is described in the sections below.

Special Entitlements

There is also a special entitlement bwcloudos_access, which determines whether a user is allowed to access the bwCloud-OS at all. 

urn:geant:bwcloud-os.de:bwcloudos_access
permition Note
bwcloudos_access Allows the registration for the bwCloud-OS via RegApp

Eligibility

Every project is associated with an entitlement, making sure the project is chargeable.

  • An eligibility is a unique combination of quota flavor, owner, and cost center.
  • An eligibility can be assigned to a maximum of one project. The eligibility-project association is therefore unique.
  • A limit value for BEH and validation dates may be set to restrict the duration of an eligibility.

Example Eligibility usage

Example usage for eligibility by different home organizations with various users.

The example in the image to the left demonstrates how costs can be accumulated based on cost centers.

Structure

Optionally, the following structure for Eli may be used to provide further information and define conditions for the quota flavor. 

<quota_flavor>:<cost_center_id>[:<first_day_of_validation>:<last_day_of_validation>:<max_booking_units>]

Quota flavors

A project flavor specifies the maximum resources a project may receive.

  • A quota flavor can be specified several times by using different cost centers. Each additional eligibility can be used for another project.
  • A user can have several quota flavors.

The supported quota packages are described in the table below.

List of supported quota flavors
quota flavor Note
bwcloudos_empty Default case. User can’t generate costs.
bwcloudos_tiny_1
bwcloudos_xtiny_1
bwcloudos_medium_1
bwcloudos_xmedium_1
bwcloudos_large_1
bwcloudos_xlarge_1
bwcloudos_custom User can choose the quota to be requested.

Each quota flavor is associated with resources granted to projects.

Resources associated with each quota flavor
Entitlement instances cores ram_gb volumes volumes_gb backups backups_gb networks subnets routers floating_ips
bwcloudos_empty 0 0 0 0 0 0 0 0 0 0 0
bwcloudos_tiny_1 1 1 1 10 100 30 300 10 10 1 0
bwcloudos_xtiny_1 2 2 2 10 100 30 300 10 10 1 0
bwcloudos_medium_1 4 4 4 20 200 60 600 10 10 1 1
bwcloudos_xmedium_1 8 8 8 20 200 60 600 10 10 1 1
bwcloudos_large_1 16 16 16 40 400 120 1200 20 20 2 2
bwcloudos_xlarge_1 32 32 32 40 400 120 1200 20 20 2 2
bwcloudos_custom * * * * * * * * * * *

Cost centers

Cost centers are used to allocate BEH generated within projects. This string does not need to be agreed upon with us and does not need to have any meaning outside the institution.

  • A cost center can be assigned to multiple eligibilities and users.
  • BEH are aggregated per cost center across all projects assigned to the cost center.
  • The assignment of cost centers enables customers to pass on costs (internally).

First and last day of validation

Specific day in the yyyy-mm-dd format that allows the institute to limit the validation window for the entitlement.

Maximal number of booking units

Integer (>0), that defines the maximum number of BEH that can be generated by the associated project.

Example Entitlement

Example 1

Granting a user a request quota for a project up to the medium flavor. 

urn:geant:bwcloud-os.de:group:bwcloudos_medium_1:42:null:null:null

Interpreted as eligibility: 

quota_flavor = bwcloudos_medium_1
cost_center_id = 42
first_day_of_validation = {{today}}
last_day_of_validation = inf
max_booking_units = inf

Example 2

Allow a user to request quota for a large project, but this is terminated up to the end of 2026 and can maximally produce 5000 booking units. All generated booking units will be charged under the bill position student. 

urn:geant:bwcloud-os.de:group:bwcloudos_large_1:student:null:2026-12-31:5000

Interpreted as eligibility: 

quota_flavor = bwcloudos_large_1
cost_center_id = student
first_day_of_validation = {{today}}
last_day_of_validation = 31.12.2026
max_booking_units = 5000

Example 3

A tiny project can be requested. The consumed booking units will aggregate under the position for the informatics faculty and can be used from February 2026 on for one year. 

urn:geant:bwcloud-os.de:group:bwcloudos_xtiny_1:hfu_informatics_faculty:2026-02-01:2027-02-01:null

Interpreted as eligibility: 

quota_flavor = bwcloudos_xtiny_1
cost_center_id = hfu_informatics_faculty
first_day_of_validation = 01.02.2026
last_day_of_validation = 01.02.2027
max_booking_units = inf
Retrieved from "https://wiki.bwcloud-os.de/index.php?title=Entitlements_in_bwCloud-OS&oldid=1553"