Entitlements in bwCloud-OS

From bwCloud-OS
Revision as of 16:38, 15 December 2025 by As1844 (talk | contribs)
Jump to navigation Jump to search
⚠️ Please Note: This page is currently under development.
This page is about the entitlements for the bwCloud-OS NG. Please visit entitlements for bwCloud-SCOPE for the legacy information.

Entitlements in bwCloud-OS define who can access the platform (Access Control), how many resources they may use (Quota flavors), and under what conditions (Eligibility).

  • Every user owns at least the empty entitlement, even if not directly specified.

Every member of a higher education institution in Baden-Württemberg has a personal account. If the institution participates in the federated identity management system (bwIDM), its members can also apply for the external service bwCloud-OS, by providing additional information. This is handled through the assignment of eduPersonEntitlement to the user's account.

All entitlements are issued and managed by the user’s home institution and play a central role in how the platform is used and funded. These decisions are made exclusively by the user's home institution. The bwCloud-OS team has no authority to grant access or resources without an official entitlement.

In a Nutshell
    An entitlement is given to users by the home organization and corresponds to the eligibility to generate costs.

Motivation

Access Control

For registration to the bwCloud-OS several criterias need to be fulfilled.

Automated Registration

Registration and is streamlined through entitlements:

  • Entitlements are automatically evaluated during registration.
  • Users receive immediate access and resources once their entitlement is confirmed. No manual activation is required.

Reimbursement

Entitlements also help define who is financially responsible for produced booking units (BEH).

The user’s home organization is responsible for:

  • Verifying users have access to funding,
  • Defining cost centers to separate costs into different cost positions, allowing institutions to reimburse the costs internally.
  • bwCloud-OS will generate aggregated usage reports and invoices per institution—no individual billing.

Entitlement URN structure

Quota Entitlements

A quota entitlement persists out of two parts, the namespace and the identifier (eligibility): 

urn:geant:bwcloud-os.de:group:ELIGIBILITY

bzw. 

urn:geant:bwcloud-os.de:group:<quota_flavor>:<cost_center_id>[:<first_day_of_validation|null>:<last_day_of_validation|null>:<max_booking_units|null>]

The syntax for valid entitlement identifiers is described in the sections below.

Special Entitlements

There is also a special entitlement bwcloudos_access, which determines whether a user is allowed to access the bwCloud-OS at all. 

urn:geant:bwcloud-os.de:bwcloudos_access
permition Note
bwcloudos_access Allows the registration for the bwCloud-OS via RegApp

Eligibility

Every project is associated with an entitlement, making sure the project is chargeable.

  • An eligibility is a unique combination of quota flavor, owner, and cost center.
  • An eligibility can be assigned to a maximum of one project. The eligibility-project association is therefore unique.
  • A limit value for BEH and validation dates may be set to restrict the duration of an eligibility.

Example Eligibility usage

Example usage for eligibility by different home organizations with various users.

The example in the image to the left demonstrates how costs can be accumulated based on cost centers.

Structure

Optionally, the following structure for Eli may be used to provide further information and define conditions for the quota flavor. 

<quota_flavor>:<cost_center_id>[:<first_day_of_validation|null>:<last_day_of_validation|null>:<max_booking_units|null>]

Quota flavors

A project flavor specifies the maximum resources a project may receive.

  • A quota flavor can be specified several times by using different cost centers. Each additional eligibility can be used for another project.
  • A user can have several quota flavors.

The supported quota packages are described in the table below.

List of supported quota flavors
quota flavor Note
bwcloudos_empty Default case. User can’t generate costs.
bwcloudos_tiny_1
bwcloudos_xtiny_1
bwcloudos_medium_1
bwcloudos_xmedium_1
bwcloudos_large_1
bwcloudos_xlarge_1
bwcloudos_custom User can choose the quota to be requested.

Each quota flavor is associated with resources granted to projects.

Resources associated with each quota flavor
Entitlement instances cores ram_gb volumes volumes_gb backups backups_gb networks subnets routers floating_ips
bwcloudos_empty 0 0 0 0 0 0 0 0 0 0 0
bwcloudos_tiny_1 1 1 1 10 100 30 300 10 10 1 0
bwcloudos_xtiny_1 2 2 2 10 100 30 300 10 10 1 0
bwcloudos_medium_1 4 4 4 20 200 60 600 10 10 1 1
bwcloudos_xmedium_1 8 8 8 20 200 60 600 10 10 1 1
bwcloudos_large_1 16 16 16 40 400 120 1200 20 20 2 2
bwcloudos_xlarge_1 32 32 32 40 400 120 1200 20 20 2 2
bwcloudos_custom * * * * * * * * * * *

Cost centers

Cost centers are used to allocate BEH generated within projects. This string does not need to be agreed upon with us and does not need to have any meaning outside the institution.

  • A cost center can be assigned to multiple eligibilities and users.
  • BEH are aggregated per cost center across all projects assigned to the cost center.
  • The assignment of cost centers enables customers to pass on costs (internally).

First day of validation

Specific day in the yyyy-mm-dd format that allows the institute to limit the validation window for the entitlement. If thes date is not given or null, the following default behavior is: Eligibility is valid from the current day on.

  • Last day of validation: Eligibility is forever valid.

Last day of validation

Specific day in the yyyy-mm-dd format that allows the institute to limit the validation window for the entitlement. If the date is not given or null, the following default behavior is: Eligibility is forever valid.

Maximal number of booking units

Integer (>0), that defines the maximum number of BEH that can be generated by the associated project. If the number is not given or null, the default behavior is: Eligibility is forever valid.

Example Entitlement

Example 1

Granting a user a request quota for a project up to the medium flavor. 

urn:geant:bwcloud-os.de:group:bwcloudos_medium_1:42

Interpreted as eligibility: 

quota_flavor = bwcloudos_medium_1
cost_center_id = 42
first_day_of_validation = {{today}}
last_day_of_validation = inf
max_booking_units = inf

Example 2

Allow a user to request quota for a large project, but this is terminated up to the end of 2026 and can maximally produce 5000 booking units. All generated booking units will be charged under the bill position student. 

urn:geant:bwcloud-os.de:group:bwcloudos_large_1:student:null:2026-12-31:5000

Interpreted as eligibility: 

quota_flavor = bwcloudos_large_1
cost_center_id = student
first_day_of_validation = {{today}}
last_day_of_validation = 31.12.2026
max_booking_units = 5000

Example 3

A xtiny project can be requested. The consumed booking units will aggregate under the position for the informatics faculty and can be used from February 2026 on for one year. 

urn:geant:bwcloud-os.de:group:bwcloudos_xtiny_1:hfu_informatics_faculty:2026-02-01:2027-02-01:null

Interpreted as eligibility: 

quota_flavor = bwcloudos_xtiny_1
cost_center_id = hfu_informatics_faculty
first_day_of_validation = 01.02.2026
last_day_of_validation = 01.02.2027
max_booking_units = inf

Example 4

urn:geant:bwcloud-os.de:group:bwcloudos_xmedium_1:hfu_informatics_faculty:null:null:1000000

Interpreted as eligibility: 

quota_flavor = bwcloudos_xtiny_1
cost_center_id = hfu_informatics_faculty
first_day_of_validation = {{today}}
last_day_of_validation = inf
max_booking_units = 1000000
Retrieved from "https://wiki.bwcloud-os.de/index.php?title=Entitlements_in_bwCloud-OS&oldid=1557"