...
Why? You realise you need to enforce a policy only once things do not 'go as planned' - and having the discussion on acceptance at that point is rather late. And how can users, for instance, know what they are allowed to do with the research data, or when to ask membership management for additional roles and group membership?

Recommendation: the Policy Development Kit identifies five different 'audiences': governance, your users, the users' home organisations and identity providers, the AAI management of the collaboration, and the infrastructures and service providers that control and host data, computing capacity, and the data transfer networks. Make sure all of them can access and understand your policies and processes, can work with you when you execute procedures for incident response, and engage with Sirtfi and security readiness exercises.

Applicable guidance: AARC-G083 on notice management, WISE Baseline AUP and AARC-I044, Privacy Notices, REFEDS DP CoCo v2, membership management
Publish your documents and responsible parties at a suitable location

Why? Presenting policies and practices is one thing, but the AARC Blueprint Architecture also introduced a (chain of) AAI platforms or 'proxies' that augment, translate, or otherwise munge information about users and 'sources of authority'. Both for authentication sources and for service providers, it places intermediates in the chain of trust, and the longer the chain is, the more this trust will be diluted. Transparency through documentation helps retain that trust, and at the same time makes it easier for the collaboration to engage with its users about the AAI. If identity is not bound to the user but to the user's home organisation (employer, university), the home organisation may be reluctant to make any claims for the authentication, even trivial ones like name and email address (the 'personalised access' attributes that are foundational for research and scholarship), or may refuse to take part in authentication at all.

Recommendation: publish your policies, and especially your contact information, in a place where users, relying parties, and home organisations can find it. If you chose a DNS-based community name, and you can resolve the domain name to point to a web site, that is a good place to present this information. And if confidentiality is needed, you may have your own AAI to help you!

Applicable guidance: AARC-G071 (AAOPS), your web team ... and your governance structure, AARC-G083 on notice management, REFEDS Research and Scholarship, REFEDS Personalised Access
...