...

Define or adopt as-is the basic set of six policy documents for collaboration - and seek endorsement by your governance body

Why? This basic set of 6 documents helps you assemble a sufficient set of collaboration guidelines quickly - you can always adapt them later.

Recommendation: these are the documents you will certainly need - or that you need to ask for from your AAI provider:

Applicable guidance: REFEDS privacy notice, UK-IRIS example privacy notice, EOSC, UK-IRIS security policies, AARC-I051 "federated incident response procedure"

...

Ensure that the policies are presented to and accepted by the relevant audiences

Why? You realise you need to enforce a policy only once things do not 'go as planned' - and having the discussion on acceptance at that point is rather late. And how else can users, for instance, know what they are allowed to do with the research data, or when to ask membership management for additional roles and group memberships?

Recommendation: the Policy Development Kit identifies five different 'audiences': governance, your users, the user home organisations and identity providers, the AAI management of the collaboration, and the infrastructures and service providers that control and host data, computing capacity, and the data transfer networks. Make sure all of them can access and understand your policies and processes, can work with you when you execute procedures for incident response, and engage with Sirtfi and security readiness exercises.
Notice Management helps to communicate with users in a coordinated way, and prevents needless pop-ups that interrupt their workflow. If you engage an AAI service provider, they may be able to help with communication.
If you used a DNS name for your community, and you can resolve the domain name to point to a web site, that is a great place to present your collaboration and to provide questions & answers as well as contact details.

Applicable guidance: AARC-G083 on notice management, WISE Baseline AUP and AARC-I044, Privacy Notices, REFEDS DP CoCo v2, membership management

Publish your documents and responsible parties at a suitable location

Why? Presenting policies and practices is one thing, but the AARC Blueprint Architecture also introduced a (chain of) AAI platforms or 'proxies' that augment, translate, or otherwise munge information about users and 'sources of authority'. Both for authentication sources and for service providers, it places intermediaries in the chain of trust, and the longer the chain is, the more this trust will be diluted. Transparency through documentation can help retain that trust, and at the same time makes it easier for the collaboration to engage with the users regarding the AAI. If identity is not bound to the user but to the user's home organisation (employer, university), the home organisation may be reluctant to make any claims for the authentication, even for trivial ones like name and email address (the 'personalised access' attributes that are foundational for research and scholarship), or may refuse to partake in authentication at all.

Recommendation: publish your policies, but especially your contact information, in a place where users, relying parties, and home organisations can find it. If you chose a DNS-based community name, and you can resolve the domain name to point to a web site, that is a good place to present this information. And if confidentiality is needed, you may have your own AAI to help you!

Applicable guidance: AARC-G071 (AAOPS), AARC-G083 on notice management, REFEDS Research and Scholarship, REFEDS Personalised Access

...

[Image map: P3DK-arrowed-authNSources.drawio.png (Policy Development Kit version 2), with clickable areas linking to: WISE Baseline AUP guidance; Attribute authorities and membership services guidance; Manage your community members; Operational Security for your services; Security for your services; Incident Response collaboration; Service Levels and data classification; Incident response procedure; Sirtfi trust framework; Privacy (for collaborations); Notice Management presentation (for collaborations)]

Referenced pages: WISE AUP; Attribute Authority Operational Security; Membership Management; Security Operational Baseline; SIRTFI; Service Levels and Data Classification (the "IAC" or "CIA" triad); Incident Response Procedure; REFEDS DP CoCo (the REFEDS Data Protection Code of Conduct); Notice Management (presentation)

...