
The rules of participation define who has the authority to decide, and to suspend or cut off participants, in case the 'regular' processes break down. While the initial thoughts may revolve around security incidents and who has been granted the 'power' to intervene and stop the incident, there are other times when you need that control, and that control can be either inclusive or exclusive. For example, if by standard processes former employees of an organisation are removed from the groups and their roles revoked, there may be good reasons to keep a specific person 'in the collaboration' for a while longer. Who can then trigger a hardship clause in the rules of participation? And if there is no such clause, who is authorised to help? If a collaboration breaks up, or essential rules are violated, who can suspend access, and is there a process?

A hardship clause also helps to retain proper documentation for any exceptions, instead of policy being silently bypassed. Some examples are provided below.

Make sure all of them can access and understand your policies and processes, can work with you when you execute procedures for incident response, and engage with Sirtfi and security readiness exercises. 

Hardship clause examples

"Where the enrolment or approval process described leads to obvious injustice and hardship due to an implementation of the process being unduly hard, a time-limited and documented exception may be implemented after the explicit approval at the appropriate level of Management.
Any such exception must be followed up by immediate and concrete steps to address the deficiencies created within a limited time period commensurate with the discrepancy induced.
The invocation of the hardship clause MUST not compromise the integrity or trustworthiness of the system with respect to any participants."

"In exceptional circumstances it may be necessary for participants to take emergency action in response to some unforeseen situation which may violate some aspect of this policy for the greater good of pursuing or preserving legitimate e-Infrastructure objectives. If such a policy violation is necessary, the exception should be minimised, documented, time-limited and authorised at the highest level of the Management commensurate with taking the emergency action promptly, and the details notified to the e-Infrastructure Security Officer at the earliest opportunity" (WLCG and EGI top-level policy)

How does escalation fit into an AARC BPA compliant infrastructure?

The AAI is used to grant and revoke access to resources, and the decisions taken during escalation have to be effectuated in the AAI at the appropriate layer. Often that is in the collaboration platform or at the infrastructure layer.

Resources