Slávek Licehammer & Pavel BřoušekCESNET
GN4-3 project team
Jan PavlíčekCESNETDeveloper, TIM student
Pavel BřoušekCESNETMentor



Slávek LicehammerCESNETStakeholder

Activity overview


The primary goal of the Authentication and Authorization Infrastructure (AAI) is to provide centralized authentication and authorization mechanisms. In an environment based on the AAI, one of such authorization rules might be fulfilling the policy requirements, set i.e. in an AUP document defined by the community, service provider, or organizational unit. In general, when the resource owner or provider decides that a specific policy has to be enforced when the resource is used, AAI needs to provide a mechanism for both sides to manage and fulfill this requirement. These rules need to cover several cases, i.e. a situation of actively using the resource (i.e. web-based service login), as well as just-in-case scenarios, like the data provisioning.

Activity goals

This topic aims to explore the area of enforcing acceptance of Acceptable Use Policies as an activity of managing access to resources. We like to understand which parties (e.g. user communities, e-infrastructures, resource owners, …) need to be involved in the process and how to combine their requirements together. Based on the analysis we will develop a web-based application which will provide tools to manage AUPs on a central level (within the AAI) and let users approve (whilst recording this act) such a policy document.

Activity Details

Technical details

The outcome should be a web application consisting of several modules. The first part will provide tools for resource owners to define the policies. The second module will serve users for approving the policy requirements. Another module will act as an integration point of this component into the AAI environment, i.e. by providing an API to query whether the policy authorization requirements have been satisfied.

Business case

From the resource owner's point of view, they need to have tools to set up policy enforcement. On the other end of the process, a user using the resource needs to be able to mark the fulfillment of such a requirement, i.e. by making a claim of accepting the AUP document contents and promising to follow the rules described in the document.

  • application is not finished in time
  • application cannot be integrated with a popular identity management system

Data protection & Privacy

There is almost no user data directly handled by the application. Authentication will be abstracted by OIDC, only user identifier (OIDC sub claim) will be handled.

Definition of Done (DoD)
  • web app allows management (creation and editing) of AUP texts
  • API provides a way to retrieve and approve AUPs
  • user- or admin-facing parts are internationalized
  • app is integrated with at least one identity management system


The final product will be tested as a part of the Life Sciences AAI (LS AAI), utilising the Proxy Identity Provider (SaToSa) and the Identity Management System (Perun) as the integration points.

Activity Results





July 20, 2022

Kickoff meeting

Niels van Dijk
October 25, 2022Public demoNiels van Dijk
December 15, 2022Final demoNiels van Dijk

  • No labels