
Access to Protected ATLAS Information and Global Mailing Lists

Introduction

This site provides information about Information Protection in ATLAS and the way it is implemented through the eGroups mechanism. It also describes the way global and institute mailing lists are derived from the ATLAS Members database in Glance.

Policy

As stated by the ATLAS Collaboration Board the information policy of ATLAS is:

Information protection is the responsibility of every member of ATLAS. Everyone is responsible for complying with the rules of the experiment, which are that physics results not yet approved must not be propagated outside the Collaboration.

It's the responsibility of the ATLAS Information Protection Officer to provide tools to enable ATLAS members to easily uphold their responsibilities, and to promote an awareness of possible protection issues.

Background

ATLAS Information Protection concerns several services. It is intended to limit the access to these services to only ATLAS qualified personnel. The protection is based on two main principles:

  1. Authentication: At CERN "Authentication" is based on the Single Sign On (SSO) authentication service. To be authenticated you need to have a valid CERN account or a valid certificate.
  2. Authorization: Access to the protected information is granted to the members of an ATLAS group to which the "authorization" has been granted.

Access Groups

Unix services

All ATLAS members should have an active CERN account in the zp (ATLAS) unix group. Normally this account is created when people first register at CERN and in ATLAS. If people already have a CERN account that is associated to a different group before joining ATLAS, they will receive (only once) a reminder to ask the administrators of their old group to remove their account from it; then it will be automatically added to the zp group.

The zp unix group is synchronised with the zp egroup. A script periodically checks the zp egroup against the ATLAS Members database in Glance, adds new people and their accounts, and removes people when they leave ATLAS.

The zp group grants read access to common ATLAS areas in the CERN file systems AFS and EOS.

Global Information

Currently the following services hold protected information:

For "Detector and Upgrade" areas authorization is granted to:

  • All ATLAS active members.

All end dates of ATLAS registrations are increased by 30 days (the "grace period") to allow for contract renewal and changes of institutes. ATLAS members can access this information by being members of egroup "atlas-readaccess-active-members".

Physics Information

Currently the following services hold protected information:

For "Physics and Performance" areas authorization is granted to:

  • ATLAS members qualified to sign the ATLAS publications (ATLAS authors).
  • ATLAS members in the process of becoming an ATLAS author (who started their qualification period).
  • Physicists who joined ATLAS in the last 90 days, were not ATLAS members in the previous year, and need to search for a qualification task.
  • Physics students working for ATLAS.

All end dates of ATLAS registrations are increased by 30 days (the "grace period") to allow for contract renewal and changes of institutes. ATLAS physicists can access this information by being members of egroup "atlas-readaccess-current-physicists".

Computing Information

Currently the following services hold protected information:

For "Software and Computing" areas authorization is granted to:

  • ATLAS active members.
  • Members of external teams supporting ATLAS computing operations.

All end dates of ATLAS registrations are increased by 30 days (the "grace period") to allow for contract renewal and changes of institutes. ATLAS members can access this information by being members of egroup "atlas-readaccess-twiki-computing".
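The authorization rules of the three sections above, written out as an added example (not the ATLAS synchronisation script). The Member record layout, the reading of "not ATLAS members in the previous year" and the sample dates are assumptions made for illustration; external computing teams and the exceptions groups are left out.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

GRACE = timedelta(days=30)      # "grace period" added to every registration end date
NEWCOMER = timedelta(days=90)   # window for physicists still looking for a qualification task

@dataclass
class Member:                   # hypothetical record layout, not the Glance schema
    start: date                 # start of the current ATLAS registration
    end: date                   # registered end date, before the grace period
    author: bool = False        # qualified to sign ATLAS publications
    qualifying: bool = False    # qualification period has started
    physicist: bool = False
    physics_student: bool = False
    previous_end: Optional[date] = None  # end of an earlier registration, if any

def is_active(m: Member, today: date) -> bool:
    return m.start <= today <= m.end + GRACE

def is_newcomer(m: Member, today: date) -> bool:
    # Assumption: "not a member in the previous year" means no earlier
    # registration ended within 365 days before the current one started.
    lapsed = m.previous_end is None or m.start - m.previous_end > timedelta(days=365)
    return m.physicist and today - m.start <= NEWCOMER and lapsed

def readaccess_egroups(m: Member, today: date) -> set:
    groups = set()
    if is_active(m, today):
        # Every active member gets the "Detector and Upgrade" and computing areas.
        groups |= {"atlas-readaccess-active-members", "atlas-readaccess-twiki-computing"}
        if m.author or m.qualifying or m.physics_student or is_newcomer(m, today):
            groups.add("atlas-readaccess-current-physicists")
    return groups

TODAY = date(2024, 3, 20)       # constructed evaluation date
SAMPLE = {                      # constructed records, not real people
    "author_in_grace": Member(date(2015, 1, 1), date(2024, 3, 1), author=True),
    "author_expired": Member(date(2015, 1, 1), date(2024, 2, 1), author=True),
    "newcomer": Member(date(2024, 1, 15), date(2026, 1, 14), physicist=True),
    "returning": Member(date(2024, 2, 1), date(2026, 1, 31), physicist=True,
                        previous_end=date(2023, 9, 30)),
}

if __name__ == "__main__":
    for name, m in SAMPLE.items():
        print(name, sorted(readaccess_egroups(m, TODAY)))
```

The expired author shows why the grace period matters for access reviews: membership ends 30 days after the registered end date, not on it.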

Public Information

Currently the following services hold open information:

For the "Public" areas read access is granted to everybody.

Bottom line

Most of ATLAS information is protected.

E-groups for Mailing

Global Lists

Three global egroups to be used for mailing news and other information by ATLAS management are created in parallel with the "readaccess" egroups:

  • atlas-active-members contains the same people as in atlas-readaccess-active-members, but with only one email address per person (the one derived from the Glance database)
  • atlas-current-physicists contains the same people as in atlas-readaccess-current-physicists, but with only one email address per person (the one derived from the Glance database)
  • atlas-ecsb-students contains the email addresses registered in the Glance database for all students, of all kinds, in ATLAS. People can opt out by subscribing to egroup atlas-ecsb-students-unsubscribe.

The purpose of these egroups is to allow posting to only one address per person. The "readaccess" egroups include both the address in the CERN database and the one in the Glance database, in case they differ, plus all secondary accounts associated to group zp; they can be used to grant posting rights to multiple email addresses for each person.

Institute and Country Lists

A set of egroups is built and kept synchronised with the contents of the Glance membership database:

  • atlas-inst-<country>-<institute>-active-members
  • atlas-inst-<country>-<institute>-current-physicists
  • atlas-inst-<country>-<institute>-students

where <country> is the 2-letter internet country code, and <institute> is the "institute short name" as defined in Glance (with spaces removed). They contain the email addresses registered in Glance. These egroups can be used to mail all members of an institute; posting rights are granted to all ATLAS members of the same country plus ATLAS management for global postings.

A corresponding set of egroups is built and kept synchronised with the contents of the Glance membership database:

  • atlas-inst-<country>-<institute>-access-active-members
  • atlas-inst-<country>-<institute>-access-current-physicists
  • atlas-inst-<country>-<institute>-access-students

They contain the email addresses registered in Glance, plus the primary accounts of all members, and their secondary accounts if they are included in the zp unix group. These egroups can be used to grant access to restricted indico and twiki areas. They should not be used for mailing, as they may contain multiple entries for each person.

The precise institute egroup names are listed in the left vertical bar of each institute's page in Glance.

In addition, container egroups are built for each country:

  • atlas-inst-<country>-all-active-members
  • atlas-inst-<country>-all-current-physicists
  • atlas-inst-<country>-all-students
  • atlas-inst-<country>-all-access-active-members
  • atlas-inst-<country>-all-access-current-physicists
  • atlas-inst-<country>-all-access-students

Each one contains the static list of all institutes in the given country. They have the same properties as the egroups they are built from.

NB: CERN and JINR are international organisations, so they are treated as countries as well as institutes.

The global egroups are built from the union of the corresponding egroups for each country:

  • atlas-inst-all-all-active-members
  • atlas-inst-all-all-current-physicists
  • atlas-inst-all-all-students
  • atlas-inst-all-all-access-active-members
  • atlas-inst-all-all-access-current-physicists
  • atlas-inst-all-all-access-students

Finally, these egroups are used to populate the atlas-[readaccess-][active-members|current-physicists|students] egroups.
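The naming scheme above can be checked mechanically. The following added example (not ATLAS code) parses an institute-style egroup name and flags access-control egroups that appear as mail recipients, following the page's statement that they should not be used for mailing. The function names and the sample names with country "xx" and institute "ExampleInst" are constructed, and accepting any run of letters as <country> is an assumption made to cover CERN and JINR.

```python
import re

# Pattern from the page: atlas-inst-<country>-<institute>[-access]-<population>
INST = re.compile(
    r"^atlas-inst-(?P<country>[A-Za-z]+)-(?P<institute>.+?)"
    r"(?P<access>-access)?-(?P<population>active-members|current-physicists|students)$"
)

def parse_inst_egroup(name):
    """Return the fields of an institute-style egroup name, or None if it does not match."""
    m = INST.match(name)
    if m is None:
        return None
    country, institute = m["country"], m["institute"]
    if institute == "all":
        # "all" as institute marks a container: per country, or global for all-all.
        level = "global" if country == "all" else "country"
    else:
        level = "institute"
    return {
        "level": level,
        "country": country,
        "institute": institute,
        "population": m["population"],
        "purpose": "access" if m["access"] else "mailing",
    }

def access_groups_used_for_mail(recipients):
    """Return the recipients that are access-control egroups.

    These hold several addresses and accounts per person, so mail sent
    to them can reach the same person more than once.
    """
    flagged = []
    for r in recipients:
        info = parse_inst_egroup(r)
        if r.startswith("atlas-readaccess-") or (info and info["purpose"] == "access"):
            flagged.append(r)
    return flagged

if __name__ == "__main__":
    # Constructed recipient list for illustration.
    print(access_groups_used_for_mail([
        "atlas-inst-xx-ExampleInst-students",
        "atlas-inst-xx-ExampleInst-access-students",
        "atlas-readaccess-active-members",
    ]))
```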

Technicalities

The list of authorized members is derived from the ATLAS Authdb database in Glance, also called ATLAS Members Database. The script that takes information from the Glance database and updates the egroups runs four times each day. Once the egroups are updated, it may still take several hours before all CERN services synchronise their access rights.

Within the Atlas TWiki, four webs exist in parallel, with different protection mechanisms. More information can be found in this page: AtlasTWikiProtectionMechanisms. All pages with additional protection mechanisms can be found on this (protected) page: AtlasWebProtectedPagesList

  • Atlas: Access is granted to "atlas-readaccess-active-members".
  • AtlasComputing: Access is granted to "atlas-readaccess-twiki-computing".
  • AtlasProtected: Access is granted to "atlas-readaccess-current-physicists".
  • AtlasPublic: is not protected.

ATLAS Members Database

Access to the information stored in the ATLAS Authorship database is available through the Glance web interface.

The technical description of the contents of the ATLAS Authorship database is given in the document ATLAS author list database implementation.

Information about your accounts at CERN is available here:

You can check to which groups you belong in using the:

Who else can access the protected information?

Access rights have been granted to some people who don't pass the above criteria. One example is ATLAS collaborators who formally retired but did not leave the collaboration and are still involved in analysis or other activities. A list of such people is maintained by the Spokesperson together with the Chair of the Physics Office. These people are members of an "exceptions" group. To be added to this group, a request has to be sent to the Spokesperson.

In addition, read access to several non-Physics Indico and twiki pages is granted to non-ATLAS members working with the collaboration. "External" groups have been created:

  • ATLAS External Computing (a-e-c).
  • ATLAS External Technical (a-e-t).
  • ATLAS External Operation (a-e-o).

To become a member of one of these groups, send a mail to atlas.info-protection@cern.ch. The request will have to be approved by the relevant activity coordinator.

CERN staff who provide technical help for ATLAS are listed in egroup atlas-active-members-exceptions-cern, maintained by the CERN ATLAS Team Leader. This egroup is included in atlas-[readaccess-]active-members.

Information Protection Officer (IPO)

The mandate as defined by the Collaboration Board is here. The Information Protection Officer was Gilbert Poulard until October 2011 and has been Dario Barberis since November 2011.


Major updates:
-- NirAmram - 09 Sep 2008 -- GilbertPoulard - 08 Apr 2009 -- GilbertPoulard - 03 Mar 2010 -- DarioBarberis - 2018-11-01 -- DarioBarberis - 2023-12-13 -- DarioBarberis - 2024-03-20

Responsible: DarioBarberis
Last reviewed by: DarioBarberis - 2024-03-20

Topic attachments

  • IPO-MANDATE.pdf (r1, 55.7 K, 2008-09-18 15:58, GilbertPoulard): Mandate of the ATLAS Information Protection Officer
Topic revision: r61 - 2024-04-04 - DarioBarberis