VOMS User Expiry

From GridPP Wiki

This page is an attempt to explain the membership expiration behaviour of VOMS admin. The base document is aimed at the current EMI-2 release of VOMS admin (2.7.0-1), but (hopefully) will be updated with changes for newer versions in the future.

It's a work in progress.

User Expiry

VOMS uses two different means of keeping VO membership information up-to-date:

If either case is not handled correctly then the user gets suspended.

The reasoning behind membership expiration is to force VO admins to keep the user list in their VO up-to-date. In the past, VO memberships have rarely been updated: many VO admins have added new users but have failed to remove users who had left the VO. For big VOs it is a hard, if not impossible, task for VO admins to keep track of all users, and membership expiration is aimed at helping them with this task.

AUP Signing

AUP signing is a mostly user-driven process: a user has to sign the AUP of the VO once a year (by default; this can be changed by VO admins). In doing so the user states that he is still willing to adhere to the AUP and that he has the right to be a member of the VO (e.g. by still being a member of the project associated with the VO). The membership of users who fail to sign the AUP is suspended, but they can re-activate it by signing the AUP. Users are notified when they have to re-sign the AUP (see AUP notifications). VO admins are not directly involved in the recurring signing of AUPs, apart from having to go through the same process themselves because they are VO members as well.

VO admins are notified when a user is suspended (see Suspension notifications). They do not have to take any action at this stage, but should consider contacting users who have not signed the AUP in a long time and removing them from the VO if possible.

Another aspect of AUP signing is the handling of AUPs. VO admins can update the AUP of the VO. When they activate a new AUP then all users have to sign it. VO admins can force a single or all users to sign the current AUP again if they wish.

Membership Expiration

VO membership expiration is handled by the VO admins. Users are not involved or affected unless they get suspended because the VO admins did not extend the membership. The membership of every user expires one year (by default, can be changed by the server admin if requested by the VO manager) after the last membership extension. The VO admins are notified which users are expired or are about to expire (see Membership Expiry Notifications).
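
The two clocks described in the AUP Signing and Membership Expiration sections can be modelled to show who has to act for each user. This is an example added here, not VOMS admin code: the record layout, the 365-day reading of "one year", the 30-day warning window and the sample DNs are all assumptions.

```python
from datetime import date, timedelta

# Assumptions (this is not VOMS admin code): "one year" is modelled as 365
# days, both periods are at their defaults, and the record layout and the
# 30-day warning window are invented for this example.
AUP_PERIOD = timedelta(days=365)
MEMBERSHIP_PERIOD = timedelta(days=365)
WARN = timedelta(days=30)

def audit(users, today, aup_activated):
    """Map each user needing attention to a list of (issue, who_must_act)."""
    report = {}
    for u in users:
        issues = []
        signed = u["aup_signed"]
        # A signature that predates the active AUP no longer counts.
        if signed is None or signed < aup_activated:
            issues.append(("aup-signature-required", "user"))
        elif today >= signed + AUP_PERIOD:
            issues.append(("aup-signature-expired", "user"))
        # Membership runs from the last extension made by a VO admin.
        end = u["last_extension"] + MEMBERSHIP_PERIOD
        if today >= end:
            issues.append(("membership-expired", "vo-admin"))
        elif today >= end - WARN:
            issues.append(("membership-expiring", "vo-admin"))
        if issues:
            report[u["dn"]] = issues
    return report

# Constructed sample records; the DNs are placeholders.
USERS = [
    {"dn": "/C=XX/O=Example/CN=alice", "aup_signed": date(2013, 3, 1),
     "last_extension": date(2013, 3, 1)},
    {"dn": "/C=XX/O=Example/CN=bob", "aup_signed": date(2012, 1, 10),
     "last_extension": date(2013, 2, 1)},
    {"dn": "/C=XX/O=Example/CN=carol", "aup_signed": date(2013, 2, 1),
     "last_extension": date(2012, 5, 1)},
    {"dn": "/C=XX/O=Example/CN=dave", "aup_signed": date(2012, 3, 1),
     "last_extension": date(2012, 4, 1)},
]

if __name__ == "__main__":
    result = audit(USERS, today=date(2013, 4, 15), aup_activated=date(2012, 2, 1))
    for dn, issues in result.items():
        print(dn, issues)
```

A user with both an expired AUP signature and an expired membership, like the last sample record, stays suspended until both the user and a VO admin have acted.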