Pilot
This is still in the pilot phase. Please contact us via the SURF Service Desk for more information.
Introduction
SURF Research Access Management (SRAM) facilitates cross-institution collaboration and enables secure access to research resources and services. A collaboration (CO) within SRAM links researchers to services and determines who can access what. People can be invited to a collaboration via SRAM. Groups within a collaboration can be used for authorization in the services.
Within SRAM, the Research Drive service can be linked. When this service is linked to the Collaboration (CO), the CO groups will be created on Research Drive.
Note that the groups are not created on all Research Drive environments, only on the Research Drive environments to which the members of the group belong.
Required
The following steps need to be in place in SRAM before you can start testing:
- Create a collaboration or be part of a collaboration in SRAM
- Link "SURF Research Drive Production" as a service to the CO (See above screenshot). You can ask the CO admin for this.
- Add users to the collaboration and make groups
Also, the federated group sharing app must be enabled at the Research Drive instance of the institutes. This is enabled for institutes that join the pilot.
Pilot phase
Currently the SRAM integration is enabled for the Research Drive environments of the following institutes:
- Universiteit van Amsterdam
- Hogeschool van Amsterdam
- Vrije Universiteit Amsterdam
- KNAW
- Hogeschool Utrecht
If your branded environment is not listed here, you can use the integration too, but you will be invited for an account on the SURF Research Drive Community edition.
Operation
In SRAM, all users are in one database, whereas on Research Drive the users are spread over multiple Research Drive environments.
For example, a user from the University of Amsterdam has an account on the UvA Research Drive environment, while a user from the Vrije Universiteit Amsterdam has an account on the VU Research Drive environment.
Users not affiliated with an institution for which a Research Drive environment is available will have an account on the SURF Community Research Drive environment.
The SURF Community Research Drive environment will also be used for users for whom their Research Drive environment does not have SRAM integration enabled.
A collaboration in SRAM contains users from different organizations. When a group is created in the collaboration and users are added to that group, the following happens in Research Drive.
SRAM groups will be created on the Research Drive environments of those users. Based on the institutional username, we determine the Research Drive environment the users belong to. When no matching Research Drive environment is found (for EduID accounts or users from an institute without a Research Drive instance), for the duration of this pilot, the user will be forwarded to the Research Drive Community Edition of SURF, which is also available for external users.
If the user exists in that Research Drive environment, they will then be added to the group. If the user does not exist, a new user account will be created in that Research Drive environment and will then be added to the group.
Example scenario
In the following example, we have the Collaboration (CO) `Project Light Bulb`. Within this CO we create the group `Researchers`.
Attached to this are the users Humphry.Davy@uva.nl, Thomas.Edison@vu.nl and Gerard.Philips@philips.nl. The Research Drive service will be linked to this CO.
For the users of affiliated educational institutions, their Research Drive environment is taken as the home base for the group.
For the external user (in this case Philips), no education login environment is available. Those users can create an account on eduID.nl and log in via this Public Identity Provider.
Where there is no dedicated branded Research Drive environment for an external user, they will start using the SURF Community Research Drive environment.
Note
The SURF Research Drive Community Edition will also be used for users for whom their Research Drive environment does not have SRAM integration enabled in this Pilot phase.
After the pilot, the user accounts created on the community edition will be cleared.
On all involved Research Drive environments, the group will now be created. The group will contain the local user of the environment as well as the (federated) users from the other Research Drive environments.
This allows the users on their Research Drive environment to share data directly with this group instead of creating multiple user shares. The users continue to work on their own Research Drive environment, with the possibility to share data with groups that contain users from other Research Drive environments.
In the example above, on the UvA environment the group `Researchers` will be available. This group includes the local user Humphry.Davy@uva.nl and the federated users Thomas.Edison@vu.nl@VU ResearchDrive Environment and Gerard.Philips@philips.nl@SURF Community Edition. Within their Research Drive environment, they can now share directly with this group.
Modifying an existing group
When modifying a group, shares already created with the group will continue to exist.
In the background, new users will automatically gain access to the data shared with this group. Users removed from the group lose access.
The data itself will not be manipulated.
Collaborative groups cannot be modified within Research Drive. Creation, modification or deletion of these collaborative groups can only be done through SRAM.
Deleting a group
When deleting the group in SRAM, it will also be deleted on the involved Research Drive environments.
The shares which were previously created will disappear. The data and users will not be deleted.
Background information
Some time may pass between creating a group on SRAM and it becoming available on the Research Drive environments. This is due to the logic in between,
so a slightly more technical description of how this integration works may be enlightening.
Whereas within SRAM all users live within one environment, for Research Drive they must be split across several environments, the so-called branded Research Drive environments.
For this purpose, the domain of the user account is taken as the starting point. Based on this domain, the desired Research Drive environment will be determined by the Research Drive Middleware.
The middleware ensures that the user will be provisioned on the determined Research Drive environment if they do not have an account yet.
Then the group will be created, containing the local account as well as the accounts from other involved Research Drive environments.
The user is then able to share with the collaboration on their own Research Drive environment. The others will receive a share on their own Research Drive environment.
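The routing and group composition described above, together with the effect of modifying a group, as an added Python sketch (not SURF's middleware code). The environment names, the domain map and the `example-institute.nl` entry are assumptions made for illustration, as is the choice to match the account domain exactly.

```python
# Added illustration, not SURF's middleware. All names below are assumptions.
COMMUNITY = "SURF Community Edition"

# Constructed map: account domain -> (branded environment, SRAM integration enabled)
ENVIRONMENTS = {
    "uva.nl": ("UvA Research Drive", True),
    "vu.nl": ("VU Research Drive", True),
    "example-institute.nl": ("Example Research Drive", False),  # hypothetical, not in the pilot
}

def home_environment(username):
    """Choose the environment from the domain of the user account.

    The domain is matched exactly (no suffix or substring matching), so a
    look-alike such as 'uva.nl.example.org' is not routed to the UvA
    environment. Unknown domains and environments without SRAM integration
    fall back to the community edition.
    """
    domain = username.rsplit("@", 1)[-1].lower()
    env, enabled = ENVIRONMENTS.get(domain, (COMMUNITY, True))
    return env if enabled else COMMUNITY

def plan_group(members):
    """Return {environment: {'local': [...], 'federated': [...]}} for one SRAM group."""
    homes = {m: home_environment(m) for m in members}
    plan = {}
    for env in sorted(set(homes.values())):
        plan[env] = {
            # Accounts that live on this environment
            "local": sorted(m for m, h in homes.items() if h == env),
            # Accounts on other environments, written as user@environment
            "federated": sorted(f"{m}@{h}" for m, h in homes.items() if h != env),
        }
    return plan

def membership_delta(old_members, new_members):
    """Who gains or loses access to existing group shares after a change in SRAM."""
    old, new = set(old_members), set(new_members)
    return {"gain": sorted(new - old), "lose": sorted(old - new)}

if __name__ == "__main__":
    researchers = ["Humphry.Davy@uva.nl", "Thomas.Edison@vu.nl", "Gerard.Philips@philips.nl"]
    for env, group in plan_group(researchers).items():
        print(env, group)
```

Comparing `membership_delta` output against the actual share recipients on each environment is a quick way to confirm that removed users no longer have access after a group change has propagated.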