Dorian maintains a user account for each user to whom it issues credentials. For each account it keeps four types of information: user attributes, user certificates, host certificates, and auditing information.
User attributes are information about a user that help identify them; administrators use these attributes when administering accounts. Below is a list of the user attributes maintained by Dorian.
| Grid Identity
|| A globally unique identifier for the user. Services and other parties use this identity to identify the user.
| Identity Provider
|| The identity provider in the federation to which the user belongs.
| Local User Id
|| The user's unique identity within the identity provider they belong to.
| First Name
|| The user's first name.
| Last Name
|| The user's last name.
| Email Address
|| The user's email address.
| User Status
|| The status of the user's account.
The Local User Id, First Name, Last Name, and Email Address attributes are provided by the user's identity provider in the SAML assertion issued when the user requests PKI user credentials. Each time the user requests a certificate, Dorian checks these attributes to make sure they have not changed. If the first name, last name, or email address has changed, Dorian updates the user's account to reflect the change. The Local User Id is part of the Grid Identity, so a different local user id denotes a different account rather than an update to an existing one.
A user's Grid Identity is a globally unique identifier that services, applications, and other users use to uniquely identify the user. It is composed of (1) Dorian's CA subject, minus the CA's own CN component, (2) the name of the user's Identity Provider, carried as an OU component, and (3) the user's local user id within that Identity Provider, carried as the CN. For example, suppose a user from Ohio State University with the local user id jdoe has an account with a Dorian whose certificate authority subject is O=caBIG,OU=caGrid,OU=Training,CN=caGrid Training CA. Their Grid Identity would be:
/O=caBIG/OU=caGrid/OU=Training/OU=Ohio State University/CN=jdoe
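The following is an added example, not Dorian's own code, showing how a grid identity is composed from the three parts above and how a relying service can pull the Identity Provider name and local user id back out of an identity it has authenticated. It assumes the layout of the example identity above (the CA subject without its CN, then `OU=<IdP name>`, then `CN=<local user id>`); the function names and the `RESERVED` character set are illustrative.

```python
from typing import Optional, Tuple

# Added example (not Dorian's own code): composing a grid identity from the three
# parts described above and extracting the Identity Provider and local user id
# from an identity presented to a service. Assumed: the CA's own CN is dropped and
# replaced by "OU=<IdP name>" then "CN=<local user id>", as in the identity above.
CA_SUBJECT = "O=caBIG,OU=caGrid,OU=Training,CN=caGrid Training CA"   # CA subject from the text
RESERVED = set("/,=")   # characters that would corrupt the one-line DN encoding


def _rdns(subject: str) -> list:
    """Split a subject given in comma form (O=..,CN=..) or slash form (/O=../CN=..)."""
    sep = "/" if subject.startswith("/") else ","
    rdns = [r.strip() for r in subject.strip(sep).split(sep)]
    if any("=" not in r for r in rdns):
        raise ValueError(f"malformed subject: {subject!r}")
    return rdns


def _identity_base(ca_subject: str) -> list:
    """The CA subject minus its CN: the prefix shared by every identity this CA issues."""
    rdns = _rdns(ca_subject)
    if not rdns[-1].startswith("CN="):
        raise ValueError("CA subject must end with a CN component")
    return rdns[:-1]


def compose_grid_identity(ca_subject: str, idp_name: str, local_uid: str) -> str:
    """Build /<CA base>/OU=<IdP name>/CN=<local uid>."""
    for part in (idp_name, local_uid):
        if not part or RESERVED & set(part):
            raise ValueError(f"identity component contains a reserved character: {part!r}")
    return "/" + "/".join(_identity_base(ca_subject) + [f"OU={idp_name}", f"CN={local_uid}"])


def identity_components(identity: str, trusted_ca_subject: str) -> Optional[Tuple[str, str]]:
    """Return (idp_name, local_uid) if `identity` has exactly the shape of an identity
    issued by the trusted CA, else None. Structural check only: the caller must already
    have authenticated the identity via a chain ending at this CA; a matching prefix
    is not proof of issuance."""
    try:
        base, rdns = _identity_base(trusted_ca_subject), _rdns(identity)
    except ValueError:
        return None
    if not identity.startswith("/") or rdns[:len(base)] != base:
        return None
    tail = rdns[len(base):]
    # Exactly two components may follow the CA base; an extra OU before the IdP,
    # or a missing CN, is rejected rather than guessed at.
    if len(tail) != 2 or not tail[0].startswith("OU=") or not tail[1].startswith("CN="):
        return None
    return tail[0][3:], tail[1][3:]


if __name__ == "__main__":
    gid = compose_grid_identity(CA_SUBJECT, "Ohio State University", "jdoe")
    print(gid)                                   # /O=caBIG/OU=caGrid/OU=Training/OU=Ohio State University/CN=jdoe
    print(identity_components(gid, CA_SUBJECT))  # ('Ohio State University', 'jdoe')
```

The strict two-component check in `identity_components` matters when a service uses the IdP name or local user id for authorization: a looser prefix match would accept identities with additional components inserted between the CA base and the CN, and a local user id containing `/` would be rejected at composition time rather than silently producing a subject with an extra RDN.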
The User Status attribute represents the status of a user's account. Account status is maintained by Dorian administrators. The following are the account statuses supported by Dorian:
- Active - The user's account is active; the user may request both user and host credentials.
- Suspended - The user's account is suspended; all active user and host credentials have been revoked until the account status becomes Active.
- Pending - The user has requested a credential, but the account has not yet been activated by an administrator. (See Account Creation for more details.)
- Rejected - The request for a user account was rejected by an administrator.
When a user requests PKI user credentials from Dorian (see Login Into Dorian) in order to authenticate with web/grid services, Dorian issues a short-term certificate. After the certificate expires the user must log back into Dorian to request another one. This is similar to a session with a website: you log in, and after a period of time you must log in again. Likewise, a user who wishes to authenticate with web/grid services from multiple machines must log into Dorian from each machine. Each login yields a separate user certificate. Dorian keeps a list of all the user certificates it has issued to each user; this list is associated with the user's account. Administrators can browse these certificates and revoke individual ones, which matters when a certificate was used to digitally sign a document and it is later determined that the certificate was compromised at the time the document was signed. Additional information on managing user certificates can be found in the Managing Grid User Accounts Guide.
To establish secure communication and to authenticate with other services, web/grid services need PKI credentials of their own. Dorian can issue host certificates to users so that they may operate grid services. Dorian issues host certificates only to users that have accounts with Dorian, and each host certificate is bound to a specific user account; the user it is bound to is the owner of the host certificate. The status of the owner's account affects the status of the host certificate: if the owner's account is suspended, the host certificate is suspended; if the owner's account is removed, the host certificate is marked compromised. A Dorian administrator can reassign the owner of a host certificate. For more information on host certificates please consult the Managing Grid User Accounts Guide.
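The example below is added here and is not Dorian's own code. It models the rules stated in the status list and the two paragraphs above: only an Active account can obtain user or host credentials, every login yields its own short-lived user certificate, suspension and removal cascade to the certificates bound to the account, and an administrator can revoke a single user certificate or reassign a host certificate. The class and method names, the fixed certificate lifetime, the constructed clock `T0`, and the assumption that a revoked short-lived user certificate stays revoked (while a host certificate suspended with its owner returns to Active with the owner) are illustrative choices, not statements about Dorian's implementation.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
# Added example (not Dorian's own code) of the account status rules described above.
# Assumed for illustration: the class and method names, a fixed user certificate
# lifetime, and that revoking a short-lived user certificate is permanent while a
# host certificate suspended with its owner returns to Active with the owner.
USER_STATUSES = ("Active", "Suspended", "Pending", "Rejected")
USER_CERT_LIFETIME = timedelta(hours=12)          # assumed; configured per deployment
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)    # constructed clock for the demo


@dataclass(eq=False)
class UserCertificate:
    serial: int
    not_before: datetime
    not_after: datetime
    revoked: bool = False


@dataclass(eq=False)
class HostCertificate:
    host: str
    owner: str                  # grid identity of the owning account
    status: str = "Active"      # Active | Suspended | Compromised


@dataclass(eq=False)
class UserAccount:
    grid_identity: str
    status: str = "Pending"     # a new account waits for an administrator
    user_certs: list = field(default_factory=list)
    host_certs: list = field(default_factory=list)


class AccountRegistry:
    def __init__(self) -> None:
        self.accounts: dict = {}    # grid identity -> UserAccount
        self._next_serial = 1

    def _active(self, grid_identity: str) -> UserAccount:
        # Only an Active account may request user or host credentials.
        acct = self.accounts.get(grid_identity)
        if acct is None or acct.status != "Active":
            raise PermissionError(f"{grid_identity}: {'no account' if acct is None else acct.status}")
        return acct

    def login(self, grid_identity: str, now: datetime) -> UserCertificate:
        # Every login (each machine, each session) gets its own short-lived certificate.
        acct = self._active(grid_identity)
        cert = UserCertificate(self._next_serial, now, now + USER_CERT_LIFETIME)
        self._next_serial += 1
        acct.user_certs.append(cert)
        return cert

    def issue_host_certificate(self, grid_identity: str, host: str) -> HostCertificate:
        hc = HostCertificate(host, grid_identity)
        self._active(grid_identity).host_certs.append(hc)
        return hc

    def set_status(self, grid_identity: str, status: str) -> None:
        if status not in USER_STATUSES: raise ValueError(f"unknown status {status!r}")
        acct = self.accounts[grid_identity]
        acct.status = status
        if status == "Suspended":   # cascade: revoke user certs, suspend host certs
            for c in acct.user_certs:
                c.revoked = True
            for h in acct.host_certs:
                if h.status == "Active":
                    h.status = "Suspended"
        elif status == "Active":    # host certs follow the owner back; user certs stay revoked
            for h in acct.host_certs:
                if h.status == "Suspended":
                    h.status = "Active"

    def remove_account(self, grid_identity: str) -> list:
        # Removal revokes user certificates and marks host certificates Compromised.
        acct = self.accounts.pop(grid_identity)
        for c in acct.user_certs:
            c.revoked = True
        for h in acct.host_certs:
            h.status = "Compromised"
        return acct.host_certs      # an administrator may reassign these

    def reassign_host_certificate(self, hc: HostCertificate, new_owner: str) -> None:
        # Ownership moves to another Active account; the certificate's status is unchanged.
        acct = self._active(new_owner)
        old = self.accounts.get(hc.owner)
        if old is not None:
            old.host_certs.remove(hc)
        hc.owner = new_owner
        acct.host_certs.append(hc)

    def revoke_user_certificate(self, grid_identity: str, serial: int) -> bool:
        # Per-certificate revocation, e.g. after a compromise is discovered later.
        for c in self.accounts[grid_identity].user_certs:
            if c.serial == serial:
                c.revoked = True
                return True
        return False

    def user_certificate_valid(self, grid_identity: str, serial: int, now: datetime) -> bool:
        # A relying service's view: owner Active, certificate unrevoked and within validity.
        acct = self.accounts.get(grid_identity)
        if acct is None or acct.status != "Active":
            return False
        return any(c.serial == serial and not c.revoked and c.not_before <= now < c.not_after
                   for c in acct.user_certs)
```

The point a reviewer would check against such a model is the invariant it enforces: a user certificate is accepted only while its owner is Active and it is both unrevoked and inside its validity window, so reactivating a suspended account never silently resurrects certificates issued before the suspension, and a host certificate whose owner was removed keeps its Compromised status even after an administrator reassigns it.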
For security purposes and to give administrators insight into a user's account, Dorian maintains auditing information for each user account. The following is a list of the auditing information maintained for each user account:
| Audit Information
|| Documents when the account was first created.
|| Documents when the account was removed.
|| Documents when the user account was updated.
|| Documents when the user was granted administrative access to Dorian.
|| Documents when the user was revoked administrative access to Dorian.
|| Documents when a user was denied access to Dorian.
|| Documents when a user was able to successfully obtain PKI user credentials.
|| Documents when a user failed to obtain PKI user credentials.
For more information on user account auditing please consult the Managing Grid User Accounts Guide.