BNL GUMS setup for ATLAS VO groups and role

ATLAS VO structure

• /atlas - Root group for the ATLAS VO, includes everybody.
• /atlas/lcg1 - Includes all ATLAS members.
• /atlas/usatlas - Includes all USATLAS members.
• /atlas/usatlas/Role=production - Includes all USATLAS members that are going to manage data production.
• /atlas/usatlas/Role=software - Includes all USATLAS members that are going to perform software install/remove and debug.

GUMS setup at BNL

We use a pool of accounts (gridxxxx) and groups for each Virtual Organization. When a new DN appears in any VO, GUMS permanently assigns an account to that DN, and changes the primary group to the specific group for that VO. For example, 'atlas' for ATLAS, 'ivdgl' for iVDGL. You can browse the LDAP server to check which group is assigned to which VO (you can use the LDAP browser at http://www-unix.mcs.anl.gov/~gawor/ldap/demo.html).

ATLAS members are assigned the 'gridgr07' primary group. USATLAS members are also assigned the secondary group 'usatlas'. One can distinguish members of ATLAS and USATLAS in that way.

There are the following cases:

• If a USATLAS member comes in with a production role, he is mapped to the 'usatlas1' account
• If a USATLAS member comes in with a software role, he is mapped to the 'usatlas2' account
• If a USATLAS member comes in with no role, he is given his account from the pool, with 'atlas' as primary group and 'usatlas' as secondary group
• If an ATLAS members (who is not a USATLAS member) comes in, he is given his account from the pool, with 'atlas' as primary group, and no secondary group
• If someone from another VO comes in, he is given is account from the pool, with the primary group associated with his VO