Revised Identity and Access Management (IAM). Research Participant Portal Offers external...

Research Participant Portal

• Offers external stakeholders a unique entry point for the interactions with the European Commission or Agencies in handling grant-related actions, based on

o single sign-on (ECAS)

o role-based authorization (Identity and access management – IAM)

Result: personalised services on the Portal

• Access to legal entity registration, negotiation, amendments, financial and scientific reporting, expert services (soon).

• Brings homogeneity, transparency and better service integration for grant management.

Objectives of the role management (1/2)

• The Identity and Access Management allows us to define and/or manage changes of access rights of users of the Participant Portal.

• It gives personalised access to the different services.

• It allows flexible and quick management of access rights to the electronic tools on the Portal with high security.

• Any change in the roles of the users is saved to allow a monitoring & tracking service.

Objectives of the role management (2/2)

• Unique identifier of persons: ECAS account (European Commission Authentication System).

Secure, “single sign-on” approach: 1 e-mail address = 1 person = 1 ECAS account, which leads to the different grant or organisation-related actions.

• Unique identifier of entities: the 9-digit PIC number.

• It requires minimum involvement by Commission staff, allowing for flexibility in managing the consortium: only the top roles are approved by Commission staff (Primary Coordinator Contact and the LEAR).

The current pyramid of roles

[Figure: pyramid of roles for the Coordinating Participant, Participant A and Participant B. Rows: Coordinator Contact, Participant Contacts, Named Representat., Task Managers, Team Members, LEAR, Account Admin.; boxes labelled CoCo, PaCo, A.Rep, LEAR and A.Admin, with Scien / Admin / Finan scope columns.]

Changes in the new version of the identity and access management

[Figure: the same pyramid of roles as on the previous slide.]

More Coordinator Contacts and Participant Contacts

[Figure: pyramid of roles with additional CoCo and PaCo boxes.]

More than one Coordinator Contact and Participant Contact

Task Managers and Team Members are no longer restricted to specific scope(s).

[Figure: updated pyramid of roles with Task M. and Team Mb boxes under each organisation.]

The roles of Named & Authorised Representatives are redistributed

[Figure: updated pyramid of roles.]

Activation of non-participant roles: Reviewer and Rapporteur

[Figure: updated pyramid of roles with an Experts group containing Reviewer and Rapport. boxes.]

The list of roles will be changed automatically with the new IAM

[Figure: list of roles with the entries masked.]

View Project details

View roles in the Project

Edit Consortium

The nomination process

“How can I give access to my colleagues?”

“How can I revoke the rights of colleagues who left the organisation?”

“Original roles”

Some roles in the portal IAM are automatically provisioned at negotiation start:

• The Coordinator Contact identified in the proposal forms will be transferred to the Primary Coordinator Contact role in the portal IAM.

• The contact persons of the participating organisations identified in the proposal forms will be transferred to the Participant Contacts role.

• The LEAR is validated by the Commission after the validation process of his/her organisation.

The nomination process

• Except for the Primary Coordinator Contact and the LEAR, management of roles and access rights is in the hands of the consortium.

• Users can be nominated or revoked by other users following a “pyramid of rights”.

Let’s review the nomination/revocation process.

[Figure: step-by-step nomination/revocation walkthrough for the Coordinating Participant and Participant A. Project roles: Coordinator Contacts, Participant Contacts, Task Managers, Team Members. Organisation roles: LEAR, Account Administrator.]

Only the key roles of the LEAR and Primary Coordinator Contact are approved by the Commission.

Only the key roles of the LEAR and Primary Coordinator Contact are defined/modified by the Commission.

[Figure: list of roles with the entries masked.]

The list of roles will be changed automatically with the new IAM. These new roles may need to be modified.

Add or revoke roles in the Project

LEARs will also see the list of proposals submitted.

Access rights

Each person within this pyramid has different access rights according to his/her own role, and according to the state of the project.

Let’s review these rights for each role.

Access rights: Project roles

Participant Contacts (PaCo):

• Nominate and revoke Participant Contacts, Task Managers and Team Members within their organisation;

• Read/write access to own forms;

• Submit to the Coordinator Contacts;

• In addition, all rights listed under the Task Managers.

Task Managers (Task M.):

• Create and update forms;

• In addition, all rights listed under the Team Members.

Team Members (Team Mb):

• Read-only access

Coordinator Contacts (CoCo):

• Nominate and revoke other Coordinator Contacts;

• Read/write access to own and common forms;

• Submit to European Commission/Agency;

• In addition, all rights listed under the Participant Contacts.

Primary Coordinator Contact:

• Nominate and revoke Participant Contacts for any participating organisation.

• In addition, all rights listed under the Coordinator Contacts.

Access rights: Organisation roles

Account Administrator (A.Admin):

• Access legal entity data and submit requests for change

• Access the list of roles/persons representing their organisation

• Access their organisation’s list of Projects and their summaries

• May request to revoke users from roles within his/her organisation

LEAR:

• Nominate and revoke Account Administrators within their organisation

• In addition, all rights listed under the Account Administrator.
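The nomination rules on the project-role and organisation-role slides can be written as a small policy check with an audit trail. This is an added example, not code from the Participant Portal: the rule table is one reading of the slides, and the COMMISSION actor id, the single-project scope, the logging of denied attempts and the sample PICs and e-mail addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

TEAM_MEMBER, TASK_MANAGER = "Team Member", "Task Manager"
PACO, COCO = "Participant Contact", "Coordinator Contact"
PRIMARY_COCO, ACCOUNT_ADMIN, LEAR = "Primary Coordinator Contact", "Account Administrator", "LEAR"
COMMISSION = "COMMISSION"                 # hypothetical actor id for Commission staff
COMMISSION_ONLY = {PRIMARY_COCO, LEAR}    # top roles: never assignable by the consortium

# Assumed reading of the slides: "In addition, all rights listed under ..." = inheritance.
INHERITS = {COCO: PACO, PRIMARY_COCO: COCO}
GRANTS = {  # holder role -> {role it may nominate/revoke: scope}
    PACO: {PACO: "own_org", TASK_MANAGER: "own_org", TEAM_MEMBER: "own_org"},
    COCO: {COCO: "own_org"},              # assumed scope: CoCos sit in the coordinating organisation
    PRIMARY_COCO: {PACO: "any_org"},
    LEAR: {ACCOUNT_ADMIN: "own_org"},
}

def effective_grants(role):
    """Own plus inherited nomination rights; the wider scope ('any_org') wins."""
    merged = {}
    while role:
        for target, scope in GRANTS.get(role, {}).items():
            if merged.get(target) != "any_org":
                merged[target] = scope
        role = INHERITS.get(role)
    return merged

@dataclass
class RoleRegistry:
    assignments: set = field(default_factory=set)   # (ECAS e-mail, role, PIC)
    audit: list = field(default_factory=list)       # one record per attempted change

    def _allowed(self, actor, role, pic):
        if actor == COMMISSION or role in COMMISSION_ONLY:
            return actor == COMMISSION and role in COMMISSION_ONLY
        held = [(effective_grants(r).get(role), p) for u, r, p in self.assignments if u == actor]
        return any(s == "any_org" or (s == "own_org" and p == pic) for s, p in held)

    def change(self, actor, action, user, role, pic):
        """action is 'nominate' or 'revoke'; returns True if applied. Every attempt is audited."""
        ok = action in ("nominate", "revoke") and self._allowed(actor, role, pic)
        if ok and action == "nominate":
            self.assignments.add((user, role, pic))
        elif ok:
            self.assignments.discard((user, role, pic))
        self.audit.append((datetime.now(timezone.utc), actor, action, user, role, pic, ok))
        return ok

def demo():
    """Constructed consortium: coordinator PIC 900000001, Participant A PIC 900000002."""
    reg = RoleRegistry()
    reg.change(COMMISSION, "nominate", "pc@coord.example", PRIMARY_COCO, "900000001")
    return reg, [
        reg.change("pc@coord.example", "nominate", "co2@coord.example", COCO, "900000001"),
        reg.change("pc@coord.example", "nominate", "pa@a.example", PACO, "900000002"),
        reg.change("co2@coord.example", "nominate", "x@a.example", PACO, "900000002"),
        reg.change("pa@a.example", "nominate", "tm@a.example", TASK_MANAGER, "900000002"),
        reg.change("pa@a.example", "nominate", "pa@a.example", LEAR, "900000002"),
    ]
```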

Access rights for negotiations, amendments, reporting

• Read-only rights to all data: Team Members, Task Managers, Participant Contacts, Coordinator Contacts

• Draft, save, modify own forms: Task Managers, Participant Contacts, Coordinator Contacts

• Draft and validate common forms: Coordinator Contacts

• Submit data on behalf of the whole consortium to the Commission: Coordinator Contacts

• Submit own forms to coordinator: Participant Contacts, Coordinator Contacts

Summary

• More flexibility (more than one CoCo and PaCo; fewer distinctions of function types) -> increased responsibility for consortia in establishing/maintaining/revoking access!

• Identity and access management should become a standard part of consortium management – discuss it in kick-off meetings, mention it in consortium agreements!

• No access is lost during migration: current roles are transferred automatically to the new grid of roles. However, consortia might want to check after migration whether the arrangements match their needs.