4. Managing users and suppliers
Introduction
Services may be set up so that users don't require any pre-existing agreement in order to use them, or they may require a Service Level Agreement (SLA) with the supplier. When a user tries to access a service that requires an existing SLA, they will get a message saying something like this:
None of the known trade accounts or SLAs are suitable for this service (no
local private account service is being used). An account or SLA is required at
one of these services:
- https://management.example.com/gria-service-provider-mgt/services/SLAService
From host: apps.example.com
The user should now talk to the person in their organisation who is responsible for setting up agreements with suppliers. This guide assumes that that person is you. The topics covered here are:
- An overview of trade accounts and service level agreements.
- How to set these up using the GRIA client.
- Granting other employees of your organisation access to SLAs.
- Using a client management service to manage large numbers of trade accounts and SLAs centrally.
Trade accounts and SLAs
An SLA is an agreement between two organisations (a client and a service provider) stating what resources will be provided and what use of the service will cost. For example, an SLA may state that:
- Up to 1 Tb of data may be uploaded per month, at 1 euro per Gb.
- Up to 30 jobs may be running at the same time, at 1 euro per CPU hour.
When a user uploads data or starts a job, they indicate which SLA they are using, and the usage is recorded against this SLA. Periodically, usage on the SLA is converted into monetary terms (according to the terms of the SLA) and recorded on your trade account.
You will need a trade account at each non-free supplier you wish to use, and at least one SLA billed to each trade account. You can then grant other people permission to use resources under the terms of the SLA.
Running the client
You should already have the GRIA client installed. If not, consult the Client Installation first. Then run the client to open the Grid resource browser:
> gridcli
The initial display will not show any resources or services unless you used the same client before to access other services:

Adding the Trade Account and SLA Service
Go to the web-site of the service provider you wish to use and follow the Adding Services guide to add their TradeAccountService and SLAService now. You should see some SLA templates listed under the SLA service. An SLA template is a set of terms that you must agree to in order to create an SLA.

Opening a trade account
Click on a trade account service (as added above) and a form appears in the resource viewing panel on the right-hand side of the client:

Your new trade account will appear under the supplier's service. You can click on it and details will appear in the resource viewing panel. From here you can perform actions on the trade account. Initially, the account's status will be pending-credit-checks; the account can't be used yet. Once the service provider has approved the account, its status changes to open. You can also use this dialog box to check the account statement, which will show any spending on the account:

Creating an SLA
Once your account is in the open state, you can use it to create SLAs. Click on one of the SLA templates discovered when you added the SLA service (to check for templates published after you added the service, right-click on the service and choose Discover existing resources from the menu). You will see the details of the service provider's offer:

After examining the available templates, pick the one(s) you want and click on the Propose SLA button to create an SLA. If accepted by the service provider, a new SLA resource will appear under the SLA service:

Granting access to an SLA
Click on an SLA to open the Properties dialog box. This reminds you of the details of the agreement, provides graphs showing usage, and lets you control access to the SLA:
First load the current access control rules by clicking Load Access Control Rules. This shows a list of rules that apply to the current SLA. Initially this will show one rule granting you the owner role on the SLA. To grant other users access to the SLA, choose Add Rule from the menu. You will be prompted with the Access Control Wizard, similar to the one used to delegate access to a Data Stager in the previous section, Client User's Tutorial.

Users do not have full access to the SLA - they can use resources at other services that require an SLA but they can't close it or grant access to others, for example.
Viewing usage on an SLA
As people make use of services using the SLA, the SLA service records the usage. You can view graphs of the usage using the client:
- Click on the SLA to show its details in the resource viewing panel.
- Go to the Usage tab.
- Select the time period you wish to view. Leaving the fields at their defaults shows usage from the start of the SLA until the current time.

You can view the different metrics that the service has been keeping track of: Number of Data Stagers, Number of Activities, and Amount of Disc Space Used. Other services may report different metrics depending on the services they monitor.
Note that usage within the last couple of minutes may not be shown and that this view is a summary of usage. You can click on the load button to view raw usage, which gets all usage for the currently chosen metric.
Client Management
Granting users access to trade accounts and SLAs individually becomes more difficult as the number of users and suppliers increases. Each time a user joins a project they must be given access to every SLA. Every time a new supplier is added, every user must be given access to it.
The solution is to run a client management service within your organisation. This service keeps track of who is a member of which projects, and which SLAs each project uses. Installation of the client management service is covered in the Client Management Service Overview. The following sections assume that the service is already installed.
It is recommended to use the Membership and Registry Service to manage users and resources. You may instead wish to use a Private Account Service, which is described below in Using Private Accounts, but this service is deprecated and users are not advised to use it.
Creating a Membership Group
You can use the membership service to control groups of users.
- Adding the membership service is done in the same way as adding the other services.
- Right-click on the membership service and choose 'Create Group' from the menu. Choose a name for the group. The name should signify the privileges that users get if they are a member of this group, e.g. 'Engineers'.

Adding Members to a Group
- Click on the membership group
- Go to the Access Control tab and click on Load Access Control Rules. Click the 'Add Rule' button.
- You will be prompted with the Access Control Wizard similar to the one used to delegate access to a Data Stager in the previous section Client User's Tutorial
- More members can be added in the same way.
Giving Members access to a Resource
Once you have created your membership group and added all the members to it you need to give them access to resources.
To give the users access to an SLA, drag the SLA onto the membership group in the client.

Then choose the role that you want members of this group to have for this resource.

Doing this adds a rule to the SLA's Access Control Rules which gives anyone bearing a token asserting they are a member of the group the chosen role on the SLA. We can see this new rule on the Access Control tab of the SLA:

Using a Membership Group
If you have been given access to a Membership Group, then follow these steps to use it:
- Adding the membership service is done in the same way as adding the other services.
- Right-click on the Membership Service and choose Discover Existing Resources. If you have been given access to a Membership Group it should appear in the client.
- Right-click on the new Group and choose Set as default Group. Now when accessing services a token from this membership group will be attached to the request to authorise you.
Creating a Registry Resource
- Adding the registry service is done in the same way as adding the other services.
- To create a new Registry you need to have been given the 'manager' role on the Registry Service.
- Click on the registry service and create a new registry resource by right-clicking the Registry Service and selecting the 'Create New Registry' option:

Adding a Resource to a Registry
- Click on the Registry Resource in the client.
- Click on the 'Resources' tab on the resource viewing panel.
- Click on the 'Load Resources' button to load the current resources into the table. The table should be empty if you just created the registry.
- Click on the 'Add Resource' button and choose a resource to put in the registry.

The resource should appear in the table

Using a Registry
If you have been given access to a Registry (perhaps by your project manager), then follow these steps to use it:
- Adding the registry service is done in the same way as adding the other services.
- Right-click on the Registry Service and choose Discover Existing Resources. If you have been given access to a registry it should appear in the client.
- Right-click on the new Registry and choose Discover Registered Resources. This will add to the client all the resources that you have access to. If you set a default membership group then it will use a token from that group as authorisation.
- If you right click the registry and choose Set as default registry then the registry can be used to select an appropriate SLA when creating resources on managed services.
Private accounts (Deprecated)
The Private Account Service has been deprecated and you are advised to use the Membership Service and Registry Service for this functionality.
Granting users access to trade accounts and SLAs individually becomes more difficult as the number of users and suppliers increases. Each time a user joins a project they must be given access to every SLA. Every time a new supplier is added, every user must be given access to it.
The solution is to run a client management service within your organisation. This service keeps track of who is a member of which projects, and which SLAs each project uses. Installation of the client management service is covered in the GRIA Client Management Installation. The following sections assume that the service is already installed.
Opening a private account
Once your IT department has installed the client management services you can create new projects using the private account service.
- Adding the private account service is done in the same way as adding the other services.
- Click on the private account service to show an open private account form in the resource viewing panel:

You do not need to specify credit details when opening a private account, and the account starts in the open state, without needing to be approved. Since only managers are allowed to open new private accounts, the service administrator must have granted you access. If you get a permission denied error, then ask the private account service's administrator to add you to the service's access control list. Consult the GRIA services documentation for details on this process.
Adding a supplier relationship to a private account
You can add both supplier trade accounts and SLAs to a project account. Anyone you make a member of the project can use the project's trade accounts and SLAs with the "user" role:
- If you add a trade account then members of the project will be able to use the trade account to create new SLAs themselves.
- If you add SLAs to the project then members of the project can use the SLAs to create jobs and data, but cannot create new SLAs.
To add a trade account or SLA as a supplier for the project (private account):
- Click on the private account.
- Choose the Supplier Resources tab.
- Click Load Suppliers to view the current suppliers. If you just opened the account the table should be empty.
- Click on Add Supplier.
- Choose the resource to add.
Repeat this process to add trade accounts and SLAs at other suppliers in the same way:

Note: If you get the error:
Sorry, the operation addBudgetHolderRule is not available at the moment while the reosurce is on the state 'pending-credit-checks'
Then this means that the trade account has not yet been approved.
The client will contact the private account service to get the service's X.509 certificate. Then, it will contact the trade account and update its access policy to grant the private account service the budget-holder process role. This allows the private account service to access this account on your behalf. Finally, the client software contacts the private account service and adds the supplier to it.
When the private account service is asked to add a new supplier, it will contact the trade account service and update its policy to grant anyone bearing a particular SAML token the user role if the token is signed by the private account service. It can change the policy in this way because the client has just granted it the budget-holder role.
You can see the access control rules for the trade account by choosing the Access Control tab from the menu: it will now contain an entry for the private account service, as well as for yourself. On the same tab you will also find a single rule granting permission to anyone authorised by the private account service. It will show:
Attribute: can-charge-to-private-account = #resource-id of private account#.
A similar process is followed when adding an SLA to a project.
Adding project members
Now that the trade accounts and SLAs are listed as suppliers of the client account, it is not necessary to modify their access control policies individually. Instead, you can add a user to the project:
- Click on the project (private account).
- Choose the Access Control tab, and click Load Access Control Rules.
- Click on Add Rule.
- Then you must add users to the Private Account by giving them the user role. Adding users is done in a similar way to Adding Users to an SLA.
Giving a user access to the project account does not change the access control policies at the remote trade account or SLA services. Instead, it gives the user the ability to get SAML tokens from the private account service. These tokens can then be passed to remote services to prove that the user may use the remote resource.
After making someone a member of the project you should tell them to add the private account service to their client (if they don't have it already) and use Discover existing resources to find the account of which they are now a member. The client must right-click on the account and choose Set default private account from the menu.

Whenever they need an account or SLA, their client will contact this service to find the required resource and a security token letting them use it.
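The delegation chain described in this section and in "Adding a supplier relationship to a private account" can be modelled in a few lines. This is an added illustration, not GRIA code: the class and method names are hypothetical, the token is a plain JSON body rather than SAML, and an HMAC stands in for the private account service's X.509 signature.

```python
import hashlib
import hmac
import json

ATTR = "can-charge-to-private-account"  # attribute name from the rule shown above

class PrivateAccountService:
    """Token issuer; HMAC stands in for the service's X.509 signature."""
    def __init__(self, name, key):
        self.name, self._key = name, key
        self.members = {}  # private account id -> set of member names

    def sign(self, body):
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def issue_token(self, user, account_id):
        if user not in self.members.get(account_id, set()):
            raise PermissionError(f"{user} is not a member of {account_id}")
        body = json.dumps({"sub": user, ATTR: account_id}, sort_keys=True).encode()
        return {"body": body, "sig": self.sign(body)}

class TradeAccount:
    """Remote resource with identity rules and token (attribute) rules."""
    def __init__(self, owner):
        self.state = "pending-credit-checks"
        self.roles = {owner: "owner"}  # identity rules
        self.token_rules = []          # (issuer, private account id, role)

    def add_budget_holder_rule(self, caller, service):
        if self.state != "open":  # the case behind the error quoted above
            raise RuntimeError(f"not available in state {self.state!r}")
        if self.roles.get(caller) != "owner":
            raise PermissionError("only the owner can delegate")
        self.roles[service.name] = "budget-holder"

    def add_token_rule(self, service, account_id):
        if self.roles.get(service.name) != "budget-holder":
            raise PermissionError("service is not a budget-holder")
        self.token_rules.append((service, account_id, "user"))

    def role_for(self, caller, token=None):
        if caller in self.roles:
            return self.roles[caller]
        for issuer, account_id, role in self.token_rules:
            if token and hmac.compare_digest(issuer.sign(token["body"]), token["sig"]):
                if json.loads(token["body"]).get(ATTR) == account_id:
                    return role
        return None
```

In this model, adding a name to `members` is the only change needed to admit a new project member, and `token_rules` on the trade account stays the same. Removing the name stops new tokens from being issued.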
Checking usage on trade and private accounts
Once some users have used an account (see the user's tutorial for details), you can check the usage by clicking on an account and selecting the Aggregated Statement tab. If you do this on a trade account, you will see only spending on that trade account at that service provider. If you use a project's private account, you will see all spending on that project, aggregated across all supplier trade accounts.

Note: in the current version of GRIA there is no way to see usage on supplier SLAs that are linked to a private account. For this reason it is best not to link both SLA and trade accounts to a single project account. Instead, try using a second (dummy) project account to control access to your SLAs (i.e. using it as a token service only), and monitor usage only through the real private account by checking monetary charges there.
