4. Managing users and suppliers

Up one level

Introduction

Services may be set up so that users don't require any pre-existing agreement in order to use them, or they may require a service level agreement with the supplier. When a user tries to access a service that requires an existing Service Level Agreement (SLA) they will get a message saying something like this:

None of the known trade accounts or SLAs are suitable for this service (no
local private account service is being used). An account or SLA is required at
one of these services:

- https://management.example.com/gria-service-provider-mgt/services/SLAService

From host: apps.example.com

The user should now talk to the person in their organisation who is responsible for setting up agreements with suppliers. This guide assumes that that person is you. The topics covered here are:

1. An overview of trade accounts and service level agreements.
2. How to set these up using the GRIA client.
3. Granting other employees of your organisation access to SLAs.
4. Using a client management service to manage large numbers of trade accounts and SLAs centrally.

Trade accounts and SLAs

An SLA is an agreement between two organsiations (a client and a service provider) stating what resources will be provided and what use of the service will cost. For example, an SLA may state that:

• Up to 1 Tb of data may be uploaded per month, at 1 euro per Gb.
• Up to 30 jobs may be running at the same time, at 1 euro per CPU hour.

When a user uploads data or starts a job, they indicate which SLA they are using, and the usage is recorded against this SLA. Periodically, usage on the SLA is converted into monetary terms (according to the terms of the SLA) and recorded on your trade account.

You will need a trade account at each non-free supplier you wish to use, and at least one SLA billed to each trade account. You can then grant other people permission to use resources under the terms of the SLA.

Running the client

You should already have the GRIA client installed. If not, consult the Client Installation first. Then run the client to open the Grid resource browser:

> gridcli

The initial display will not show any resources or services unless you used the same client before to access other services:

Adding the Trade Account and SLA Service

Go to the web-site of the service provider you wish to use and follow the Adding Services guide to add their TradeAccountService and SLAService now. You should see some SLA templates listed under the SLA service. An SLA template is a set of terms that you must agree to in order to create an SLA.

Opening a trade account

Click on a trade account service (as added above) and a form appears in the resource viewing panel on the right hand side of the client :

Your new trade account will appear under the supplier's service. You can click on it and details will appear in the resource viewing panel, from here you perform actions on the trade account. Initially, the account's status will be pending-credit-checks; the account can't be used yet. Once the service provider has approved the account, its status changes to open. You can also use this dialog box to check the account statement, which will show any spending on the account:

Creating an SLA

Once your account is in the open state, you can use it to create SLAs. Click on one of the SLA templates discovered when you added the SLA service (to check for templates published after you added the service, right-click on the service and choose Discover existing resources from the menu). You will see the details of the service provider's offer:

After examining the available templates, pick the one(s) you want and click on the Propose SLA button to create an SLA. If accepted by the service provider, a new SLA resource will appear under the SLA service:

Granting access to an SLA

Click on an SLA to open the Properties dialog box. This reminds you of the details of the agreement, provides graphs showing usage, and lets you control access to the SLA:

First load the current access control rules by clicking Load Access Control Rules. This shows a list of rules that apply to the current SLA, initially this will show one rule granting you the owner role on the SLA. To grant other users access to the SLA, choose Add Rule from the menu. You will be prompted with the Access Control Wizard similar to the one used to delegate access to a Data Stager in the previous section Client User's Tutorial.

Users do not have full access to the SLA - they can use resources at other services that require an SLA but they can't close it or grant access to others, for example.

Viewing usage on an SLA

As people make use of services using the SLA, the SLA service records the usage. You can view graphs of the usage using the client:

1. Cick on the SLA to show its details in the resource viewing panel.
2. Go to the Usage tab.
3. Select the time period you wish to view, leaving the fields as the default gets usage from the start of the SLA until the current time.

You can view different metrics that the service has been keeping track of, you can view Number of Data Stagers, Number of Activities, Amount of Disc Space Used. Other services may report different metrics depending on the services they monitor.

Note that usage within the last couple of minutes may not be shown and that this view is a summary of usage, you can click on the load button to view raw usage, which gets all usage for the current metric chosen.

Client Management

Granting users access to trade accounts and SLAs individually becomes more difficult as the number of users and suppliers increases. Each time a user joins a project they must be given access to every SLA. Every time a new supplier is added, every user must be given access to it.

The solution is to run a client management service within your organisation. This service keeps track of who is a member of which projects, and which SLAs each project uses. Installation of the client management service is covered in the Client Management Service Overview. The following sections assume that the service is already installed.

It is recommended to use the Membership and Registry Service to manage users and resources, but you may wish to use the a Private Account Service which is described below Using Private Accounts but this service is deprecated and users are not advised to use it.

Creating a Membership Group

You can use the membership service to control groups of users.

1. Adding the membership service is done in the same way as adding the other services.
2. Right-click on the membership service and choose  'Create Group' from the menu. Choose a name for the group, the name should signify the privileges that users get if the are a member of this group, i.e. 'Engineers'
   

Adding Members to a Group

1. Click on the membership group
2. Go to the Access Control tab and click on Load Access Control Rules. Click the 'Add Rule' button.
3. You will be prompted with the Access Control Wizard similar to the one used to delegate access to a Data Stager in the previous section Client User's Tutorial
   
4. More members can be added in the same way.

Giving Members access to a Resource

Once you have created your membership group and added all the members to it you need to give them access to resources.

To give the users access to an SLA, drag the sla onto the membership group in the client.

Then choose a role for which you want members of this group to have for this resource.

Doing this adds a rule to the SLA's Access Control Rules which gives anyone bearing a token asserting they are a member of the group the chosen role on the sla. We can see this new rule on the Access Control tab of the SLA:

Using a Membership Group

If you have been given access to a Membership Group, then follow these steps to use it

1. Adding the membership service is done in the same way as adding the other services
2. Right click on the Membership Service and choose Discover Existing Resources. If your have been given access to a Membership Group it should appear in the client
3. Right click on the new Group and choose Set as default Group. Now when accessing services a token from this membership group will be attached to the request to authorise you.

Creating a Registry Resource

1. Adding the registry service is done in the same way as adding the other services.
2. To create a new Registry you need to have been given the 'manager' role on the Registry Service.
   
3. Click on the registry service and create a new registry resource by right-clicking the Registry Service and selecting the 'Create New Registry' option:

Adding a Resource to a Registry

1. Click on the Registry Resource in the client.
2. Click on the 'Resources' tab on the resource viewing panel.
3. Click on the 'Load Resources' button to load the current resources into the table. The table should be empty if you just created the registry.
   
4. Click on the 'Add Resource' button and choose a resource to put in the registry.

The resource should appear in the table

Using a Registry

If you have been (perhaps by your project manager) given access to a Registry then follow these steps to use it

1. Adding the registry service is done in the same way as adding the other services.
2. Right click on the Registry Service and choose Discover Existing Resources. If your have been given access to a registry it should appear in the client
3. Right click on the new Registry and choose Discover Registered Resources. This will add to the client all the resources that you have access to, if you set a default membership group then it will use a token from that group as authorisation.
4. If you right click the registry and choose Set as default registry then the registry can be used to select an appropriate SLA when creating resources on managed services.