# Access & Authorization

Description 

FASRC provides a number of services including cluster computing, data storage, and virtual machines.  All of these services share the same FASRC authentication services.  FASRC also works directly with PIs to create the access groups that govern data and services.  A number of common technical components are needed to access the different services; they are detailed below.


Key Features and Benefits  

FASRC maintains its own authentication services, which allows it to provide collaborators with access to these shared services easily.  It is also able to maintain accounts for researchers such as grad students and postdocs during their transition to a new institution, without disruption in access.


Definitions:

Active Directory (AD):  FASRC maintains its own Windows Active Directory service, run in accordance with HUIT AD security practices for identity management.  User and group information, and the access rights derived from it, for all services are maintained in a cluster of domain controllers spanning all data center sites.

Virtual Private Network (VPN):  A user runs a network client (such as Cisco AnyConnect) to connect to a non-local network; the client updates the local routing table so the machine effectively joins the remote network.  FASRC maintains its own separate VPN infrastructure to support secure remote access to storage, VMs, and other services that are not exposed to the public network.  Separate VPN realms can also be created to further segregate users, as is commonly required when dealing with controlled or confidential data.

Two-factor (2FA): Authentication beyond a username and password, both of which are static information, is required for increased security.  A two-factor token is typically registered to a device and an account, and produces a short-lived code (valid for about 30 seconds).  All FASRC services require two-factor authentication.


Account Types:

User account:  Every person who wants access to FASRC services must have their own unique user account.  Each user has a unique user ID (UID), on which all UNIX-based data and access controls are based.  The FASRC user account is separate from the HUID-based account.  Every user is responsible for following the Harvard Information Security Policy.  Creation of every non-PI user account requires the sponsorship of a PI, and closure of a user account is likewise vetted with the PI.

Course/temporary account:  Accounts for courses (or other temporary accounts) are given an expiration date upon creation, typically covering the duration of the course or other required period of access.  Access to the Academic Cluster is controlled through HUIT-maintained Canvas instances, and these accounts are created automatically.  Course/temporary accounts are separate from a researcher's user account and cannot be reused.

Service account: On the rare occasion that an instrument or piece of software needs a single account, a service account can be created.  These accounts never have a home directory and are distinct from user accounts in both use and creation.

Administrative account:   Administrative accounts give a person full control over the systems, network, software, and data needed to provision and maintain the suite of FASRC services.  FASRC follows the principle of least privilege, so only a limited number of FASRC staff hold administrative access, used as needed to perform duties for these services.

Lab group:   All PIs (faculty and non-faculty) have a logical lab group created in AD.  Typically this is named using the standard nomenclature pi_lab.  In FASRC, all service usage and requests are aggregated under this lab group.  Users may belong to and collaborate with multiple lab groups, but each user is tied to a single primary group, which sponsors them.

Access group:  A group of users used to control access to a resource.  The resource may be computing capacity in Slurm, a data folder, a VPN realm, or a database.  For data, the group can be granted read-only access.  All changes to access groups require PI approval.

Data Use Agreement (DUA): Some data providers place extra or specific restrictions on access to their data.  FASRC maintains a dedicated access control group for every DUA.

Portal: FASRC maintains its own portal to handle a number of routine business operations, such as account creation, support requests, storage requests, searching for software modules, …

PI account:  Within the FASRC portal, the PI (faculty or non-faculty) is the sponsor responsible for approving account requests and access group changes.

Approver:  A PI can designate a research or administrative staff member as the approver for account requests.


Service Expectations and Limits:  

At FASRC, availability, uptime, and the backup schedule are provided on a best-effort basis by staff who do not work rotating 24/7/365 shifts.


Available to: 

Available to all PIs and their group members at supported Harvard schools: https://docs.rc.fas.harvard.edu/kb/account-qualifications/

All access requests should follow the directions provided at:

https://docs.rc.fas.harvard.edu/kb/how-do-i-get-a-research-computing-account/


Service manager: 

Service Manager: Maggie McFee, Associate Director of Research Computing Services


Offerings (Tiers of Service) 

FASRC Account (non-cluster) - No cluster login access; mainly used for access to services such as instruments, or for storage-only access

FASRC Cluster Account - An account for which cluster login and job submission are also enabled

Course-specific temporary accounts - Provides temporary access for users to the cluster or other FASRC services

FAS Science Core Facilities access - Integration with the core facilities' instrument sign-up and utilization

Self-service signup and approval - The FASRC Portal allows users and PIs to manage some portions of their own or their lab members' access