IAM for IRIS
Last updated: 20th May, 2021
The IAM (Identity and Access Manager) provides an Authentication and Authorization Infrastructure (AAI) solution to IRIS. The IAM acts as a proxy service, allowing IRIS collaborators access to other IRIS services.
What is IRIS?
STFC supports a diverse set of Science Activities. These activities require a substantial “eInfrastructure” to manage, preserve, analyse and simulate theiruch eInfrastructure includes both the physical infrastructure (HPC and HTC computing resource, disk and tape storage), and the software infrastructure needed to enable the data to be processed. IRIS is the co-ordinating body for the provision of this eInfrastructure and is a collaboration between STFC, its eInfrastructure Providers and representatives from the Science Activities themselves. More details of what IRIS is (and indeed what it isn’t) can be found in the IRIS what is IRIS? section and in the IRIS-FAQ.
For help with registering to use the IRIS IAM, please visit our help page here.
For IAM Issues and Technical Support:
Please e-mail us at email@example.com, with subject line "ATTN: IAM Support Issues".
For Security Concerns:
Please e-mail us at firstname.lastname@example.org, with subject line "ATTN: Security Concerns".
For General Enquiries:
Please e-mail us at email@example.com, with subject line "ATTN: General Enquiries".
Contact us by mail:
IRIS IAM Privacy Notice
This notice, the IRIS IAM Privacy Notice, is effective from 4th March, 2021.
The UK e-Infrastructure for Research and Innovation for STFC (“IRIS”) is a body of peer participant organisations co-ordinated for the purpose of sharing IT resources and services to further the science goals and missions supported by those organisations. The IAM (Identity and Access Manager) provides an Authentication and Authorization Infrastructure (AAI) solution to IRIS. The IAM acts as a proxy service, allowing IRIS collaborators access to other IRIS services.
IRIS considers it important to process only such personal data as is required for the proper functioning of IRIS services. The personal data detailed below is collected for the purposes of identification, authentication, authorisation, access control, accounting, billing, resource management and information security. The legal basis for processing this data is for the purposes of the legitimate interests pursued by IRIS and the science communities that IRIS supports in order to provide IT services to its users.
What personal data is collected from you and why?
When you register with IRIS IAM to use IRIS services, the following data may be collected and associated with your account:
- Personal Name
- Professional email address
- Employing institute
- Science community affiliation and validity dates
- Science community groups and roles
- Professional address and telephone number
- A non-reassigned, unique personal identifier - for example, the Subject Distinguished Name (DN) from your personal certificate
This data is necessary for security and accounting purposes to uniquely and properly identify and authenticate you when creating an account for subsequently accessing IRIS services.
When you access IRIS services, log records of your access to and actions on IRIS resources are created. These records may contain:
- your unique identifier (as described in 1, above)
- your science community group(s) and role(s)
- the network (IP) address from which you access the services
- the date and time of access
- details of actions you perform
In combination with the registration data above, these log records are necessary to meet the reliability and security requirements of IRIS services and for resource management purposes. This includes authentication, authorisation, accounting, security incident handling, assisting in the analysis of reported problems and for contacting you if a problem is identified with your account.
For how long will your Personal Data be kept?
Access logs and accounting records are kept for up to 18 months before being anonymised or deleted. UIRIS will keep your user registration data for as long as you remain a registered member of your Science Community plus the maximum accounting record retention period. In order to enable IRIS to support the user employment life cycle, e.g. to confirm your identity when you return after a period of absence, and unless you explicitly request otherwise, IRIS may keep your registration data for up to 36 months after you leave.
How your personal data is protected
The IRIS IAM is committed to following the REFEDS Data Protection Code of Conduct. Your personal data will be protected according to the Code of Conduct for Service Providers, a common standard for the research and higher education sector to protect your privacy. Your personal data is protected against unauthorised disclosure, modification or deletion, by technical and organisational measures, including during transfer as described below.
Who has access to your personal data?
IRIS IAM will make your personal data accessible only to those authorised by IRIS, and only for the purposes described above.
To whom do we transfer your data?
Your personal data may be transferred only to the following parties, and only as far as is necessary to provide the IRIS services that you make use of:
- IRIS participants where necessary for the provisioning, operation and security of IRIS services
- trusted third parties for the purposes of security incident response
Other transfers are not allowed except where legally required.
What rights do you have related to our processing of your personal data?
You have the right to access a copy of the personal data we hold about you and you may request that we:
- rectify them if inaccurate
- cease their processing
- delete them.
If your request is not admissible, we will write to tell you of this including the reasons why. Changes to or removal of personal data may limit your access to IRIS services. Please make your request using the contact details given below.
What legal basis do we use for processing your personal data?
We use legitimate interest as the legal basis for processing data as it is reasonable to expect that we process such data for the purpose of providing you with IRIS services in a safe and secure manner.
Who to contact if you have a query about this privacy notice?
How to complain to a supervisory authority.
Details of the UKRI Data Protection Officer and your right to raise issues with the UK Information Commissioner’s Office are available at: https://www.ukri.org/about-us/privacy-notice/. The applicable jurisdiction for IRIS IAM is the United Kingdom of Great Britain and Northern Ireland (GB-UKM).
This work, the “IRIS Privacy Notice” by the IRIS Policy Team on behalf of UKRI-STFC, is licensed under a CC BY-NC-SA 4.0 license. Other Sources/Attribution/Acknowledgements: The authors acknowledge input from the WLCG and EGI security policy groups.