diff --git a/docs/policy/comanage-instructions-admin.md b/docs/operations/comanage.md similarity index 73% rename from docs/policy/comanage-instructions-admin.md rename to docs/operations/comanage.md index a6aaa4303..f95f9fa19 100644 --- a/docs/policy/comanage-instructions-admin.md +++ b/docs/operations/comanage.md @@ -1,15 +1,18 @@ -Approving COManage Registrations -================================ +COManage Operations +==================== OSG is using a new identity management system called COManage. This system is used for managing contact information for OSPool and PATh Facility users, Topology site contacts, and OSG/PATh staff. -User registrations must be manually approved by a COManage admin. -Follow the instructions below to approve a user registration. +Contact Registration +-------------------- + +Contact registrations must be manually approved by a COManage admin. +Follow the instructions below to approve a contact registration. !!! note - This page is for COManage Admins who want to approve user registrations. + This page is for COManage Admins who want to approve contact registrations. If you are a user who wants to register with COManage, go to the [Registering for the OSG COManage](https://osg-htc.org/docs/common/contact-registration) page instead. 
@@ -56,6 +59,29 @@ Follow the instructions below to approve a user registration. 1. The user will get an email saying "Petition for changed status from Pending Approval to Approved". +Revoking AP login access +------------------------ + +Login access to AP1 (PATh Facility) and AP40 (OSPool) is controlled by membership to COManage groups. +To revoke a user's login access to either of these APs, perform the following steps: + +1. Find the corresponding user in [COManage](https://registry.cilogon.org/registry/co_dashboards/search?q=&co=7) and + revoke access to all OSG services or just the relevant AP: + + 1. If you are revoking access to all OSG services, set the user's CO Person status to `Suspended` + + 1. If you only need to revoke access to AP1 or AP40, remove the user from the `ap1-login` or `ap40-login` group, + respectively + +1. Note the `OSG Username` identifier of the user + +1. On the AP host(s) where you are revoking access, clear the SSSD cache as root: + + :::console + root@ap-host # sss_cache -u + + Replacing `` with the `OSG Username` identifier that you noted in step (2) + Troubleshooting --------------- diff --git a/docs/policy/software-support.md b/docs/policy/software-support.md index 5ba088383..713c9310f 100644 --- a/docs/policy/software-support.md +++ b/docs/policy/software-support.md @@ -66,7 +66,7 @@ If you are on triage duty, your responsibilities are as follows: tackle the issue again. - **Review and approve/deny COManage site contact registrations:** - Follow the instructions to review site contact registrations [here](comanage-instructions-admin.md). + Follow the instructions to review site contact registrations [here](../operations/comanage.md#contact-registration). - **Review Topology data pull requests:** Review any [Topology PRs](https://github.com/opensciencegrid/topology/pulls) that update anything in the diff --git a/mkdocs.yml b/mkdocs.yml index 568589247..8af52ecd6 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -31,6 +31,8 @@ nav: - How to Request Tokens: 'software/requesting-tokens.md' - Technologies: - OSPool Containers: 'software/ospool-containers.md' + - Operations: + - COManage: 'operations/comanage.md' - Software Support: 'policy/software-support.md' - Effort Tracking: 'software/effort-tracking.md' - Release Planning: 'software/release-planning.md' @@ -57,7 +59,6 @@ nav: - Container Release Policy: 'policy/container-release.md' - 'Community Testing': 'policy/community-testing.md' - New OSPool User Registration: 'policy/new-ospool-user.md' - - Approving COManage Registrations: 'policy/comanage-instructions-admin.md' - Handling Topology/Contacts Registrations: 'policy/topology-registration.md' - Documentation: - Writing Documentation: 'documentation/writing-documentation.md'
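Review bot: In the first hunk of docs/operations/comanage.md, the change from "user registration" to "contact registration" is only partly carried through. The note still reads "If you are a user who wants to register with COManage", and the unchanged step shown as context at the top of the next hunk still reads "The user will get an email". If "contact" is now the term for the person registering, align those lines; if "user" is intentional there, a one-line definition of the two terms under the new "Contact Registration" heading would remove the ambiguity.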
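Review bot: In the "Revoking AP login access" hunk, the command as shown is `sss_cache -u` with no argument, and the sentence after it reads "Replacing `` with the `OSG Username` identifier", so the placeholder is empty in both places and an admin following the step literally has nothing to substitute. Please put a visible placeholder after `-u` and inside the backticks in that sentence, written so the Markdown renderer does not drop it. Separately, the procedure stops at clearing the SSSD cache, which only invalidates cached entries for later lookups: sessions the user already has open on the AP are not ended by it. Consider adding a step to check for and end existing sessions on the AP host, and a final check that the account can no longer log in.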
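Review bot: In mkdocs.yml, the second hunk drops the `policy/comanage-instructions-admin.md` nav entry while the page itself is renamed to `operations/comanage.md`, so the old published URL stops resolving. The only inbound link updated in this diff is the one in docs/policy/software-support.md; please confirm that nothing else in the docs tree points at the old path, and consider leaving a redirect from it in case the admin instructions are linked from outside the site.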