The primary goal of the Authentication and Authorization Infrastructure (AAI) is to provide centralized authentication and authorization mechanisms. In an AAI-based environment, one such authorization rule might be the fulfilment of policy requirements, set e.g. in an AUP document defined by the community, service provider, or organizational unit. In general, when the resource owner or provider decides that a specific policy has to be enforced whenever the resource is used, the AAI needs to provide a mechanism for both sides to manage and fulfil this requirement. These rules need to cover several cases, e.g. active use of the resource (such as a web-based service login) as well as just-in-case scenarios like data provisioning.
This topic aims to explore the enforcement of Acceptable Use Policy acceptance as an activity of managing access to resources. We want to understand which parties (e.g. user communities, e-infrastructures, resource owners, …) need to be involved in the process and how to combine their requirements. Based on this analysis we will develop a web-based application that provides tools to manage AUPs centrally (within the AAI) and lets users approve such a policy document, recording this act.
The outcome should be a web application consisting of several modules. The first will provide tools for resource owners to define the policies. The second will serve users approving the policy requirements. Another module will act as the integration point of this component into the AAI environment, e.g. by providing an API to query whether the policy authorization requirements have been satisfied.
From the resource owner's point of view, they need tools to set up policy enforcement. At the other end of the process, a user of the resource needs to be able to mark the fulfilment of such a requirement, e.g. by making a claim of accepting the AUP document contents and promising to follow the rules described in it.
|
There is almost no user data directly handled by the application. Authentication will be abstracted by OIDC; only the user identifier (the OIDC sub claim) will be handled.
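The three modules described above (policy definition by the resource owner, acceptance by the user, and a query interface for the AAI) can be sketched as one small in-memory registry. The following is an added illustration written for this page, not code from the project; the class and function names (AupRegistry, define_policy, require, accept, outstanding, is_authorized), the resource and policy identifiers, and the OIDC sub value are all constructed for the example, and the SaToSa and Perun integration points are not modelled. Two design points a practitioner would want are shown: each acceptance is bound to the exact version and hash of the document the user saw, so a stale copy cannot be accepted, and republishing an AUP with changed text bumps its version, which automatically makes earlier acceptances insufficient until the user re-accepts.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Policy:
    """One version of an AUP document, bound to the exact text that was shown."""
    policy_id: str
    version: int
    text_sha256: str


@dataclass(frozen=True)
class Acceptance:
    """Append-only record: which OIDC sub accepted which policy version, and when."""
    sub: str
    policy_id: str
    version: int
    accepted_at: datetime


class AupRegistry:
    """Hypothetical in-memory store standing in for the application's backend."""

    def __init__(self) -> None:
        self._policies = {}      # policy_id -> current Policy
        self._requirements = {}  # resource_id -> set of required policy ids
        self._acceptances = []   # audit trail, only ever appended to

    # --- resource-owner module -------------------------------------------
    def define_policy(self, policy_id: str, text: str) -> Policy:
        """Publish (or republish) an AUP. Changed text bumps the version, which
        invalidates earlier acceptances; unchanged text keeps the version."""
        digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
        current = self._policies.get(policy_id)
        if current is not None and current.text_sha256 == digest:
            return current
        version = 1 if current is None else current.version + 1
        policy = Policy(policy_id, version, digest)
        self._policies[policy_id] = policy
        return policy

    def require(self, resource_id: str, policy_id: str) -> None:
        """Declare that using `resource_id` requires accepting `policy_id`."""
        if policy_id not in self._policies:
            raise KeyError(f"unknown policy {policy_id!r}")
        self._requirements.setdefault(resource_id, set()).add(policy_id)

    # --- user module --------------------------------------------------------
    def accept(self, sub: str, policy_id: str, version: int, text_sha256: str,
               now: Optional[datetime] = None) -> Acceptance:
        """Record that `sub` accepted the policy. The client echoes the version and
        hash it displayed, so acceptance of a stale document is refused."""
        policy = self._policies[policy_id]
        if (version, text_sha256) != (policy.version, policy.text_sha256):
            raise ValueError("stale policy presented; reload and re-accept")
        record = Acceptance(sub, policy_id, version, now or datetime.now(timezone.utc))
        self._acceptances.append(record)
        return record

    # --- integration module (what the AAI proxy would query) ----------------
    def outstanding(self, sub: str, resource_id: str) -> list:
        """Required policies that `sub` has not accepted in their current version."""
        accepted = {(a.policy_id, a.version) for a in self._acceptances if a.sub == sub}
        return [self._policies[pid]
                for pid in sorted(self._requirements.get(resource_id, ()))
                if (pid, self._policies[pid].version) not in accepted]

    def is_authorized(self, sub: str, resource_id: str) -> bool:
        """Answer the AAI's question: are all policy requirements satisfied?"""
        return not self.outstanding(sub, resource_id)


def demo() -> list:
    """Constructed walkthrough: define, require, accept, then update the AUP."""
    reg = AupRegistry()
    p1 = reg.define_policy("ls-aup", "Users shall not share credentials.")  # constructed text
    reg.require("ls-storage", "ls-aup")
    sub = "9f2a-example-sub"  # constructed OIDC sub value, not a real identifier
    steps = [reg.is_authorized(sub, "ls-storage")]       # False: nothing accepted yet
    reg.accept(sub, "ls-aup", p1.version, p1.text_sha256)
    steps.append(reg.is_authorized(sub, "ls-storage"))   # True: current version accepted
    reg.define_policy("ls-aup", "Users shall not share credentials. Report incidents promptly.")
    steps.append(reg.is_authorized(sub, "ls-storage"))   # False: version 2 needs re-acceptance
    return steps


if __name__ == "__main__":
    print(demo())  # [False, True, False]
```

In a deployment the registry would sit behind the OIDC-protected web application, the resource owner and user modules would write to persistent storage, and the proxy would call something like is_authorized during login to decide whether to release the user to the service or redirect them to the acceptance page.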
|
The final product will be tested as a part of the Life Sciences AAI (LS AAI), utilising the Proxy Identity Provider (SaToSa) and the Identity Management System (Perun) as the integration points. |
|
Date | Activity | Owner |
---|---|---|
July 20, 2022 | Kickoff meeting | Niels van Dijk |
October 25, 2022 | Public demo | Niels van Dijk |
December 15, 2022 | Final demo | Niels van Dijk |