.. _iam-group-naming:

IAM Group Naming
----------------

.. note::
    - **Last modified by**: Rob Barnsley
    - **Last modified date**: 18/11/2024
    - This is a work in progress and has not been subject to any formal approval.

The current naming convention for IAM groups follows the premise that permissions will need to need to be allocated for
two independent resources: **data** and **services**.

Data
^^^^

For data, the convention couples closely with the concept of **scopes** (namespaces) in Rucio. To access data in a
particular ``<namespace>``, one must be a member of a *subgroup* of the corresponding data group
``data/namespaces/<namespace>``. Which subgroup to be allocated is dependent on the access level permitted; currently
only one access level exists: ``owner``, i.e. ``data/namespaces/<namespace>/owner``. In the future, new access levels will
undoubtedly be required to further restrict by method of access.

Other subgroups of the ``data`` group may also exist in the future to accommodate the other native Rucio data types for
encapsulation, **datasets** and **containers**, so ``data/datasets/...`` and ``data/containers/...`` respectively, but
this is dependent on the chosen data model which is TBD.

Services
^^^^^^^^

For services, there is a further subcategorisation to distinguish between **global** and **local** services.

Global
~~~~~~

Groups for global services exist under ``services/<service>``. The level of access to each of the services is determined
by membership of the ``roles`` subgroup of each service. The values for ``<service>`` are listed under the **global**
array attribute at the Site Capabilities list service types endpoint,
`here <https://site-capabilities.srcdev.skao.int/api/v1/services/types>`_.

For ``-api`` services, the possible subgroups of ``roles`` can be viewed at the policy package endpoint for each service:
``https://permissions.srcdev.skao.int/api/v1/policies/route/<service>/latest``, where ``<service>`` is one of the types
above, e.g. `for the Data
Management API <https://permissions.srcdev.skao.int/api/v1/policies/route/data-management-api/latest>`_ there are
two roles subgroups: ``admin`` and ``developer``, i.e. ``services/data-management-api/roles/admin`` and
``services/data-management-api/roles/developer`` respectively.

For other services, the roles subgroups are application dependent, correlating with how the application partitions
access.

Local
~~~~~

Groups for local services exist under ``services/<src>/<service>`` where ``<src>`` is one of the formally recognised
names in the :doc:`SRC naming scheme </standards/src_naming>`. The level of access to each of the services is
determined by membership of the ``roles`` subgroup of each service. The values for ``<service>`` are listed under the
**local** array attribute at the Site Capabilities list service types endpoint,
`here <https://site-capabilities.srcdev.skao.int/api/v1/services/types>`_.

The roles subgroups are application dependent, correlating with how the application partitions access.