1.0 Overview
This document defines the policy and guidelines for account access into the Institute for Computational and Data Sciences (ICDS) high performance computing (HPC) systems. These resources are provided in conjunction with complimentary services to serve Penn State’s academic research community.
2.0 Purpose
The purpose of ICDS-P030 is to establish policy for the lifecycle management of ICDS accounts that are in concurrence with the latest revision of this document.
Use of ICDS resources is restricted to facilitating research within the University or other function(s) pre-approved by the ICDS Director or their designee. Anyone violating these guidelines and/or policy is subject to suspension and/or termination of their ICDS account.
3.0 Professional Acknowledgement
Users are asked to acknowledge their use of ICDS resources in resulting publications and reports with the following statement:
“This research or portions of this research were conducted with computational resources provided by The Institute for Computational and Data Sciences at The Pennsylvania State University (https://ICDS.psu.edu).”
Users are allowed to augment this statement with additional details to incorporate specific information as desired.
4.0 Scope
ICDS-P030 applies to any person with an ICDS user account, regardless of Penn State affiliation, as well as anyone who sponsors an individual with an account. In the absence of specific ICDS guidelines and policies, Penn State policies apply. ICDS-P030 augments the following Penn State policies:
- AD11 – University Policy on Confidentiality of Student Records
- AD95 – Information Assurance and IT Security
- AD96 – Acceptable Use of University Information Resources
- HR102 – Separation and Transfer Protocol
5.0 Guidelines Policy
5.1 ICDS Accounts
ICDS user accounts are composed of user categories as described in the table below:
User Category | Description |
---|---|
Principal Investigator (PI) | A Penn State faculty or leadership sponsor typically overseeing a research effort. PIs may sponsor any number of accounts, but these accounts must be used for research or education use only. PIs are responsible for all their sponsored account users. These accounts are subject to periodic review and will have to be renewed if the sponsoring faculty or the account holders change their university affiliation or fail to comply with Penn State or Roar account policies. All user accounts will be assigned resources and job priority based on the allocations and priorities of their sponsoring PI. For additional details related to education use, please see “classroom support policy”. |
Students/Postdocs/Researchers | Any graduate student, undergraduate student, postdoc, or other researcher supporting a PI’s research |
Staff | Any Penn State employee supporting a PI’s research. |
Sponsored Guests | A person supporting a PI's research who is not currently affiliated with Penn State University and who works closely with a PI. |
ICDS account User IDs are based on Penn State Access ID.
5.2 ICDS User Account Requests
User accounts are available through an account request process (ref. section 8.2 Workflow diagram). The accounts are governed by the following requirements for all users and sponsors.
5.2.1 Users
- User accounts are available to Penn State faculty, students, postdocs, staff, and sponsored guests already having a University access ID.
- Sponsored Access Accounts must be requested by the PI through the Accounts Office (https://accounts.psu.edu/).
- ICDS will not be responsible for creating sponsored accounts.
- ICDS User Accounts for Penn State students, postdocs, staff, and guests require a PI sponsor (reference section 5.2.2, Sponsors)
- New users must submit a completed online Account Request form for a user account
- The account request form may be accessed directly via Penn State Web Access https://accounts.aci.ics.psu.edu/ or via the ICDS web site https://ICDS.psu.edu/ and selecting “Account Request”
- User Account requests are processed through the Client Support Center. Please contact Client Support Center staff at icds@psu.edu for assistance with requests if necessary
- Additional approvers may be required as necessary depending upon the details provided in the account request (e.g. computational and data requirements that span multiple departments)
- The account holder and their sponsor will be notified via email that the account request has been processed and an account has been created (or denied)
- ICDS will periodically review accounts, in accordance with Penn State policies. During this review, users that have lost affiliation with Penn State will be marked Inactive (see 5.6 Account Lifecycle).
- If a user would like to delete or mark an account as inactive, because they are leaving Penn State or otherwise lose affiliation with Penn State, they can notify ICDS via email to icds@psu.edu.
- Users are responsible for promptly notifying ICDS via email to icds@psu.edu if their sponsor needs to be changed (e.g. sponsor leaves or otherwise loses affiliation with Penn State)
- Users may be asked periodically by ICDS to renew their account.
- Users and their sponsors will be notified when their account has violated ICDS or Penn State policy
- Actions, including suspension or termination of the account, may be taken at the discretion of ICDS account managers. Please reference section 6.0 Enforcement later in this document.
- By providing your email address, you are subscribing to the Institute for Computational and Data Sciences news feed and will receive occasional emails with useful information about funding, training, system status (outages) and other opportunities. If you do not wish to receive the ICDS news feed, you may unsubscribe yourself. You will still receive emails related to system status.
5.2.2 Sponsors
- Accounts must be sponsored by Penn State faculty or other Penn State staff who have been pre-approved as sponsors by ICDS. Sponsors are herein referred to as a Principal Investigator (PI). PIs are responsible for overseeing the use of their sponsored accounts.
- A PI can sponsor multiple users, and users can be affiliated with multiple PIs. Users only require one sponsor.
- Account PIs are responsible for promptly notifying ICDS via email to icds@psu.edu if they cannot fulfill their duties as a sponsor (e.g. due to leave of absence from Penn State or loss of affiliation with Penn State). Account deactivation is included as part of the OIS leave/termination checklist.
- Account sponsors are responsible for promptly notifying ICDS via email to icds@psu.edu if any of their sponsored accounts should be terminated (e.g. a sponsored user leaves Penn State)
- PIs will be notified when an account that they sponsor has violated ICDS or Penn State policy
- Actions, including termination of the sponsored account, may be taken at the discretion of ICDS account managers. Please reference section 6.0 Enforcement later in this policy.
- PIs are responsible for oversight of accounts that they sponsor
- Sponsored accounts that violate policy are subject to suspension or termination of all of a PI’s sponsored accounts, including their own
5.2.3 Federated Accounts
ICDS services may support access to systems and data via federated authentication. Contact icds@psu.edu for further information.
5.2.4 Advanced Users
- All user accounts must operate under the principle of “least privilege” to ensure that processes operate at privilege levels no higher than are necessary to accomplish required functions
- Users may request an exception through an ICDS exceptions process to have elevated permissions on Roar instances to accomplish legitimate research needs. Approval is at the discretion of ICDS. This type of access is typically reserved for “Bring your own system” contracts.
- Users with the capability for elevated permissions are not permitted to enable elevated permissions for other accounts.
- Contact icds@psu.edu for further information.
5.3 Account Administration
User account requests and modification records are retained according to auditing requirements for OIS Level 3 and Level 4 data access control and as required by the funding grant agency.
5.4 Account Attributes
Accounts are configured with the following attributes and associated data storage options.
Special requests should be submitted via an email to icds@psu.edu and are subject to ICDS exceptions process. All accounts are subject to the Account Audit process.
Attribute | Description |
---|---|
Account Name | Penn State employee/student ID or Sponsored Access Account User ID |
Computation Access | Dependent upon the PI’s Roar plan and associated Service Level Agreement (SLA). Plan options include: • Guaranteed Response Time purchased allocation • Open Queue - no cost Temporary 30-day trial • Try an allocation – no cost |
Job Submission | Dependent upon the PI’s Roar plan and associated SLA |
Storage Directories | See ICDS policy on data protection and retention |
Wall Time | • 14 day wall time limit for Open Queue • No wall time limit for paid accounts • Wall time allocations will be impacted by planned outages |
Software Stack | Access to existing pre-installed software packages. The stack includes application-driving software (e.g., compilers and communication libraries) and commonly used research applications. See ICDS policy P040 Software Policy |
5.5 Account Modifications
Requests to change account attributes must be submitted to icds@psu.edu. All account modifications must be approved by an ICDS account consultant and verified by the sponsor of the account.
5.6 Account Lifecycle
The following table lists the possible states for a Roar account.
Account State | Description |
---|---|
Pending | Login requires additional automated interaction (nightly batch processing) |
Active | Login directly |
Inactive | Login requires a state change initiated by either the end user or the ICDS Operations Team. Note: Inactive status may result from system default settings or manual intervention by System Administrators. Refer to Account Reinstatement for account restoration |
Deleted | Previously existing account is removed from the accounts system. |
The lifecycle of an account is dependent upon the user account type. The following table lists the maximum authorization periods for the different user categories:
User Category | Maximum Authorization Period |
---|---|
Faculty/PI | Indefinite as long as University affiliation is maintained or upon request for change to “Inactive” |
Students/Postdocs/Researchers/Staff | Two years or as authorized by the Sponsor; with annual review |
Sponsored Guests | One year or as authorized by the Sponsor; with annual review |
Account holders who leave the University will maintain their Roar account as long as their original Penn State Access ID remains active. See Identity Services’ “Access Account Deactivation and Extension” site for more details, including the default duration.
Faculty/PIs who leave Penn State and whose Roar account has transitioned into an “Inactive” state can reacquire a Roar account by first requesting a Sponsored Guest account from ITS and then submitting a Roar account request.
Accounts may be transitioned to “Inactive” in certain situations at the discretion of ICDS in coordination with the ICDS Leadership team. Situations where this can occur include:
- Any violation of Penn State or ICDS policies, guidelines, and procedures.
- Possible account compromise
- Loss of Penn State affiliation (in which case the user may be eligible for a sponsored guest account)
- Upon request of a sponsor who oversees the use of the account
- Activities deemed by ICDS as misuse of system resources
- In support of audit and account refresh events
All manual intervention instances will be adjudicated by ICDS Leadership for subsequent account restoration and administering corrective action as required.
Faculty/PIs who leave the University may transfer their sponsored accounts to other faculty/PIs upon mutual agreement of all parties involved.
The state of a sponsored account will parallel the state of the associated sponsoring account, with the exception of any sponsored account that previously has had separate actions taken against it. A sponsored account with multiple sponsors will remain active as long as one of the sponsoring accounts is active.
5.7 Account Deletion
The handling of any data associated with a terminated account is discussed in ICDS-P020: Data Protection and Retention.
5.8 Account Transfer and End User Status Changes
User accounts are only to be used by the individual to whom the account is assigned. Although data associated with an account may be transferred to another individual via processes outlined in ICDS-P020: Data Protection and Retention, a user account itself may not be transferred to any other individual.
5.9 Access Control
All access to ICDS resources should only be executed in a secure manner:
- All account credentials must be stored and transmitted in a manner meeting University and ICDS requirements
- Account holders are not permitted to enable “Guest” accounts or anonymous access to data or services hosted on ICDS secured resources, except where designated on collaborative environments.
- ICDS will provide a list of approved remote access mechanisms both on the ICDS website https://ICDS.psu.edu/ and in the account approval message to end users
- Shared accounts are not allowed on Roar resources, and it is the responsibility of the PIs to make sure that their sponsored users are aware of this. Sharing passwords or credentials is a violation of University and ICDS policies and procedures. (Reference AD96: https://policy.psu.edu/policies/ad96)
Remember: ICDS personnel will NEVER ask for a password.
All users, internal or external to ICDS, are required to lock their system in accordance with University policy and standards (i.e. AD95).
5.10 Compromise Response
See ICDS-P070 Incident Response Policy.
6.0 Enforcement
All account policies exist to facilitate research. Any PI, Faculty, Student, or Sponsored Guest violating any of the above policies is subject to immediate termination of their account. Data will be retained and can be transferred to the PI. Any employee, student, or visitor found to have violated Roar-P030 may be subject to disciplinary action by their administrative unit, the college, or the University.
7.0 Supporting Documents
ICDS-P020: Data Protection and Retention