THE VIRTUAL ORGANIZATION MANAGEMENT REGISTRATION SERVICE

L. Bauerdick, I. Fisk, A. Heavey, T. Levshina, P. Mhashilkar, R. Pordes, J. Weigand, S. White, D. Yocum, FNAL, Batavia, IL 60510, USA
A. Sill, Texas Tech University, Lubbock, TX 79409
G. Carcassi, BNL, Upton, NY 11973-5000

Abstract

Currently, grid development projects require end users to be authenticated under the auspices of a "recognized" organization, called a Virtual Organization (VO). A VO establishes resource-usage agreements with grid resource providers. The Virtual Organization Management Registration Service (VOMRS), developed at Fermilab, provides a comprehensive set of services that facilitates management of VO membership and privileges. It implements a registration workflow that requires email verification of identity, VO usage policy acceptance, and membership approval by designated VO representatives or administrators, and it allows for the management of multiple grid certificates and the selection of groups and roles. VOMRS maintains a VO membership status and a certificate-level status for each member, allowing for VO-level control of a member's privileges and membership. VOMRS is capable of interfacing to local systems with personnel information (e.g., the CERN Human Resource Database) and pulling relevant member information from them. VOMRS membership data can be configured to synchronize with the VOMS system (developed jointly for DataTAG by INFN and for DataGrid by CERN), providing it with all approved members' certificates and privileges. The current architecture and state of deployment will be discussed.

VOMRS SCOPE

VOMRS offers a comprehensive set of services that facilitates secure and authenticated management of VO membership, grid resource authorization and privileges. It implements a registration workflow providing means for collaborators to register with a Virtual Organization (VO). VOMRS supports management of multiple grid certificates per member and permits VO-level control of a member's privileges.
It offers a subscription service that sends email notifications when selected changes are made to information about a member's VO membership status and/or when actions are required by members or administrators. VOMRS supports VO-level control over the trusted set of Certificate Authorities (CAs). It provides the capability to delegate responsibility among several VOMRS administrators for approval of VO membership, group membership and group roles. It is capable of interfacing with other third-party systems, allowing membership information to be shared.

VOMRS Place in the Grid World

The VO management and authorization infrastructure consists of several independent modules:

VOMRS [1]: the registration service.

VOMS [2]: the EGEE VOMS Admin service provides distributed storage of member DNs, CAs, groups and roles, and a means to handle this data. The DataTAG VOMS Core service generates an extended proxy upon a member's request, which includes group and role as extended attributes.

PRIMA [3]: the PRIMA authorization module provides fine-grained authorization utilizing the extended attributes of the VOMS proxy: on the Compute Element (CE) node through a Globus gatekeeper callout, and on the Storage Element (SE) node through the gPlazma system.

GUMS [4]: provides site-consistent user and group assignment, together with interfaces and extensions to the data storage systems.

Additional security services deployed at the grid site (e.g. SAZ [5] at Fermilab) that provide an additional level of authorization control over site grid resources.
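As an added illustration (not code from the VOMRS project or this paper), the following Python model shows how a VO membership status, a per-certificate status and a VO-controlled trusted-CA set together decide which certificates and privileges would be synchronized to VOMS; the status values, field names and sample members are constructed for this example.

```python
# Added example (not VOMRS code): a minimal model of the VO-level controls the
# paper describes -- a membership status and a per-certificate status for each
# member, a trusted-CA set, and the (DN, CA, groups/roles) subset pushed to VOMS.
from dataclasses import dataclass, field

APPROVED, PENDING = "approved", "pending"   # constructed status values

@dataclass
class Certificate:
    dn: str
    ca: str                     # issuing CA DN
    status: str = PENDING       # certificate-level status, set by VO admins

@dataclass
class Member:
    email_verified: bool        # email verification of identity
    policy_accepted: bool       # VO usage policy acceptance
    status: str = PENDING       # VO membership status
    certs: list = field(default_factory=list)
    groups: dict = field(default_factory=dict)   # group -> set of roles

def approve_member(m: Member) -> bool:
    """Approval only after the earlier workflow steps are complete."""
    if not (m.email_verified and m.policy_accepted):
        return False
    m.status = APPROVED
    return True

def voms_sync_entries(members, trusted_cas):
    """Export only approved members' approved certs from CAs the VO trusts."""
    entries = []
    for m in members:
        if m.status != APPROVED:
            continue
        for c in m.certs:
            if c.status == APPROVED and c.ca in trusted_cas:
                entries.append((c.dn, c.ca, {g: sorted(r) for g, r in m.groups.items()}))
    return entries

def demo():
    """Constructed VO: Alice is fully registered with two certificates, one from
    an untrusted CA; Bob has not accepted the usage policy."""
    alice = Member(True, True, groups={"/cms": {"admin"}}, certs=[
        Certificate("/DC=org/CN=Alice", "/DC=org/CN=CA-A", APPROVED),
        Certificate("/DC=org/CN=Alice", "/DC=org/CN=CA-X", APPROVED)])
    bob = Member(True, False, certs=[Certificate("/DC=org/CN=Bob", "/DC=org/CN=CA-A", APPROVED)])
    approve_member(alice)
    approve_member(bob)
    return voms_sync_entries([alice, bob], trusted_cas={"/DC=org/CN=CA-A"})
```

Revoking trust in a CA or suspending a member or certificate removes the corresponding entries from the next synchronization without touching the other records.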