Responsible partner: CESNET

PERUN is an identity and access management system. It covers management of the whole user life cycle, including user registration, expiration or suspension of the user. It is a tool, whose key features are virtual organisation management, user management, group management, resource management and service management. The system can be customized for various use cases. PERUN has been designed to work in distributed environments like identity federations and grids.

PERUN does not manage primary user identities; users have to come with some existing identity like federated identity, social identity or digital certificate. Users can link those identities, so they will be recognized properly even if they use different identities. Users does not need to create any additional credentials, because PERUN can publish linked identities to the end services.

Because user communities usually already have some local user/group management system which cannot by simply connected to the federated services, PERUN supports import/export of existing users/groups. Currently, there is support for communication with external sources using VOOT, SAML2, LDAP, VOMS, SQL (MySQL, Oracle, SQLite) or import data from XML and CSV files. Synchronization can work in both ways.

Basic component for group management is virtual organisation (VO), this concept has been adapted from computational grid environments. Every VO can have several groups and each group can be nested like a tree, so it can have its own subgroup, where the access rights are inherited in the same way. Users be in several VOs as well in any number of groups. Each VO and each group has its own VO/group managers. VO can have not only groups but also resources which represent services to which VO members can have an access. Actually, access management in PERUN is done on group level. Every group can have an access to VO’s resources. The responsibility for the group management can be delegated from VO manager to the group manager. The group manager can be specific user from the VO or other exiting group in VO. Those group administrators obtain permissions to handle the access to resource/service via group membership, so the VO manager is not the only responsible person and does not have to handle all permission/membership issues in the VO.

PERUN is specific for its push mechanism which is used for delivering data about users and groups (authorization data) to the end services. Access management for federated services is supported by attribute authority (managed by PERUN), but the services which need to know about the user in advance (e.g. videoconferencing systems, reservation systems, computational resources) cannot use attributes about the users from identity federation, because they come when the user logs in. PERUN is able to push the information about users/groups to those services via various communication channels.

PERUN provides its functions and components via various APIs. The basic API is REST-like API, using JSON as a data container. In case some external system wants to use PERUN’s functions and components and does not want to use RESTlike API, there is possibility to connect via Java library, JavaScript library, PERL library or PHP library. PERUN pushes also information to the LDAP which is then used by Attribute Authority or Identity Provider, so information stored in PERUN can be used in identity federation world.

PERUN has several production deployments where manages tens of thousands users, hundreds of virtual organizations and manages access to nearly 2000 services.

License: FreeBSD License
Current deployments: Czech eInfrastructure, EGI, ELIXIR, SAGRID, Masaryk University
Modes of deployment: as a service or as a VM
Sustainability model: Maintained by CESNET and Masaryk University