The CO

WORKSHOP OVERVIEW: COmanage Workshop: Managing Identities & Collaborations

LESSON OVERVIEW: CO320 - Modeling Your Organization in COmanage

NEXT EPISODE: 2. The COUs

COmanage is a multi-tenant tool. This means that each installation can express one or more top-level tenants, each called a Collaborative Organization or CO⚙️ object. Individuals are added to these fundamental objects, but once there, they can be included in multiple sub groups of the CO⚙️.

1. The Collaborative Organization (CO⚙️)

The term “Collaborative Organization” or CO⚙️ refers to any formal or informal group of individuals that work collaboratively in a digital setting. They have a goal of a shared infrastructure that supports their collaborations so that the traditional limitations of localized applications may be overcome. In the last lesson, we referred to this group of individuals as "your organization or collaboration." Going forward we will just use the term CO⚙️.

Some traits of these COs⚙️ include:

  • These individuals use a common workflow for adding collaborators.
  • They share common policies for vetting the identities of collaborators.
  • They may include individuals in a single organization, or individuals may be in multiple organizations, geographically different regions, or even work independently.

While COmanage can support multiple COs⚙️, it is rare for deployers who are just getting started to have more than one. During this workshop, each of us will be working with just one CO⚙️.

Administrator Roles

COmanage Registry defines several types of administrators.

CO Administrators👑

CO Administrators👑 are super users within a CO. The types of activities that a CO Administrator👑 can do include:

  • Configure a CO⚙️
  • Add people to the CO⚙️ (using an enrollment workflow; we will talk about these in a future lesson)
  • Manage CO Person⚙️ information for people connected to the CO⚙️
  • Create and manage sub groups within the CO⚙️ (we will be talking about these sub groups in the next section)
  • Connect the CO⚙️ to applications through provisioning, to enable or disable access to and use of those applications by those in the organization or collaboration

Other top-level administrators

CMP Administrators👑 (aka Registry Admins)

CMP Administrators👑 (COmanage Platform Administrators) are effectively super users, with the ability to perform almost all operations on the platform. The types of activities that CMP Administrators can do include:

  • Configure the COmanage platform including creating new COs⚙️
  • Everything that a CO⚙️ Administrator can do EXCEPT adding people using an enrollment workflow (unless the CMP Administrator is explicitly granted this permission in the workflow)

System Administrators👑

System Administrators👑 have privileges that enable them to maintain the COmanage application. These capabilities include the ability to provision cluster resources (for example, hardware, virtual machines, etc.), register and maintain IP addresses, administer application upgrades, manage and conduct operating system upgrades, and conduct backups.

Hands on - The organization model - COs

Interactive system activity

In this lesson, each of you will start to build an organizational model to serve as an example. Using the Modeling Organization 📝 worksheet, write down a name for the CO⚙️ you will be working with for the workshop. Consider the people that you outlined in the first lesson, and pick a CO⚙️ to which these individuals would belong (along with the person's memberships that you have outlined).

[5 min]

Hands on - CO Settings

Interactive system activity

COs⚙️ have a number of settings that dictate how they will behave. These settings are outlined on the worksheet, CO Planning Worksheet 📝.

Most CO Settings only make sense in specific contexts and may need additional set up to take effect. For example, the automatic expiration setting only makes sense once Expiration Policies are defined.

As we review each of the settings, mark the values for each on the worksheet for your CO⚙️.


There are several features that can be enabled on a CO⚙️. The default values will be sufficient for most needs:

  • Automatic expiration (default: enabled) - In the last lesson we learned that CO Person⚙️ objects have a validity date range. The status of the CO Person⚙️ can be set to expired when the validity date range has passed. Here you can disable this feature of automatic expiration.
  • Organizational Identity Source⚙️ sync (default: enabled) - As you know from our last lesson, the cached Organizational Identity Source Record⚙️ can be automatically synced to its source according to its defined schedule. Here you can disable this automatic processing.
  • Normalizations (default: enabled) - COmanage supports the concept of data normalization. For example, upon entering the text " los angeles " into a field, normalization could correct that to "Los Angeles". Here you can disable this automatic processing.
  • NSF Demographics (default: disabled) - COmanage supports the collection of NSF Demographic Information. Here you can enable this collection.

Validity Timeframes

  • Re-provisioning (default: 1 day (1440 min)) - COmanage can enable information exchange to external systems through provisioning. If the validity status of the CO Person⚙️ changes, you likely will want provisioning to change as well. This setting allows you to set a delay before this action occurs to provide flexibility to correct inaccurate status changes.
  • Email confirmation (default: 1 day (1440 min)) - Email addresses can be confirmed through COmanage. This security setting allows you to automatically expire the confirmation link after a set period of time.

Data fields

In this section, you can set the required fields for physical addresses and names. You can also set what name fields are permitted.

Use rules

  • Sponsor Eligibility Mode (default: CO or COU Admin) - We have not yet talked about sponsorship or many of these roles. This setting determines who is eligible to sponsor others.
  • Terms & Conditions (default: not enforced) - COmanage can require users to accept terms & conditions when they log in. You can use this setting to turn on this feature.

[15 min]

Hands on - Create a CO⚙️

Interactive system activity

We will now implement what you have specified on your worksheets.

Sign into COmanage

  1. Using the credentials you specified as part of the COmanage setup, sign into the system. These credentials have Platform Administrator privileges which enable you to create COs⚙️. Once you sign in you will see a list of available collaborations.

Create a CO⚙️

REQUIRED ROLE: CMP Administrator👑

  1. From the menu, select Platform > COs to display the CO Management Overview List.

Screen shot - Navigate to the CO Management Overview List

  2. Click the "Add CO" link above the table on the right side to add a new CO⚙️.

Screen shot - CO Management Overview List

  3. Fill in the fields from the Metadata section of CO Planning Worksheet 📝:

    • The name of your CO. This name will be displayed on lists and elsewhere. It is a good idea for this name to be descriptive, but relatively short.
    • Description. Write a short description of your CO. This description will be helpful for those who may not be familiar with your CO's name.
    • Status. There are three choices for the status:
      • Active - you will select this one. Your CO will be immediately active upon its creation. SELECT THIS VALUE
      • Suspended - Useful if you do not want your CO to be active.
      • Template - Useful if you want to create several COs based on the configuration from this one.
  4. Click the ADD button to save your new CO⚙️.

Configure your CO⚙️ Settings

REQUIRED ROLE: CMP Administrator👑 -OR- CO Administrator👑

  1. Navigate back to the Collaborations List by selecting "Collaborations" from the menu.
  2. From the Collaborations list page, click on the name of the Collaboration that you just created.
  3. In the CO menu, click on the "Configuration" link to see the list of customizations that you can make. Click on the first link, CO Settings to adjust the settings.

Screen shot - Navigate to COSettings Configuration > CO Settings

  4. Using the values that you put in your CO Planning Worksheet 📝, adjust the settings for your CO.
  5. Click the SAVE button to save your work.

Establish a CO Administrator👑

Now that you have created a CO, you should set up at least one person as its administrator. For this example, you do not yet have any CO Persons⚙️ that you can assign to this role. Instead, you will manually create records to create a CO Person⚙️ and set up yourself as that administrator.

  1. Ensure that you are signed in and are looking at the CO that you created.
  2. Navigate to the Organizational Identity List using the menu on the left by clicking People > Organizational Identities

Screen shot - Navigate to People > Organizational Identities

  3. Click on the Add a New Organizational Identity link to open a form to create a new Org Identity⚙️. NOTE: generally you will not be performing this function manually, so we will include the minimum attributes and information here.

Screen shot - click Add a New Organizational Identity

  4. We will be adding the Org Identity⚙️ for the person that you have listed as the CO Administrator👑 on your Workshop Reference Document. You have the following values (although you are welcome to fill out additional fields if desired):
    • Given Name (givenName)
    • Family Name (sn)

When you are finished, click the ADD button to save the new Organizational Identity. This action will bring you to the edit form for the Org Identity⚙️.

  5. You will need an email address associated with this Org Identity⚙️ to send an invitation to this person to sign in. Add the email address for the person by clicking the Add button in the Email addresses section. Fill in the form that is presented with the email address for the individual, and click the ADD button to add the email address.

Screen shot - click Add Email

  6. You also will need an identifier for this person that will match the account that they will use to sign in. Click the Add button in the Identifiers section. Fill in the form that is presented with the ePPN (including the scope). Be sure that:
    • The Type is "ePPN"
    • The Login is checked, indicating that this is the identifier that will be used for the person to sign in
    • The Status is "Active"

Screen shot - click Add Identifier

  7. Now that you have an Org Identity⚙️ with an email address, you can invite this person (you!) to be a member of your CO⚙️. On the menu on the left, select People > Invite to start the process. This action will bring you to a list of Org Identities⚙️ that have an email address and have not yet become a part of the CO⚙️ or been invited to join. You will see the Org Identity⚙️ that you created on this list.

Screen shot - Find a person to invite to your CO

  8. Click the Invite button, review the form that appears as a result, and then click the "SEND INVITE" button. This action will send an invitation email to the address stored, and will add a CO Person⚙️ attached to the Org Identity⚙️ to the CO⚙️. This means that this new CO Person⚙️ will appear in the population list for the CO. (The population list appears once the invitation is sent.)

Screen shot - My Population List

  9. Before this person's invitation will work, enabling the person to sign in, you will need to make a few more changes. (Don't worry too much about these steps at the moment. We will go over them in depth over the next several lessons.)
    • Add a role for the person. From the My Population List (displayed as a result of the previous step), click on the Edit button to open the edit form. In the Role Attributes section, click the Add button to add a role. Don't make any changes to the form that is displayed - just click the ADD button. Click the SAVE button to return to the original form.
    • Add the person to the CO:admins group. In the Groups section, click the Manage Group Memberships link. For the CO:admins group, check the Member checkbox in the Actions column. Click the SAVE button at the bottom of the list to save this action. Navigate back to the CO Person⚙️ to check that this person is now a part of the administrators group for the CO⚙️.

Screen shot - CO Person Edit screen with "Manage Group Memberships" highlighted

  10. Look for the invitation at Mailinator. In a new browser window, navigate to Mailinator. In the box at the top of the screen, type the email address of the person that you just invited to see that person's public inbox. (Note: this is just for demonstration purposes. Of course, you wouldn't use Mailinator email addresses when really inviting people.) When you click the Go! button, you will navigate to the inbox.

Screen shot - Mailinator

  11. Open the invitation email. Copy the link address (Mailinator will not provide functioning links, so you must copy the text).

  12. Open a PRIVATE or INCOGNITO browser window and paste the URL in the address field to view the result of the invitation. Click on the Accept button to accept the invitation.

Screen shot - Accept the invitation

  13. From this same PRIVATE or INCOGNITO browser window, log in as the CO Administrator that you just added. You will need to use this user's UID and the training password.

CONGRATULATIONS!! You have just created and configured your first CO.

[25 min]

Terminology & resources

COmanage Objects ⚙️

  • CO⚙️ - Any formal or informal group of individuals that work collaboratively in a digital setting. They have a goal of a shared infrastructure that supports their collaborations so that the traditional limitations of localized applications may be overcome. [CO320-01, this section]

From CO310 - Modeling People in COmanage:

  • CO Person⚙️ - The representation of a person in COmanage. [CO310-01]
  • CO Group⚙️ - A specific COmanage organizational structure for representing certain collections of CO Persons⚙️. [CO320-03]
  • Organizational Identity Source⚙️ - Information about a person as obtained from an external source such as LDAP, netFORUM or ORCID. [CO310-02]
  • Organizational Identity Source Records⚙️ - COmanage's cached value of the values at the source. [CO310-02]
  • CO Person Role⚙️ - The representation of a person's role in COmanage. This object describes the person's role with certain collections of people within your organization or collaboration. These objects are attached to CO Person⚙️ objects; there may be any number of Roles. [CO310-04]

CO Person Roles 👑

  • CMP Administrators👑 - CMP Administrators are effectively super users, with the ability to perform almost all operations on the platform. [CO320-01, this section]
  • CO Administrators👑 - CO⚙️ Administrators are super users within a CO. These individuals belong to the CO:admins group of the CO⚙️. [CO320-01, this section]
  • System Administrators👑 - System Administrators have privileges that enable them to maintain the COmanage application. [CO320-01, this section]

Worksheets 📝

  • Modeling Organization 📝 - Planning sheet used in this lesson for understanding how the parts of the COmanage Organization fit together. [CO320, this lesson]
  • CO Planning Worksheet 📝 - Planning worksheet for creating your CO(s). Contains all of the configuration sections at a glance. [CO320-01, this section]

From CO310 - Modeling People in COmanage:

  • Modeling People 📝 - Planning sheet used in this lesson for understanding how to model people in COmanage. This sheet is used to organize how specific people and their relationships would be expressed within COmanage. [CO310]

