GMS Membership Management
GMS is a Group Management System for both authorisation to CERN systems and mailing lists. For information on the treatment of membership during the Egroups to GMS migration please see the dedicated documentation on migration.
Who can be a member of a GMS Group?
Identities
An Identity is the collection of information about a person together with all the accounts that person has linked to it.
For example: Jane Doe (jdoe) is a STAF member in BE with a CERN primary account jdoe. She has connected her LinkedIn account to her Identity so that she will be able to access her tax certificates and the alumni platform after her contract ends. She has a registered external mail jdoe@gmail.com.
If jdoe is part of a group, she is part of it regardless of whether she authenticates with LinkedIn or with her CERN account.
Unconfirmed Identities are placeholders that reserve a group membership for an email address until someone logs in with an account that matches that email. In the GMS portal they appear as Mail Recipients. This allows people to receive emails for GMS groups that are used as mailing lists even if they have never logged in to CERN.
Groups
Groups can themselves be members of GMS groups, and a nested group can in turn contain further groups or identities.
Applications
Behind each application registered in the Application Portal there is an Identity. This allows an application (usually acting as an OAuth client) to be made a group member and so receive the access rights granted via that group membership.
Mailing list recipient emails
By default, the email of the Identity's primary account is the communication email for GMS groups used as mailing lists. It can be overridden with a different email, provided that email is owned by the Identity.
Through the web interface this is done by searching by email and selecting a new member to add. The full feature is pending release.
Through the API this is done by specifying the mailingAddress property when adding members.
# Replace GROUPID with the target group's ID; API_ACCESS_TOKEN holds a bearer token for the Authorization Service API.
# The body is a JSON array, so several members can be added in one call.
curl -X 'POST' \
  'https://authorization-service-api.web.cern.ch/api/v1.0/Group/GROUPID/members/identities' \
  -H 'accept: text/plain' \
  -H "Authorization: Bearer $API_ACCESS_TOKEN" \
  -H 'Content-Type: application/json-patch+json' \
  -d '[
    {
      "id": "1234567",
      "comment": "adding by personID",
      "mailingAddress": "jdoe@gmail.com"
    }
  ]'
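The same call from a script, as an added example that is not part of the GMS documentation or the Authorization Service client code. It assumes only what the curl command above shows: the endpoint path, the three headers and the id / comment / mailingAddress member shape. The helper names, the numeric check on the person ID, the group ID format and the `send` hook used to keep the example off the network are this example's own assumptions.

```python
"""Batch-add identities to a GMS group, optionally overriding the mailing address.

Added example; not code from the GMS documentation. Endpoint, headers and the
member object shape come from the documented curl command, everything else is
assumed for illustration.
"""
import json
import os
import urllib.request

API_BASE = "https://authorization-service-api.web.cern.ch/api/v1.0"


def build_identity_members(members):
    """Turn (person_id, comment, mailing_address) tuples into the JSON array
    expected by /Group/{id}/members/identities.

    mailingAddress is only emitted when an override is requested, so members
    without one keep the Identity's primary-account email as the default.
    """
    payload = []
    for person_id, comment, mailing_address in members:
        # Assumption for this example: person IDs are numeric, as in "1234567".
        if not str(person_id).isdigit():
            raise ValueError(f"person id must be numeric: {person_id!r}")
        entry = {"id": str(person_id), "comment": comment}
        if mailing_address:
            # The address must be owned by the Identity; the service checks
            # ownership, this only rejects obvious typos before the call.
            if "@" not in mailing_address:
                raise ValueError(f"not an email address: {mailing_address!r}")
            entry["mailingAddress"] = mailing_address
        payload.append(entry)
    return payload


def add_identities(group_id, members, token=None, send=None):
    """POST the members to the group in one request.

    `send` is a hook (this example's own) that receives the prepared
    urllib Request instead of sending it, so the call can be tested offline.
    Returns (status, body) when sent for real.
    """
    token = token or os.environ["API_ACCESS_TOKEN"]
    body = json.dumps(build_identity_members(members)).encode("utf-8")
    req = urllib.request.Request(
        f"{API_BASE}/Group/{group_id}/members/identities",
        data=body,
        method="POST",
        headers={
            "accept": "text/plain",
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json-patch+json",
        },
    )
    if send is not None:
        return send(req)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Constructed sample input: one member with an override, one without.
    sample = [
        ("1234567", "adding by personID", "jdoe@gmail.com"),
        ("7654321", "adding by personID", None),
    ]
    # Dry run: print the request that would be sent instead of sending it.
    prepared = add_identities("GROUPID", sample, token="dummy",
                              send=lambda r: (r.get_full_url(), r.data.decode()))
    print(prepared)
```

Run with a real `API_ACCESS_TOKEN` in the environment and no `send` argument to perform the call; a non-2xx response raises `urllib.error.HTTPError`, whose body carries the service's error message.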
Removing non-active members
For professional GMS groups we highly recommend selecting "Purge non-active Users" in the GMS portal (removeNonActiveMembers in the API). With this option set, members are removed automatically once they are no longer active at CERN.
For GMS groups with many external members (such as clubs and alumni) we do not recommend ticking this option, because any member who is a known CERN Identity would be removed when they leave CERN.
Membership restrictions
You can enforce that members of a group are also members of one or more other groups. This feature is typically used to ensure that members who become ineligible are removed automatically based on their properties: for example, sys-admins-it-xxx has a membership restriction group of it-dep, so that people are removed from it when they leave the IT department.