====== Entitlement attribute ======

The Proxy IdP can release the Entitlement attribute. This attribute specifies the particular services a user has a right to use. Its values are defined by agreement between the identity provider and the service provider. It consists of:

  * **A list of groups** - the groups the user is a member of and that the service is interested in
    * Group entitlement (only VO) - value: //urn:geant:muni.cz:group:MU#idm.ics.muni.cz//
    * Entitlement (only group in VO) - value: //urn:geant:cesnet.cz:group:einfra:group1#perun.cesnet.cz//
  * **Resource capabilities** - used to indicate rights to resources; expressed in a URN namespace which is used for representing group membership and role information.
    * Resource capabilities - value: //urn:geant:cesnet.cz:res:TestingCapabilitiesValue1#perun.cesnet.cz//
  * **Forwarded entitlement** - this attribute is provided by organizations, with no possibility of change.
    * Forwarded entitlement - value: //urn:geant:muni.cz:group:MU#idm.ics.muni.cz//

===== Description of the attribute values =====

Here is an example of an attribute value and its description. The syntax can look like: //urn:geant:cesnet.cz:res:TestingCapabilitiesValue1#perun.cesnet.cz//

  * **urn:geant:cesnet.cz** - a prefix which represents the namespace of the Proxy IdP
  * **res:TestingCapabilitiesValue1** - a value
  * **perun.cesnet.cz** - a suffix which represents the authoritative provider of the attribute

===== How to set resource capabilities (the old GUI) =====

  - Find the service, which is represented by a facility in the system. You will find it in the "Facility manager" board on the left, where the option "Select facility" is located.
  - Once you have chosen the facility, you can create a new resource. Just click on "create".
  - Fill in "name", "description" and "for VO". In the next step, click on "Finish".
  - Open the new resource and then the "service settings" tab. Here you can set the attribute "resource capabilities". It has the form **res:** followed by the name of the resource. Then save it.
  - Then ask a manager of the VO to assign the group to this resource.
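
The value syntax described above (prefix, value, suffix after ''#'') can be checked on the service side with a small parser. The following is an added example, not code from the Proxy IdP or Perun; the names ''parse_entitlement'' and ''is_authorized'' are hypothetical, and it assumes the service trusts exactly one namespace and one authority.

```python
from typing import NamedTuple, Optional


class Entitlement(NamedTuple):
    namespace: str  # prefix, e.g. "urn:geant:cesnet.cz"
    kind: str       # "group" or "res"
    value: str      # e.g. "einfra:group1" or "TestingCapabilitiesValue1"
    authority: str  # suffix after '#', e.g. "perun.cesnet.cz"


def parse_entitlement(raw: str) -> Optional[Entitlement]:
    """Split one value into its parts; return None if it does not fit the syntax."""
    body, sep, authority = raw.strip().rpartition("#")
    if not sep or not body or not authority:
        return None  # the authority suffix is mandatory
    parts = body.split(":")
    # Expected layout: urn : geant : <domain> : <group|res> : <value...>
    if len(parts) < 5 or parts[0] != "urn" or parts[1] != "geant":
        return None
    domain, kind = parts[2], parts[3]
    value = ":".join(parts[4:])  # group values may contain ':' (einfra:group1)
    if not domain or kind not in ("group", "res") or not value:
        return None
    return Entitlement(f"urn:geant:{domain}", kind, value, authority)


def is_authorized(values, kind, value, trusted_namespace, trusted_authority):
    """True only on an exact match of kind, value, namespace and authority.

    Comparing parsed fields avoids the pitfalls of substring matching, where
    "TestingCapabilitiesValue10" or a value from another authority would pass.
    """
    for raw in values:
        ent = parse_entitlement(raw)
        if ent is None:
            continue  # malformed values never grant access
        if (ent.kind, ent.value) == (kind, value) \
                and ent.namespace == trusted_namespace \
                and ent.authority == trusted_authority:
            return True
    return False


# Sample values taken from this page.
SAMPLE = [
    "urn:geant:muni.cz:group:MU#idm.ics.muni.cz",
    "urn:geant:cesnet.cz:group:einfra:group1#perun.cesnet.cz",
    "urn:geant:cesnet.cz:res:TestingCapabilitiesValue1#perun.cesnet.cz",
]
```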