- This information is addressed to prospective LeoMed users and Permissions Managers and describes the process for getting access to a LeoMed tenant.
- This page is for non-BioMedIT projects. For instructions for BioMedIT tenants, see Requesting user access to LeoMed for BioMedIT projects
Intro
Before users can access a LeoMed tenant, the LeoMed support team needs to create and enable a user account. Depending on the type of access, and whether the user is ETH-internal or external, the LeoMed team needs certain information from the user. Note that users themselves cannot request access to LeoMed, but the request needs to come from the project's Permissions Manager (PM) or Project Leader (PL).
After receiving a request, the LeoMed support team will validate the request, set up the LeoMed user account, and provide the user with the account and login instructions.
Access to LeoMed is always protected via two-factor authentication (2FA), which the user will need to set up when accessing LeoMed for the first time. During the onboarding process, the user receives all necessary information to set up 2FA. Note that the 2FA for the remote desktop is distinct from the 2FA for SSH access.
Actions required by the User
Step 1: Assemble information
The user needs to assemble the information listed in the following paragraphs and forward it to the Permissions Manager; a Summary of mandatory information can be found at the bottom of this page.
Step 1a: Types of access
Two options for accessing LeoMed are available: command-line and remote desktop access. Depending on the type of access required, the user needs to provide the following information to the PM:
- To access Leonhard Med via the command line, the SSH protocol is used together with 2FA. To set up and enable a user account, the following information is required:
  - ETH user name (ETH-externals, see below)
  - public SSH key (How to create an SSH key pair); the filename should be <ETH user name>.pub (ETH-externals should use <name-lastname>.pub)
  - Note: if more than one computer is used, each of them should have a dedicated key pair; in this case the filename should be <ETH user name>[unique number].pub
  - A link containing the QR code for the SSH 2FA is sent to the user's email address. The link is valid for five days by default and will expire if not used within this time frame. The link can be clicked only once and will be invalid immediately afterwards.
- To access LeoMed via the remote desktop, an HTML5 web application accessible via a web browser is used together with 2FA. To set up and enable a user account, the following information is required:
  - ETH user name (ETH-externals, see below)
Public and private keys
We use asymmetric key cryptography for connecting to the LeoMed infrastructure via the command line. In order to connect to LeoMed you will need to create a key pair, which consists of a public and a private key. You will be asked to share your public key with us. The public key contains no secret information, and you can even post it online for everyone to see.
Never share your private key (not even with colleagues, your PI, ...). If you share your private key or you assume that it has become public, report this incident immediately (Contacting LeoMed Support).
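As an added example (not part of the LeoMed documentation), the following POSIX shell function performs the two checks a user, or a Permissions Manager receiving the file, would want before a public key is forwarded: that the filename follows the convention above (<ETH user name>.pub, optionally with a number, or <name-lastname>.pub for ETH-externals) and that the file is an OpenSSH public key rather than an accidentally exported private key. The function name check_leomed_pubkey, the temporary demo directory and the key material are our own constructions; the key string is a placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not part of the LeoMed documentation): sanity-check a public
# SSH key file before it is forwarded to the Permissions Manager.
# It checks the filename convention from this page, <ETH user name>.pub or
# <ETH user name><unique number>.pub (ETH-externals pass <name-lastname> as the
# second argument), and that the file is an OpenSSH *public* key and not an
# accidentally exported private key. The function name is our own choice.
#
# Usage: check_leomed_pubkey FILE USERNAME   (returns 0 = OK, 1 = reject)
check_leomed_pubkey() {
  file=$1
  user=$2
  base=$(basename "$file")

  # (a) filename must start with the username and end in ".pub" ...
  case "$base" in
    "$user"*.pub) ;;
    *) echo "REJECT: $base does not match ${user}[<number>].pub"; return 1 ;;
  esac
  # ... and whatever sits between them must be empty or digits only
  num=${base#"$user"}
  num=${num%.pub}
  case "$num" in
    *[!0-9]*) echo "REJECT: '$num' in $base is not a number"; return 1 ;;
  esac

  # (b) never accept private key material, whatever the filename says
  if grep -q "PRIVATE KEY" "$file"; then
    echo "REJECT: $base contains a PRIVATE key; keep it and never send it"
    return 1
  fi

  # (c) an OpenSSH public key is a single line starting with the key type
  count=$(grep -c . "$file" || true)
  if [ "$count" -ne 1 ]; then
    echo "REJECT: $base has $count non-empty lines, expected exactly one"
    return 1
  fi
  keytype=$(head -n 1 "$file" | cut -d' ' -f1)
  case "$keytype" in
    ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) echo "REJECT: $base does not start with a known OpenSSH key type"; return 1 ;;
  esac

  echo "OK: $base is a $keytype public key for $user"
  return 0
}

# Constructed demo files in a temporary directory; the key material below is
# a made-up placeholder, not a real key.
demo_dir=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderNotARealKey00000 jdoe@laptop' > "$demo_dir/jdoe.pub"
cp "$demo_dir/jdoe.pub" "$demo_dir/jdoe2.pub"          # second computer: numbered name
cp "$demo_dir/jdoe.pub" "$demo_dir/id_ed25519.pub"     # ssh-keygen default name: not accepted
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed-placeholder' '-----END OPENSSH PRIVATE KEY-----' > "$demo_dir/jdoe3.pub"

# Run the check over all four demo files and print the verdicts.
for f in jdoe.pub jdoe2.pub id_ed25519.pub jdoe3.pub; do
  check_leomed_pubkey "$demo_dir/$f" jdoe || true
done
```

The file to pass in is the `.pub` file written by ssh-keygen (for instance `ssh-keygen -t ed25519 -f ~/.ssh/leomed` produces `leomed` and `leomed.pub`); copy the `.pub` file to the required name before running the check. The companion file without the `.pub` suffix is the private key and stays on the user's computer.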
Step 1b: Sign the Leonhard Med Acceptable Use Policy
All users must follow the Leonhard Med Acceptable Use Policy (AUP). Users need to sign a confirmation to follow the AUP (form) and provide the signed document to the PM or PL.
Step 1c: ETH-externals: Guest user account
The LeoMed user account is linked to the ETH user account. For ETH-externals without an existing guest user account, the LeoMed team will create one. Users need to provide the following information to the PM:
- first name
- last name
- institutional e-mail address
Once created, the LeoMed team will send further instructions in an email to the user.
Step 1d: ETH-externals: Allowing institutional network
To access LeoMed, users need to be inside an allowed network (see VPN in the IT Knowledge Base). ETH-external users will not receive access to the ETH network. Therefore, SIS needs to allow the user's institutional IP address or network (see Adding network sources to the allowlist). The user needs to provide the PM with the necessary information, who will relay it to the LeoMed team.
Actions required by the Permissions Manager and Project Leader
Note that users themselves cannot request access to LeoMed, but the request needs to come from the Permissions Manager (PM) or Project Leader (PL).
Step 2: Ensure Compliance
The Project Leader ensures that all users with access rights to the data of a project or of a research group have signed an agreement (for instance via this form) stating that they will follow the Leonhard Med Acceptable Use Policy (AUP). Signing and storing these agreements is the responsibility of the PL, and upon request they must be made available to the Scientific IT Services. It is not required to include the signed form as part of the user account request to SIS.
Note that the IT Security Guidelines for Leonhard Med Endpoints, referenced in the AUP, are mandatory for members of ETH Zurich and serve as a reference for other institutions.
Step 3: Submit a Request
The Permissions Manager sends an e-mail to leomed-support@id.ethz.ch (please use this email template: user access) to request user access to LeoMed for single or multiple users.
- Explicitly mention the LeoMed access type: remote desktop and/or command-line.
- Include the mandatory information collected in Step 1 (also see Summary of mandatory information).
- If the IAM group for authenticating to a LeoMed tenant is managed by the project, confirm that the prospective user is part of the respective IAM group.
- Use as title for the request e-mail "Leonhard Med Request for User Access to [tenant/project space name]".
Via this email, a service request ticket (OTRS) is triggered that will be handled by the Scientific IT Services personnel. Once the process of setting up the user access on Leonhard Med is completed, the user receives by e-mail the access information (including the encrypted QR code, if command-line access was requested) and instructions on how to log in. Once the two-factor authentication is configured, the user is able to access LeoMed.
Summary of mandatory information
The following information is required for different kinds of access and preconditions:
Request type | Access type | Tenant name | First name of the user | Last name of the user | ETH username | Institutional e-mail address | Public SSH key | Institutional IP/IP range
---|---|---|---|---|---|---|---|---
Remote desktop access | given by default | | | | | | |
SSH access | optional | | | | | | |
ETH-external: create guest user account | | | | | | | |
ETH-external: allowing external network source | | | | | | | |