For world-class universities keen to make the most of finite research resources, there’s an overwhelming business case for using Assent, argues Jisc's Peter Atkins.
If you’re a researcher, you’ll recognise the issue immediately. Accessing multiple resources – from leading physics facilities to high-performance computing (HPC) – can mean passwords, passwords and more passwords, not to mention the struggle of dealing with X-509 certificates.
Lydia Heck, a senior computer manager in the Institute for Computational Cosmology at the University of Durham and manager of the DiRAC data-centric system there, says the process of acquiring grid certificates (which expire after a year) and proxy certificates (which can expire before a job is completed) can be “an ordeal”.
From a researcher’s point of view, a complicated access process is an obstacle to collaboration and a drain on precious time.
Among the other issues is that researchers are often signed into multiple facilities via different authentication processes, so it’s difficult to determine who’s using which site or facility, when.
And there’s a security angle, too: without a system tied to a university login, it’s hard to protect against “rogue users” – ex-graduates or ex-employees who use unexpired logins, using hard-won research time without authorisation.
What is really required is a system tied to a user’s university login.
Jisc's Assent service allows researchers to log into high-end research facilities and web-based resources with a single, university-assigned ID. All a researcher has to do is remember a single username and password.
Assent acts as a “trust broker” between the research facility (the “service provider”) and the researching university (the “identity provider”) – both of which subscribe to, and are trusted by, Assent.
Bill Pulford, science IT coordinator at synchrotron facility Diamond Light Source, has been leading a project to set up Diamond as an Assent service provider. Simplifying sign-in, he says, should help streamline workflows for researchers.
Pulford explains how it works in practice:
“Imagine a scientific research project such as finding new antibiotics to counter bacterial resistance; that is likely to be a collaboration involving a lot of different facilities, but Assent could help access these facilities during experiments.
“So you could log into Diamond and then access local instruments, an NMR (nuclear magnetic resonance) facility, a protein production factory, computing clusters and perhaps different small resources as well, at the same time.
“Collaborators could do the same from other facilities, and everyone would have the same view, which helps improve workflows as people acquire and analyse data. Without a common credential, and Assent technology, this is likely to be harder to manage.”
From the point of view of the facility, tracking Assent sign-ins could bring other benefits. Pulford adds:
“We’re under increasing pressure from government to record publications made by people who’ve done work at Diamond and to register publisher-centric ORCID identifiers (which identify individual researchers). Adopting Assent helps us harvest these ORCID IDs within the infrastructure that we’ve adopted.”
It’s reasonable to assume that such data could be useful to universities too – ultimately helping them take ownership of research usage data, and deriving academic value from statistical links.
And as for the rogue user problem, Assent stops it dead.
Jens Jensen, a scientist and researcher at the Science and Technology Facilities Council (STFC) sees how Assent can help there. He says:
"One of STFC's roles is to provide resources to researchers. As much of STFC's research infrastructure is expensive, we need to make sure it is used correctly by authorised people. A user who registers with a user office will get a credential from us, but it would make our lives easier if they could use credentials they hold already.
“The more credentials researchers have to manage, the more difficult it is for them – and the more likely it is they forget a password or to update their address when they change jobs."
But with Assent, says Jensen, identities are maintained separately from resources, so if the university email access is revoked, so are Assent privileges.
Chicken and egg
Establishing a trust network of organisations, however, can be something of a chicken and egg problem. Notwithstanding the valuable future benefits, universities’ IT teams may want to see Assent working “in the wild” before committing resources.
One short-term issue is that there is some technical work for universities to do, including setting up as an identity provider, before using Assent, which means making a business case for it.
Universities also need to install software on users’ desktops for Assent to work. Windows and Linux support for that technology is ready, and Mac support is imminent.
From her testing of Assent at Durham, Lydia Heck has noted that it takes some effort to work out how Assent fits together and acknowledges that it requires advanced technical knowhow – Jisc is looking at improving the documentation to help.
In the long run, the benefits of Assent look set to outweigh the short-term issues and, as initial users get the word out, it is hoped the trust network will grow, thus enabling more people and organisations to benefit from more effective, collaborative research.
At the same time, there are efforts to codify the issue of researcher sign-in. A pilot project, led by UCL and funded by the Engineering and Physical Sciences Research Council (EPSRC), is attempting to create a national infrastructure for research authentication. Assent looks set to be a cornerstone of this, so investing in it is a sensible strategy.
Ultimately, the essence of Assent is user simplicity – which makes business sense in the long run. “Let people concentrate on the science,” argues Pulford, “and we worry about the infrastructure.”
Find out more at Networkshop
Trust and identity is one of the topics we'll be covering at this year's Networkshop, which taking place in Nottingham from the 11-13 April 2017.
Join us on day three of the event for the parallel session on this topic, full details for all this year's sessions can be found in the Networkshop45 programme.
You can join the conversation on Twitter using #nws45.