Authentication, Authorization and Access

5/27/14: this information is obsolete; please see:

Strong Authentication Guide

The Strong Authentication Guide is the definitive security document; it was revised in May 2014.
We give a synopsis here, targeted at Intensity and Cosmic Frontier users, with links to the full documents.

  • Authentication determines the identity of you or your program.
  • Authorization determines what you are allowed to do.


Fermilab strives for a single sign-on model.
You do have a single username at Fermilab for most purposes.
The implementation of this can get complex; see the summary at Who Am I.

There are several separate security realms, due mainly to incompatibility of client tools.

  • Kerberos - An unexpired Kerberos ticket for your principal lets you
    • Log in to Unix systems
    • Generate AFS tokens - for access to login area files
    • Generate X509 certs - for access to restricted web pages, including SAM via samweb
    • Generate VOMS proxies - for Grid job submission and GridFTP data access
  • Services - your LDAP account lets you log in to
  • OSG PKI SSL certificates let you
    • Access restricted Web pages such as parts of DocDB
    • Access Grid computing and GridFTP data movement
  • AFS tokens let you
    • Access login areas under /afs/*/
    • Access some web page source files
  • Kerberos WIN.FNAL.GOV - Windows only
    • Log in to Windows systems

Who Am I - Summary of identities