LLMpedia: The first transparent, open encyclopedia generated by LLMs

CERN Account

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
CERN Account
Name: CERN Account
Established: 1954
Organization: CERN
Primary use: User identity and access management for Infrastructure, Experiments, and Services at CERN
Website: CERN internal services

A CERN Account is the central identity used by staff, fellows, students, users and visitors to authenticate to services operated by CERN. It provides credentials, authorization tokens and directory entries that enable access to computing resources, mail, collaboration platforms and experiment-specific systems. The account interfaces with institutional processes, collaboration workflows and site-security mechanisms operated in concert with European and international laboratories.

Overview

A CERN Account links an individual's identity to directory entries, mailboxes and access control lists used by CERN services such as LXPLUS, Indico, EDMS, CASTOR, and EOS. Typical account holders include members of ATLAS, CMS, ALICE, LHCb, ISOLDE and users from partner institutions like CERN Member States, European Organization for Nuclear Research collaborators, and visiting scientists from Fermilab, DESY, KEK and SLAC National Accelerator Laboratory. The account exists within the context of organisational units such as Human Resources (CERN), ERP, and access control systems used by facility groups like Accelerator operators and Engineering teams.

Account Types and Services

CERN maintains several account classes: long-term staff and fellow accounts associated with employment contracts, short-term guest accounts for visiting researchers, and transient accounts for workshop attendees and conference participants. Accounts provide services including a CERN mailbox via IMAP/SMTP, calendar and contacts via Microsoft Exchange or Office 365 integrations, web single sign-on to SAML-enabled portals, tokens for Grid computing and HTCondor, SSH keys for Linux systems such as CERNVM, and Kerberos tickets for authentication to cluster services such as AFS. Special-purpose accounts support experiment databases, control rooms, and SCADA front-ends used by detector operations teams.

Authentication and Security

Authentication mechanisms combine passwords, SSH key pairs, X.509 certificates used by the Worldwide LHC Computing Grid, and multi-factor authentication (MFA) solutions. Security policies incorporate password complexity, periodic rotation, account lockout, and privileged access controls aligned with practices from ENISA and standards such as ISO/IEC 27001. Accounts used for remote access are protected by Virtual Private Network services and bastion hosts compliant with site perimeter systems; experiment accounts used for critical operations are audited with SIEM tooling, with logs sent to an ELK Stack or similar. Identity federation allows authentication via eduGAIN and partner identity providers from institutions like University of Oxford, CERN School of Computing participants, and Ecole Polytechnique affiliates.

Provisioning and Management

Account lifecycle management is driven by HR events, supervisor approvals, and collaboration membership records maintained in databases integrated with LDAP directories and the CERN central database. Provisioning workflows interact with systems such as PeopleSoft or SAP for payroll and contract data, and with Indico and InspireHEP for conference or collaboration membership validation. De-provisioning processes revoke credentials, remove SSH keys, and archive mailboxes in compliance with data-retention rules overseen by CERN Data Protection Officer policies and European Commission regulations. Delegated administration assigns roles to group managers from collaborations like ATLAS Collaboration or service teams such as IT-DB.

Access Policies and Usage Guidelines

Access to resources via an account adheres to authorization matrices maintained by service owners, experiment boards and access committees, with role-based permissions for groups like Detector Operations crews, Software development teams, and Computing Operations staff. Usage guidelines specify acceptable use of mail, resource quotas on EOS and CVMFS, and rules for remote code execution in batch systems such as HTCondor pools. Compliance obligations reference agreements with funding agencies, memoranda of understanding between CERN and collaborating institutes, and institutional policies enforced by CERN Legal Service and the Data Protection Officer.

Integration with CERN Systems and Tools

The account integrates with collaboration platforms including GitLab, JIRA, Confluence, and literature services like InspireHEP. It enables access to computing fabrics such as the Worldwide LHC Computing Grid, OpenStack clouds, and container registries used by CERN OpenStack and Kubernetes clusters. Monitoring and ticketing systems like RT (Request Tracker), ServiceNow, and Nagios use account identities for incident assignment and escalation. Scientific software stacks distributed via CernVM-FS and analysis frameworks for ROOT and Geant4 rely on account permissions for repository access.

Support and Troubleshooting

Support for account issues is provided by CERN's User Support and IT Department helpdesks through ticketing, phone and walk-in services at service points and remote channels. Common troubleshooting steps include password reset with verification against HR records, SSH key reinstallation, MFA token re-synchronization, and directory replication checks involving LDAP diagnostics. Escalation paths involve service owners, security teams, and computing operations for incidents affecting experiment shifts or production grids, often coordinated with external partners such as Tier-1 and Tier-2 computing centres.
