Identity and authentication

This page describes how user identities are managed and how authentication works for accessing platform services.

Identity management is designed to ensure security, traceability, and alignment with GDPR and ISO/IEC 27001 information security practices.


Institutional identity

Access to the platform is based on institutional digital identities.

  • Internal users authenticate using their University of Bologna account
  • Each user is associated with a unique, personal identity
  • Shared or generic accounts are not permitted

This approach ensures accountability and traceability of user activities.


Project-based authorization

Authentication confirms who you are.
Authorization defines what you are allowed to access.

Access rights are granted:

  • Per project
  • Per service (HPC, S3 storage)
  • For a limited duration

Users can only access the resources explicitly approved for their project.


Authentication methods

Depending on the service, authentication may involve one or more of the following:

  • Institutional Single Sign-On (SSO) for VPN access
  • Username and password authentication
  • SSH key-based authentication
  • Access keys (for S3 storage)
  • Multi-Factor Authentication (MFA), where required

The exact authentication method depends on the service and the classification of the data involved.


HPC access

Access to the HPC cluster requires connection to the University network.

  • Users must authenticate using their institutional account to access the VPN of the Cesena Campus
  • Once connected to the VPN, access to the HPC cluster is provided using a personal account assigned by the platform administrators
  • Authentication can be performed using:
      • Username and password
      • SSH key-based authentication (recommended)

Passwords must be changed periodically, at least every three months.


S3 storage access

Access to the S3 storage service is based on access credentials:

  • Access key
  • Secret key

These credentials:

  • Are assigned to individual users or projects
  • Must be kept confidential
  • Must be rotated periodically (at least every three months)

Access to the S3 service from outside the University network may be restricted to authorized IP addresses.


Credential handling rules

Users are responsible for protecting their credentials.

Users must:

  • Keep passwords, private keys, and access keys confidential
  • Use strong passphrases
  • Avoid storing credentials in plain text
  • Never commit credentials to code repositories
  • Never share access with other users

Failure to comply with these requirements may result in suspension or revocation of access.


External collaborators

External collaborators may be granted access if:

  • They are formally involved in an approved research project
  • Appropriate legal agreements are in place (e.g. DTA, DPA)
  • An institutional or federated identity is available

Access for external collaborators is typically limited to the duration and scope of the project.


Account lifecycle

User accounts follow a defined lifecycle:

  1. Account creation following formal approval
  2. Periodic review of active accounts
  3. Suspension or removal at project end or upon termination of affiliation

Accounts that are no longer required are disabled to reduce security risks.


Logging and traceability

Relevant authentication and access events are logged and monitored for security and compliance purposes.

Logs are used to:

  • Detect security incidents
  • Support audits
  • Investigate misuse or policy violations

Log data is handled in accordance with institutional policies and data protection requirements.


What to do in case of issues

If you suspect that your credentials have been compromised:

  1. Stop using the affected credentials immediately
  2. Contact platform support as soon as possible
  3. Follow the instructions provided by administrators

Prompt reporting helps limit potential security impacts.

