How Accounts are Managed at NERSC

This document describes how users and project managers can manage both user accounts and project accounts (called repositories).

• How Users can Manage their User Accounts
• How Project Managers can Manage their Users and Repositories
• Allocation Management: schedule of decrements for under-utilized repos
• What happens if a repo or user balance is negative?
• Login Name Management: the lifecycle of a login name
• User Deletion Process

How Users can Manage their User Accounts

Users can manage various aspects of their user account setup.

1. User Contact Information: Contact information for each user is kept in the NERSC Information management (NIM) system. In order to communicate effectively with users and in order to abide by DOE computer use regulations we must have the following information for each user: name, citizenship, email address, work phone number, and work institution (organization). Users are expected to keep their information current.

   To see your Personal Contact Information page in NIM select My Contact Info from the My Stuff pull-down list in the NIM main menu. To update this information, select the Update link.

2. Changing your Password and Shell on Machines managed by LDAP: LDAP (which stands for Lightweight Directory Access Protocol) is being used to manage a number of NERSC machines, including PDSF, Bassi and Jacquard. All LDAP-managed machines share a common password, which is the same as your NIM password. If you need to change a password on such a machine, change your NIM password and the new password will be propagated to the LDAP-managed machines within a few minutes. To change your NIM password, select Change NIM Password from the Actions pull-down list in the NIM main menu.

   On LDAP managed machines you must also use NIM to cahnge your default shell. To do this, select Change Shell from the Actions pull-down list in the NIM main menu.

3. MPP Default Charge Repository: Allocations of NERSC computer time are awarded into project accounts, called repositories or repos. Each user has a default repository. All interactive charges are charged to the default repo. Batch jobs are also charged to the default repo if no repo (account) is specifically assigned to the job.

   Users can see their default repo in the NERSC Information Management (NIM) system on the Account Usage Summary page. This is the page that is displayed when you first login to NIM (or select My Account Usage from the NIM main menu). Look at the columns:

   • Dflt Now?: a Y indicates the default repo currently in effect
   • Base Repo? a Y indicates that this is the repo you have chosen (or were given) as your default repo. This will be your default repo unless your user balance is negative in that repo, in which case NIM will set another repo (if you have one) as your temporary default repo.

   To change your base default repo, select Change Default Repo from the Actions pull-down list in the NIM main menu.

   See also MPP Accounts and Charging.

4. HPSS Project Percents: Allocations of Storage Resource Units are awarded into project accounts called HPSS repos. If a login name belongs to only one HPSS repo all of its usage is charged to that repo. If a login name belongs to multiple HPSS repos its daily charge is apportioned among the repos using the project percents for that login name. Default project percents are assigned by NIM based on the size of each repo's storage allocation.

   Users can see their project percents on the Account Usage Summary page in NIM. This is the page that is displayed when you first login to NIM (or select My Account Usage from the NIM main menu). Look at the column Proj % in the HPSS repo display area.

   To change your project percents, select Change SRU Proj Pct from the Actions pull-down list in the NIM main menu.

How Project Managers can Manage their Users and Repositories

Project Managers should read A NIM Guide for PIs, PI Proxies and Project Managers for information on how to add and delete users, check balances, change user quotas, transfer resources and perform other account management functions.

Allocation Management

Repositories (both MPP and HPSS) that haven't used significant amounts of time (or SRUs) are adjusted at certain times by transferring a part of the unused balance to the corresponding DOE Office reserve. The following schedule will be used for allocation year 2009 (which runs January 13 2008 through January 11 2009).

• On April 14:
  • if usage is less than 10% remove 25% of the unused balance
• On July 14:
  • if usage is less than 25% remove 25% of the unused balance
  • if usage is less than 10% remove 50% of the unused balance
• On October 13:
  • if usage is less than 50% remove 25% of the unused balance
  • if usage is less than 25% remove 50% of the unused balance
  • if usage is less than 10% remove 80% of the unused balance
• On November 17:
  • if no usage close the repo and transfer balance to the reserve

What happens if a repo or user balance is negative

Accounting information is sent from the computational machines and HPSS to NIM once daily (in the early morning, Pacific Time). At this time actions are taken if a repo or user balance is negative.

If a repo runs out of time (or Storage Resource Units) all login names which are not associated with another active repository are restricted:

• On computational machines restricted users are able to log in, but cannot submit batch jobs, or run parallel jobs, or run lengthly interactive programs.
• For HPSS restricted users are able to read data from HPSS and delete files but cannot write any data to HPSS.

Login names that are associated with more than one repo (for a given resource -- MPP or HPSS) are checked to see if the user has a positive balance in any of her or his repos (for that resource). If he or she does have a positive balance in some repo (for that resource) s/he will not be restricted and the following will happen:

• On computational machines the user will not be able to charge to the restricted repo. If the restricted repo had been the user's default repo, a new (temporary) default repo is assigned to the user (it can be any one of the user's remaining repos). For more information see Running Out of Time.
• For HPSS, repos that are negative continue to incur SRU charges every day for each member that has HPSS files. This is because there is a daily charge for files stored within HPSS. Also, project percents are not adjusted when a repo goes negative. For more information see What happens if a repo or user SRU balance is negative?.

The PI and project managers receive an email notifying them that the repo is negative. They should send an email to their NERSC Allocations Manager stating how much time (or SRUs) the repo needs for the rest of the allocation year.

If and when the repo receives additional time (or SRUs), any users that have been restricted will be unrestricted within two hours of transferring new time to the repo.

Likewise, when a user goes over her/his individual user quota in a given repo, that user is restricted if s/he has no other repo to charge to. A PI or Project Manager can change the user's quota. See the instructions for changing user quotas.

Login Name Management

On most NERSC hosts, each user has a single login name, which can charge to one or more repos.

Your login name on a given host can be in one of the states decribed below. These states are registered in NIM and displayed on NIM's Logins by Host page. A case where NIM does not know the user's status on a host is if the user has had 3 or more failed login attempts. If this happens to you, call the Account Support group at 800-666-3772, menu option 2, or 510-486-8612 to have your password failures cleared.

Active

The usual state for active users in repos with a positive balance.

Active - to be removed

The user is still active on HPSS but is scheduled to be deleted from their last project at NERSC (HPSS staus only). See User Deletion Process.

Restricted - negative

This happens if either the user cannot charge to any repo. When a (login, repo) pair runs out of time:

• If the the user can still charge to some repo, the depleted repo is removed from the list the user can charge to (and the user remains active).
• If the user has no repo to charge the user is restricted. This means that the user's interactive computing is limited and no batch computing is allowed.

If more allocation is added to the repo, the user is unrestricted.

Limited - to be removed

The user has been restricted (the user's interactive computing is limited and no batch computing is allowed) in preparation for removal. See User Deletion Process.

Disabled - no Form

The user's account (username) has been created in a disabled state because the user has not yet faxed to NERSC the Computer Use Policies Form.

Disabled - inactive

The user has not logged in for the past 90 days and has been disabled. The user can no longer login to a system, but the user's account and files remain intact. This is checked at the beginning of every month and affected users are notified by email. To be re-enabled call the Account Support group at 800-666-3772, menu option 2, or 510-486-8612.

Disabled - not authorized

The user has no allocation on this machine (but has been registered with than machine so that the NERSC Global Filesystem can display user names and group names rather than uids and gids).

Disabled - to be removed

The user has been disabled in preparation for removal. See User Deletion Process.

Disabled

The user has been temprarily disabled. The user can no longer login to a system, but the user's account and files remain intact. NERSC Account Support staff will contact disabled users to re-enable them.

Archived

The user's permanent data has been archived to HPSS.

Crypt

The user's HPSS data has been moved to the HPSS crypt (not yet implemented; HPSS status only).

Deleted

The username has been removed from the host.

User Deletion Process

When a user is removed from a computational system

When a user is removed from one of the NERSC computational systems (but still remains authorized to use other NERSC resources) the following happens:

1. The user is placed in Limited status on the system and is notified by email about the removal process. The user retains the Limited status for one month. While in Limited status the user can still login to the system but cannot submit batch jobs or run long interactive jobs. While in Limited status the user is responsible for:
   • Deleting files that are no longer needed.
   • Moving personal files (not needed by any NERSC project) to their home site, to HPSS, or to some other NERSC computational system where the user is still active.
   • Ensuring that files needed by any project of which s/he has been a member are retained by the project.
2. After one month in Limited status the user is Disabled (can no longer login) and retains the Disabled Status for at least five months. During this time the user can be easily re-activated.
3. After five months of Disabled status the user's permanent files are eligible to be archived to HPSS, after which the username may be removed from the system.

When a user is removed from a project

PIs and Project Managers decide when a user should be removed from a project. Users who are removed from a project receive an email to that effect. If the user is still a member of other projects, the user is simply removed from the departed project repositories (and can no longer charge to them) but otherwise remains active at NERSC.

When a user is removed from their last project at NERSC the following happens:

1. The user goes through the user deletion process on each computational system for which they have an account (see above). The user remains active on HPSS during the month of limited status on the computational systems.
2. After one month the user is placed in Limited Status on HPSS and has read/delete access there. The user retains Limited status on HPSS for 5 months. While in Limited status the user is responsible for:
   • Deleting files that are no longer needed.
   • Moving personal files (not needed by any NERSC project) to their home site.
   • Ensuring that files needed by any project of which s/he has been a member are retained by the project.
3. After 5 months of Limited Status on HPSS the user is disabled on HPSS. The user's files are now eligible to be moved to the HPSS crpt where they will remain for at least 18 months before being deleted. This step has not yet been implemented.