MPCDF SelfService - Help

The MPCDF SelfService is a platform for MPCDF users to manage their user accounts and external guests. It is the successor of the "roaster" system and extends it by various self-management functionalities. Guests are not able to log in to the platform but can use it to accept invitations and reset their passwords.

MPCDF users invite guests to let them gain access to specific services provided by the MPCDF in order to let them participate in projects or share files. Guests use the credentials they chose when registering on this platform to log in to those backend services. Access to the services may be granted or revoked on a per-service basis at any point.


The services available on the SelfService platform are:

DataShare (https://datashare.mpcdf.mpg.de)
DataShare is a file-sharing platform based on the open-source collaboration suite OwnCloud. Regular users are granted a storage quota of 100 GB. As a guest user you will not have your own quota but share your inviter's DataShare storage.

GitLab (https://gitlab.mpcdf.mpg.de)
GitLab is a web-based open-source DevOps lifecycle tool that provides a Git-repository manager with wiki, issue-tracking and CI/CD pipeline features.

User Manual

This manual details how MPCDF users can administer their own accounts and manage guest users.

MPCDF users may log in to the platform by providing their Kerberos account name and password of their "Erstkennung". Login using the "Zweitkennung" is not supported yet. Guests are not able to log in. Please make sure to use the logout button at the end of your session to prevent unauthorized access to your account.

Services

Here, the users may subscribe themselves to MPCDF services. For technical reasons it is not possible to unsubscribe from a service.

My Data

This page shows the user's data such as room and telephone number. It is meant to provide an easy way for the user to check their details for correctness. At this point it is not possible to change those values yourself and the MPCDF support needs to be contacted in case of any errors.

New invitation

Here, an external person can be invited to use one or more MPCDF services. Note that persons with an MPG account should apply for an MPCDF account of their own and cannot be invited as guest users.

The invitation process

To invite someone it is necessary to provide the guest's full name and email address. An optional custom message to the guest can be included. At least one service must be selected from the list shown. Note that this selection cannot be changed until the guest has accepted the invitation. If a wrong selection was made it is best to revoke the invitation and send a new one. The invitation is valid for 7 days and the guest account expires after 2 years if not prolonged by the inviter. The inviter receives a confirmation email when the invitation is sent and once more when it has been accepted.

In case the guest is invited to use the DataShare service, the guest is not assigned a storage quota but instead uses the quota of their inviter. The inviter can then share dedicated folders with the guest to exchange data and share storage space.

The inviter is responsible for any content uploaded by the guest. It is therefore important to make sure the correct email address is used during the invitation process. As stated in the Terms of Use signed by the inviter when their MPCDF account was created, the MPCDF reserves the right to withdraw access to their services without any notice or explanation if the uploaded content violates the MPCDF Terms of Use or the law.

Accepting the invitation

The guest receives an invitation email with a link that contains a token associated with the invitation in the database. Once the guest clicks that link a page is opened where the guest can check whether their name is spelled correctly and change it if not, choose a username of their liking, and set a password for their new account that needs to be used to log in to the backend services. The guest is presented with the Terms of Use for Guest Users and has to accept them before the account can be activated. It can then take up to 20 minutes for the backend services to register the new account.

Bulk invitation

Multiple guests can be invited using this option. A CSV file containing the invitees' details may be uploaded here. The uploaded file needs to meet these requirements:

  • Must be a comma-separated CSV file
  • Must have exactly three columns in the shown order: first name, last name, email address
  • Must have no empty values
  • Must be plain-text, MS Excel sheets are not supported
  • Names must consist of letters only
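A pre-upload check for the requirements listed above, as an added example that is not part of the SelfService itself. The function name, the e-mail pattern, the UTF-8 encoding and the use of Unicode letters for "letters only" are assumptions; the platform's own validation rules may differ.

```python
import csv
import io
import re

# Assumption: a deliberately loose e-mail shape check; the platform's own rule is not documented.
EMAIL_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")
# Magic bytes of binary spreadsheet formats (.xlsx is a ZIP archive, .xls an OLE2 container).
BINARY_MAGIC = (b"PK\x03\x04", b"\xd0\xcf\x11\xe0")

def validate_invite_csv(raw: bytes) -> list[str]:
    """Return a list of problems; an empty list means the file meets the listed requirements."""
    if raw.startswith(BINARY_MAGIC):
        return ["file is a binary spreadsheet, not plain text"]
    try:
        text = raw.decode("utf-8-sig")  # assumption: UTF-8 with an optional BOM
    except UnicodeDecodeError:
        return ["file is not valid UTF-8 text"]
    problems = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text), delimiter=","), start=1):
        if len(row) != 3:
            hint = " (semicolon-separated?)" if ";" in "".join(row) else ""
            problems.append(f"line {lineno}: expected 3 columns, found {len(row)}{hint}")
            continue
        first, last, email = (field.strip() for field in row)
        if not (first and last and email):
            problems.append(f"line {lineno}: empty value")
            continue
        for label, name in (("first name", first), ("last name", last)):
            if not name.isalpha():  # assumption: any Unicode letter counts as a letter
                problems.append(f"line {lineno}: {label} contains non-letter characters")
        if not EMAIL_RE.match(email):
            problems.append(f"line {lineno}: email address looks malformed")
    if not text.strip():
        problems.append("file is empty")
    return problems

# Constructed sample input, not real invitees.
SAMPLE = (
    "Ada,Lovelace,ada@example.org\n"
    "Jean-Luc,Picard,jl@example.org\n"
    "Grace;Hopper;grace@example.org\n"
    "Alan,,alan@example.org\n"
).encode()

if __name__ == "__main__":
    for problem in validate_invite_csv(SAMPLE):
        print(problem)
```

Checking the file locally before upload keeps mistyped addresses out of the invitation run, which matters because the inviter is responsible for content uploaded by whoever receives the invitation.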

After uploading the file the invitees are listed for review and may be assigned one or more services they should be allowed to use. We recommend also specifying a keyword (such as a project name) so that the invited guests may be easily identified later on. Optionally, a message may be included that will get prepended to the individual invitation email that each invitee receives. This is in contrast to the invitation of a single guest where the inviter's message gets appended to the email. The reasoning for this is that bulk imports usually imply a bigger event such as the formation of a project and the inviter needs to make an important announcement to the invitees.

After accepting the disclaimer and submitting the form a summary of succeeded and failed invitations is shown. An error message explaining what went wrong is shown next to each failed invitation. An invitation may fail for example due to the invitee already having a regular MPCDF account. In this case the user should log in to the SelfService and opt in for the service themselves. The list of failed invitations may be downloaded as a CSV file so that a corrected version can be uploaded if needed.

If a guest already exists and has the importer as inviter, the SelfService ensures that the guest gets assigned all services specified during the import while retaining any additional access rights already present.

Guest list

This page lists the guests the user has sent invitations to. The list contains the guest's full name, username, email address, the date of invitation, an "Active" flag, and a button called "Details and Edit" that leads to a dedicated page for editing this guest.

The "Active" flag shows whether the guest is able to log in to any backend services. It may show "No" either because the guest has not accepted the invitation yet or because the guest account has been (temporarily) disabled by the inviter on the guest edit page. If the guest account is disabled, login to the backend services is not possible regardless of what services are assigned to the guest.

The list is sortable by any text-based column through clicking on the column headers. It can be searched with the search function of the browser which in many cases is invoked with the key combination "Ctrl-F".

Edit Guest

This page shows all details of the individual guest. These are: full name, email address, date of acceptance of the Terms of Use, account expiry date, and date of invitation.

If the user has not accepted the invitation yet, only two more buttons are shown:

  • "Re-send invitation" to send another invitation in case the original was lost or has expired.
  • "Revoke invitation" to delete the guest account fully and invalidate the invitation.

After the guest has accepted the invitation, the following buttons are shown instead of the previously mentioned ones:

  • A "Save" button underneath a list of checkboxes for backend services. The user will gain access to the ticked services and lose access to the unticked ones but will not be notified about the changes.
  • "Prolong guest account" allows the user to extend the expiry date of the guest account by two years from the current date.
  • "Send password reset email" can be used in case the guest forgot their password.
  • "Disable guest account" revokes the guest's access to any backend services regardless of the services assigned to them.

Guest Manual

This manual describes the functionalities accessible to MPCDF guests.

Once you received an invitation from an MPCDF user you have 7 days to go to the provided link and register as a guest user. After 7 days the link expires and your data is deleted from the database. The link also expires after a successful registration. If you have lost your invitation mail please ask your inviter to resend it.

On the registration page you have the chance to correct any spelling mistakes in your name. You are provided with a preliminary username that you can change to your liking. Note that any username you choose will always start with 'g-'. For the username you may use any Latin characters and Arabic numerals; for your full name, a range of European characters and dashes is allowed.

You will need to set a password for your account. Please consult our password policy for password requirements and make sure you use a password that cannot be guessed easily. Also note that reusing existing passwords is not allowed since this makes your account very vulnerable to password reuse attacks.

After you have accepted the Terms of Use you can activate your account. Please note it can take up to 20 minutes for your account to be synchronized to the backend services. After this period you will be able to log in to the services you were invited to use.

In case guests forget their password they can request a password reset email using the corresponding link on the start page. Alternatively, the inviter can send such an email via the guest edit page.

Privacy and Cookies

We use cookies for two reasons:
  1. To guarantee your browsing session does not end unless you click the logout button. This lets you stay logged in even if the browser is restarted.
  2. To protect your session from CSRF attacks. This ensures that only data that actually comes from your requests is accepted by our platform. No third party can forge fake input to your forms.
We do NOT use cookies to track any of your browsing behavior.

General FAQ and Troubleshooting

Why would I need this?

Two-factor authentication (2FA) protects your account if your password gets stolen and is required if you want to use e.g. the gatenull machine to access the MPCDF network remotely. As of Nov. 11th 2020 all SSH gate machines will require 2FA.

How does it work?

You create (enroll) a token here and scan the resulting QR code with an OTP smartphone app of your choice (e.g. Google Authenticator or FreeOTP). The app then shows you a new one-time password (OTP) every 30 seconds. This OTP is the second factor that you need to provide in addition to your password on services that are 2FA-protected.
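How the app and the server arrive at the same 30-second code, as an added example that is not MPCDF's implementation. It assumes standard TOTP (RFC 6238) with HMAC-SHA-1 and 6 digits, the defaults of the apps named above; the page does not name the algorithm, and the seed used here is the public RFC test seed.

```python
import base64
import hashlib
import hmac
import struct

def seed_from_base32(text: str) -> bytes:
    """Decode the base32 seed that the enrollment QR code carries (spaces and case ignored)."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))

def totp(seed: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP (RFC 4226) over the count of `step`-second intervals since the epoch."""
    counter = int(at) // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(seed: bytes, candidate: str, at: float, step: int = 30, drift_steps: int = 1) -> bool:
    """Accept the current OTP or one from an adjacent interval, to tolerate clock drift."""
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(seed, at + delta * step, step)
        # Constant-time comparison; every window is checked so timing does not reveal which matched.
        ok |= hmac.compare_digest(expected.encode(), candidate.encode())
    return ok

# Public test seed from RFC 6238 (ASCII "12345678901234567890"), not a real account seed.
RFC_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    seed = seed_from_base32(RFC_SEED_B32)
    print(totp(seed, 59))                # code for the interval containing t = 59 s
    print(verify(seed, "287082", 89))    # one interval later: still accepted
    print(verify(seed, "287082", 149))   # three intervals later: rejected
```

Because both sides derive the code only from the shared seed and the clock, anyone who obtains the seed can generate valid codes, so it deserves the same protection as a password.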

How does this improve the security of my account?

Recently there has been a notable increase in attacks exploiting leaked credentials. If you have 2FA enabled attackers can't abuse your account even if they know your password since they still don't have your phone.

Which MPCDF services support/require 2FA?

This list will grow longer in the future.

Service and 2FA status:

  • SSH login on gatenull.mpcdf.mpg.de: required
  • SSH login on (afs)gate.mpcdf.mpg.de: not yet supported (required after Nov. 11th 2020)
  • VPN: optional (required after Nov. 11th 2020)
  • SelfService: required after token enrollment

What if I don't have or want to use a smartphone?

You can instead order a hardware token from us in the form of a key-chain token or smart card. Alternatively, you may register a hardware token you already own by entering its seed during enrollment.

What if I lose my token?

You will have the option to register an external e-mail address and/or phone number as a backup mechanism after activating 2FA. Otherwise personal identification through our support team is necessary to regain access to 2FA-secured services.

Users

Please check if you are actually subscribed to the service you cannot access by logging in to the SelfService and navigating to "My Account > Services". You can grant yourself access to the services there. If you also cannot log in to this platform or any other MPCDF service then your password or account may have expired. If you find that you are already subscribed to the service you are trying to log in to please contact support.

Guests

Your account may have expired or have been deactivated by your inviter. Your inviter can also withdraw access on a per-service basis so you might still have access to other services. It is also possible that your inviter's user account has been deactivated. In this case you will need to find an MPCDF user that is willing to "adopt" your orphaned account.
If you already had your guest account before the switch to the new SelfService platform you may not have reset your password in time or something went wrong when you did. Please reset your password here and try logging in to the backend services again.

Users

If you also cannot log in to any other MPCDF service then your password or account may have expired. Please contact support.

Guests

Currently, guests cannot log in to the SelfService platform. You can log in to the backend services directly. If you have questions about your account please contact support.

Users

Please contact support.

Guests

Please reset your password here.

Users

Please reset your password here.

Guests

Please ask your inviter to prolong your account.
Please contact support to have your guest account transferred to a different "inviter".
You can have another regular MPCDF user invite you as a guest with a private email address. However, note that it is not possible to create a guest account with an email address that used to be associated with your regular user account. You will also not be able to access any data associated with your regular user account from your guest account.
It is not possible to grant access to resources that belong to a locked user. Therefore, to ensure that a person always has access to certain resources even if the person's regular account is locked please create a dedicated guest account with the appropriate access rights. Please note that transferring resources between the two accounts or accessing one from the other is not possible due to security considerations. Please do not ask support for exceptions as requests will not be considered.