User Guide

Basics and Terminology

HEXAA is a Virtual Organization (VO) manager system that serves the authorization and group management needs of inter-organizational collaborations.

Every VO has a membership, which is usually composed of invited/selected/subscribing people from several brick-and-mortar organizations.

Within the VO there can be any number of roles. In HEXAA the role structure is flat. Users might belong to several roles or no roles at all. Also, in a VO there are permissions. Permissions can be assigned to roles, and all the role members have them.

The permissions belong to the services. In a HEXAA deployment there are usually several services (for instance all SPs from eduGAIN). Permissions might be bundled together into permission sets for ease of administration.


A HEXAA user can act in the four different capacities below.

  • A user can be a VO member in any number of VO-s. The member of VO may view information about the VO and edit its own profile attributes.
  • Any user can start its own VO, hence becoming a VO manager of that VO. A user can become a manager by invitation also. A VO manager can administer the roles and membership and also assign the permissions delegated by the services.
  • A user might successfully claim the administrative powers of a service known to the HEXAA deployment and so become a Service Manager. Similarly to the VO managers, the manager of a service can invite additional managers. Service Managers define permissions and delegate those permissions to VOs so that the VO managers can assign those to roles.
  • HEXAA admin, the platform administrator. A powerful capacity that belongs to the owners of the HEXAA deployment. Only the HEXAA admin can add the attribute specifications known to the system, see all users and services.