> Using my own certificate for DQ2 as advised by other ATLAS Tier-2
> sites. Should ask again about what certificates should get used. How
> do you differentiate between a role and a person? Some things should be
> automated which would be different.

I'm not clear exactly what the question is here ... but machines should have host certificates. There should be documentation on the DOEGrids web site on getting a host certificate.

The way VOMS (the user registration database for the VO) works, a user can be a member of multiple groups and have multiple roles. When you execute the voms-proxy-init, the returned attribute certificate contains all the groups you are a member of, but only the requested role(s) (assuming you are authorized for those roles). That attribute certificate is then included in your signed proxy certificate that is delegated to the Compute Element.

The PRIMA module in the CE takes apart the proxy and attribute certificate and provides the interface to the GUMS server. The GUMS server uses that information along with the site configuration parameters to assign the appropriate UID and GID values. These values are passed back to PRIMA and back to the CE for use in executing the batch job.

Sorry if you already knew all this ....

BC
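
The flow described in the reply above, as an added Python model that is not part of the original message and is not code from VOMS, PRIMA or GUMS. It shows the attribute selection (all groups, only requested and authorized roles) and the site-side mapping to UID/GID. The rule layout, the choice of the first FQAN as the primary one, and the DN, group and UID/GID values are assumptions constructed for illustration.

```python
from typing import NamedTuple, Optional

class Fqan(NamedTuple):
    group: str             # e.g. "/atlas/usatlas"
    role: Optional[str]    # None when the attribute says Role=NULL

def parse_fqan(text: str) -> Fqan:
    """Split '/vo/group/Role=x/Capability=NULL' into group path and role."""
    if not text.startswith("/"):
        raise ValueError(f"FQAN must start with '/': {text!r}")
    groups, role = [], None
    for part in text.strip("/").split("/"):
        if part.startswith("Role="):
            role = None if part[5:] == "NULL" else part[5:]
        elif not part.startswith("Capability="):
            groups.append(part)
    return Fqan("/" + "/".join(groups), role)

def issue_attributes(memberships, authorized_roles, requested_roles):
    """VOMS step: all groups are returned, roles only if requested and authorized."""
    fqans = []
    for group, role in requested_roles:
        if (group, role) not in authorized_roles:
            raise PermissionError(f"not authorized for {group}/Role={role}")
        fqans.append(f"{group}/Role={role}/Capability=NULL")
    return fqans + [f"{g}/Role=NULL/Capability=NULL" for g in memberships]

def map_account(dn, fqans, site_rules):
    """GUMS step: first site rule matching the primary FQAN (and DN, if the
    rule pins one) gives the (uid, gid) handed back to PRIMA and the CE."""
    if not fqans:
        return None
    primary = parse_fqan(fqans[0])   # assumption: the first FQAN is the primary one
    for rule_group, rule_role, rule_dn, uid, gid in site_rules:
        if (primary.group, primary.role) == (rule_group, rule_role) and rule_dn in (None, dn):
            return uid, gid
    return None   # no rule matched: fail closed, the job gets no local account

# Constructed sample data: hypothetical DN, groups, UIDs and GIDs.
DN = "/DC=org/DC=example/OU=People/CN=Sample User"
MEMBERSHIPS = ["/atlas", "/atlas/usatlas"]
AUTHORIZED = {("/atlas", "production")}
SITE_RULES = [("/atlas", "production", None, 5001, 500),   # role account, any holder
              ("/atlas", None, None, 5100, 510)]           # ordinary VO member
```

In this model the same person lands in a different local account depending on the role requested at proxy creation, which is how a role is kept distinct from the person holding it.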