A Methodology for Centralized Identity and Access Management toward Cybersecurity and NIS2 Readiness in European Research Infrastructures
Andrea De Vita; Filippo Maria Lauria; Abraham Gebrehiwot
2026
Abstract
Digital infrastructures supporting European research are complex computational environments in which heterogeneous user communities access distributed resources, multi-project environments, and services with different levels of criticality. In this context, identity and access management constitutes a primary cybersecurity control, as it reduces the risk of unauthorized access, obsolete credentials, privilege abuse, escalation, and limited audit capability. This Technical Report proposes a centralized Identity and Access Management (IAM) model for Proxmox VE clusters, based on Keycloak as the Identity Provider, on the logical separation of domains through realms, and on the local enforcement of authorizations through Proxmox groups and group permissions. The model was applied to two clusters housed at the server farm of the Institute of Informatics and Telematics of the Italian National Research Council, dedicated respectively to the SLICES-RI and RESTART projects. The main contribution is a replicable methodology for virtualized research infrastructures. The model separates identity, application domain, and operational authorization, connecting them through an explicit and documentable privilege-assignment chain. The report also frames this model in relation to Directive (EU) 2022/2555, known as NIS2, and its Italian transposition through Legislative Decree No. 138 of 4 September 2024. This framing does not constitute a declaration of regulatory compliance; rather, it highlights the consistency of the solution with technical measures for cyber risk management, access control, and accountability.
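The abstract describes three separated layers (identity from a Keycloak realm, an application domain per project, and local authorization through Proxmox groups and ACLs) joined by a documentable privilege-assignment chain. The following added example, which is not code from the report or from Proxmox, models that chain in Python and resolves a user's effective privileges on a resource path while recording each link so the grant can be audited. Realm names, issuer URLs, users, groups and pool paths are constructed; the role-to-privilege map is a reduced subset of Proxmox VE's built-in roles; and the path-propagation rule is a simplification of Proxmox's real ACL semantics.

```python
"""Model of the identity -> domain -> authorization chain described in the abstract.

Added example, not code from the report: a Keycloak realm per project is the
identity domain, a Proxmox realm points at that Keycloak realm, and cluster-local
groups plus path ACLs enforce authorization. resolve() computes the effective
privileges of a principal on a path and returns the audit trail of how they arose.
All names, URLs and the role subset below are constructed.
"""
from dataclasses import dataclass, field

# Constructed subset of Proxmox VE built-in roles -> privileges (not the full lists).
ROLES = {
    "PVEVMUser": {"VM.Audit", "VM.Console", "VM.PowerMgmt", "VM.Backup"},
    "PVEVMAdmin": {"VM.Audit", "VM.Console", "VM.PowerMgmt", "VM.Backup",
                   "VM.Allocate", "VM.Config.Disk", "VM.Config.Network"},
    "PVEAuditor": {"Sys.Audit", "VM.Audit", "Datastore.Audit"},
}


@dataclass
class Acl:
    """One ACL entry: a role granted to a group on a path, optionally inherited below it."""
    path: str
    group: str
    role: str
    propagate: bool = True


@dataclass
class Cluster:
    # Identity layer: Proxmox realm id -> Keycloak issuer URL (placeholder URLs).
    realms: dict = field(default_factory=dict)
    # Principals are realm-qualified ("login@realm") -> set of cluster-local groups.
    users: dict = field(default_factory=dict)
    # Authorization layer: ACLs binding groups to roles on paths.
    acls: list = field(default_factory=list)

    def add_user(self, login, realm, groups):
        """Provision a principal only from a configured identity realm."""
        if realm not in self.realms:
            raise ValueError(f"unknown realm {realm!r}: identity must come from a configured IdP")
        self.users[f"{login}@{realm}"] = set(groups)

    def acl_applies(self, acl, path):
        """Exact path always applies; an ancestor path applies only if it propagates."""
        if acl.path == path:
            return True
        return acl.propagate and path.startswith(acl.path.rstrip("/") + "/")

    def resolve(self, user, path):
        """Return (privileges, chain): effective privileges and the audit trail behind them."""
        chain = []
        if user not in self.users:
            return set(), [f"{user}: no such principal (not provisioned from any realm)"]
        realm = user.split("@", 1)[1]
        chain.append(f"identity: {user} authenticated via realm {realm} -> {self.realms[realm]}")
        privs = set()
        for group in sorted(self.users[user]):
            chain.append(f"membership: {user} in group {group}")
            for acl in self.acls:
                if acl.group == group and self.acl_applies(acl, path):
                    inherited = " (propagated)" if acl.path != path else ""
                    chain.append(f"acl: {group} has {acl.role} on {acl.path}{inherited} -> {path}")
                    privs |= ROLES[acl.role]
        return privs, chain

    def allowed(self, user, path, privilege):
        return privilege in self.resolve(user, path)[0]


def build_demo_cluster():
    """Two project domains on one cluster, mirroring the report's setting (names constructed)."""
    c = Cluster()
    c.realms["slices"] = "https://keycloak.example.org/realms/slices"    # placeholder
    c.realms["restart"] = "https://keycloak.example.org/realms/restart"  # placeholder
    c.acls += [
        Acl("/pool/slices", "slices-users", "PVEVMUser"),
        Acl("/pool/slices", "slices-admins", "PVEVMAdmin"),
        Acl("/pool/restart", "restart-users", "PVEVMUser"),
        Acl("/", "auditors", "PVEAuditor"),   # read-only audit over the whole tree
    ]
    c.add_user("alice", "slices", ["slices-users"])
    c.add_user("bob", "restart", ["restart-users"])
    c.add_user("carol", "slices", ["slices-admins"])
    c.add_user("dave", "restart", ["auditors"])
    return c


if __name__ == "__main__":
    cluster = build_demo_cluster()
    for user, path in [("alice@slices", "/pool/slices"), ("alice@slices", "/pool/restart")]:
        privs, chain = cluster.resolve(user, path)
        print(f"{user} on {path}: {sorted(privs) or 'no access'}")
        for link in chain:
            print("   ", link)
```

The realm-qualified principal is the key design point: `alice@slices` and a hypothetical `alice@restart` are different identities, so a project's users cannot reach another project's pool unless an ACL explicitly binds one of their groups to it, and every grant can be reconstructed from the returned chain rather than inferred from the running system.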


