Bugzilla – Bug 5714
GRAM Auditing: additional data in audit records
Last modified: 2012-09-12 09:59:50
For the OSG Accounting system Gratia, there is one additional data item that is needed in the GRAM audit record that allows for the complete identification of the individual using a grid resource.

The log currently captures this data related to the identity of the user:
- subject_name (DN of the User)
- username (local UNIX id)

In addition, the Gratia accounting system also needs to identify the VO, VO groups and Role a grid user is accessing the resources as. While this information is not available on a standard grid proxy, it is available on VOMS-generated proxies as extended attributes in the form of an FQAN (Fully Qualified Attribute Name).

We had some preliminary discussions many months back regarding this. Since we use a callout (PRIMA) to handle the authorization request, this callout (for both ws and pre-ws) handles the reading of the extended attributes in the proxy, if available. At that time, we were asking for the capability to pass that data (FQAN) back, in addition to the username, so that it could be available in the GRAM audit. We would like to pursue this approach further.

Alternatively, can GRAM read the proxy certificate for the extended attributes and make that data available in the audit record?

From my perspective, which may be somewhat slanted, it is the DN/FQAN that fully identifies the grid user.

John Weigand
We've migrated our issue tracking software to jira.globus.org. Any new issues should be added here: http://jira.globus.org/secure/VersionBoard.jspa?selectedProjectId=10363 As this issue hasn't been commented on in several years, we're closing it. If you feel it is still relevant, please add it to jira.