**MACE-Dir Call 21-September-2009**

**Attending**

Brendan Bellina, USC (chair)

Keith Hazelton, U. Wisconsin - Madison

Etan Weintraub, Johns Hopkins U.

Michael Pelikan, The Penn State U.

Ann West, Internet2/Educause

Tom Barton, U. Chicago

Paul Hill, MIT

Todd Piket, Minnesota State Colleges and Universities

RL "Bob" Morgan, U. Washington

Steve Olshansky, Internet2 (scribe)

**Next call 19-October-2009 4:30 PM EDT**

(there will be no call on 5-October due to the Internet2 Member Meeting)

**New Action Items**

[AI] (Keith) will follow up on the REFEDs list conveying the sentiments expressed on the call today about the ePSA usage comparison.

**Carryover Action Items**

[AI] (Mike) review the LocalDomainPerson survey results and the Shibboleth attribute naming documentation with an eye toward useful attributes to generalize, as a reference for naming guidelines and base attributes to propose.

http://middleware.internet2.edu/dir/localsurvey.html

http://middleware.internet2.edu/dir/docs/internet2-mace-dir-localdomainperson-200505.html

[AI] (RL "Bob") will craft a survey on use of the mail attribute and possible need for additional email attributes.

[AI] (Brendan) will poll the mailing list for feedback on the use of name fields, and whether they have had the need to extend eduPerson locally with additional name fields.

[AI] (Brendan) will coordinate with the leaders of the Educause IdM Constituent Group, toward the goal of polling that group along with MACE-Dir for feedback on the use of commercial and open-source IdM products.

**Discussion**

1. Keith led a discussion of eduPersonAffiliation values used with federations and the document sent to the list on Sept 17, "Fwd: [refeds] Comparison of eP(S)A values".

The hope was for some degree of consistency in usage. Feedback to the document authors from MACE-Dir would be welcomed.

There was discussion about the distinction between attributes shared locally and those that would be shared externally. There was agreement that in most cases there is no need for attributes to be shared externally; rather, entitlement values would suffice on a per-resource or per-vendor basis.

It was noted that vendors normally control entitlement values, and would negotiate with their customers as to how the determination is made about which users qualify to have that value released for access to the service in question. In many/most cases the vendor would not need to know the identity of the requesting user, and would only look for the entitlement value. This being the case, is there a strong driver for defining the various roles in a way that all campuses would adopt?

Since there is no mechanism to enforce the usage of eduPersonAffiliation, perhaps the value from MACE-Dir would be in clarifying the generally recommended usage of the various affiliation values to the extent possible, understanding that local definitions will vary as needed and trump the general usage.

It was noted that the document's discussion of the term "staff" pointed out the difference in usage between the EU and US, raising the issue of how best to address these sorts of cultural differences.

[AI] (Keith) will follow up on the REFEDs list conveying the sentiments expressed on the call today about the ePSA usage comparison.

2. Planning/Review for upcoming Internet2 Member Meeting MACE-Dir wg session Monday 5-October-2009, 8-9:00 AM CDT

http://events.internet2.edu/2009/fall-mm/agenda.cfm?go=session&id=10000848&event=980

Suggestions for discussion topics are welcome. Please discuss on the mailing list.

3. RL "Bob" discussed a recent item that arose about dynamic account creation on a vendor site for students enrolled in a class, and how to handle (i.e., de-provision) students who subsequently drop out of the course. Some vendors are interested in a way to handle this circumstance and remove access from those departing students.

This led to a broader discussion of de-provisioning resource access in general, including for those housed on campus. In many cases this is handled via LDAP groups.

4. Next call 19-Oct (there will be no call on Oct 5 due to the Internet2 Member Meeting)