*MACE-Dir Conference Call*
June 23, 2003

*Participants*
Keith Hazelton -- Wisconsin (chair)
Tom Barton -- Chicago
Renee Frost -- Michigan/Internet2
Michael Gettes -- Duke
Diego Lopez -- RedIRIS
Bob Morgan -- Washington
Steve Olshansky -- Internet2
Todd Piket -- MTU
Barry Ribbeck -- UT-Houston
Bob Talda -- Cornell
Art Vandenberg -- Georgia State
Ann West -- EDUCAUSE/Internet2
Nate Klingenstein -- Internet2 (scribe)

*Discussion*

Organizational Structure in the DIT

The call began as a continuation of the "department object needed" thread on the MACE-Dir mailing list, initiated by David Bantz of the University of Alaska, who was unable to join the call. The group saw the discussion as an opportunity to begin capturing the community's accumulated wisdom on ways of representing organizational structure within an LDAP directory. The primary question is how the benefits of the various ways of representing a campus's complex and shifting structure in a directory compare with the costs they impose on directory administrators and maintainers.

There are also secondary questions about what should happen to the effort to define eduOrg, which was intended to lead eventually to the definition of an eduOrgUnit object class with more of a departmental-level focus. It is unclear what is missing from eduOrg and the scenarios it is intended to address that implementing eduOrgUnit would supply.

Michael cautioned that it is far more difficult to represent structure in a standard way across an organization at a level that is functional and useful. He opined that an overly generic structural representation runs a substantial risk of being underdetermined, while an overly specific one will see its definitions and the people within them shift too frequently to maintain.
Benefits & Costs

The approaches discussed generally consist of creating a container for non-person objects that represent the organizational structure at some granularity; the DNs of those objects are then used as the orgDN or orgUnitDN values of person entries. These values can drive authorization information for access control decisions, and can also be used for provisioning. In both categories the information is useful mainly where services and privileges are granted to everyone in a department or similar unit.

Tom says he has been a "flatworlder" in philosophy, and still feels that is a fine architecture. He mentioned one "marginal reason" in favour of putting organizational structure in the DIT: the capabilities of the DSA can be leveraged, meaning less reproduction of functionality in applications. He also observed that mapping people onto the structure is independent of mapping out the structure itself.

Another place benefits could lie is in the hierarchy that a DIT naturally imparts. Rolling up and down the tree and exploiting inheritance and the like is very intriguing, and could factor into RBAC in interesting ways. This is largely unexplored territory, however.

Everyone saw a substantial cost, though, in what it would take to keep these structures up to date relative to how frequently campuses change. Colleges and departments appear, disappear, and merge in strange ways, and people flow relatively freely across these boundaries. Too much evolution in the DIT is a painful thing.

Where is the Natural Tree?

A campus has many different tree-like structures on which a directory structure could be based. Accounting was mentioned as having a nice hierarchy, but that hierarchy is generally artificial with respect to the academic tree, while the academic tree itself is often littered with varying conventions and structures.
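The following is an added illustration, not part of the minutes nor any campus's implementation, of the two representations weighed under Benefits & Costs: people placed beneath org-unit containers in the DIT (so the DSA's subtree search does the rollup) versus flat person entries that point at org-unit entries through eduPersonOrgUnitDN. It then applies the reorganization cost raised above by moving a department to a different college under each model and counting how many entries must be renamed. Everything in it is constructed: the dc=example,dc=edu tree, the people, and in particular parentOrgUnitDN, which is a hypothetical attribute chosen for the example and not part of eduOrg or eduPerson. DN comparison is done by plain string suffix, which is adequate for this data but not a substitute for proper DN normalisation.

```python
"""Organizational structure in an LDAP DIT, two ways (all data constructed).
Model A: people live beneath their org units; a subtree search rolls up the tree.
Model B: people sit in ou=People and point at flat org-unit entries through
eduPersonOrgUnitDN; units chain via parentOrgUnitDN, an ASSUMED, non-standard attribute."""
from collections import defaultdict

HIERARCHICAL_LDIF = """\
dn: ou=Arts and Sciences,dc=example,dc=edu
objectClass: organizationalUnit

dn: ou=Engineering,dc=example,dc=edu
objectClass: organizationalUnit

dn: ou=Physics,ou=Arts and Sciences,dc=example,dc=edu
objectClass: organizationalUnit

dn: uid=alice,ou=Physics,ou=Arts and Sciences,dc=example,dc=edu
objectClass: person
uid: alice
"""
FLAT_LDIF = """\
dn: ou=Arts and Sciences,ou=OrgUnits,dc=example,dc=edu
objectClass: organizationalUnit

dn: ou=Engineering,ou=OrgUnits,dc=example,dc=edu
objectClass: organizationalUnit

dn: ou=Physics,ou=OrgUnits,dc=example,dc=edu
objectClass: organizationalUnit
parentOrgUnitDN: ou=Arts and Sciences,ou=OrgUnits,dc=example,dc=edu

dn: uid=alice,ou=People,dc=example,dc=edu
objectClass: person
uid: alice
eduPersonOrgUnitDN: ou=Physics,ou=OrgUnits,dc=example,dc=edu
"""

def parse_ldif(text):
    """Minimal LDIF reader (no line folding, no base64): maps dn -> {attr: [values]}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs[name].append(value)
        entries[attrs["dn"][0]] = attrs
    return entries

def is_under(dn, base):
    """Subtree test by suffix; real DN matching must also normalise case and escaping."""
    return dn == base or dn.endswith("," + base)

def people_hier(entries, base):
    """Model A: one subtree search does the rollup for us."""
    return sorted(e["uid"][0] for dn, e in entries.items()
                  if "person" in e["objectClass"] and is_under(dn, base))

def people_flat(entries, base):
    """Model B: the application walks parentOrgUnitDN to a fixed point, then
    matches each person's eduPersonOrgUnitDN against the units found."""
    units, grew = {base}, True
    while grew:
        grew = False
        for dn, e in entries.items():
            if dn not in units and any(p in units for p in e.get("parentOrgUnitDN", [])):
                units.add(dn)
                grew = True
    return sorted(e["uid"][0] for e in entries.values() if "person" in e["objectClass"]
                  and any(u in units for u in e.get("eduPersonOrgUnitDN", [])))

def move_unit_hier(entries, unit_dn, new_parent_dn):
    """Model A reorg: the unit and every entry beneath it get new DNs (modrdn)."""
    new_unit_dn = unit_dn.split(",", 1)[0] + "," + new_parent_dn
    renamed = 0
    for dn in list(entries):
        if is_under(dn, unit_dn):
            e = entries.pop(dn)
            e["dn"] = [dn[:len(dn) - len(unit_dn)] + new_unit_dn]
            entries[e["dn"][0]] = e
            renamed += 1
    return renamed

def move_unit_flat(entries, unit_dn, new_parent_dn):
    """Model B reorg: one attribute on one entry changes; no DN moves anywhere."""
    entries[unit_dn]["parentOrgUnitDN"] = [new_parent_dn]
    return 0

def demo():
    """Move Physics from Arts and Sciences to Engineering under both models."""
    h, f = parse_ldif(HIERARCHICAL_LDIF), parse_ldif(FLAT_LDIF)
    before = (people_hier(h, "ou=Arts and Sciences,dc=example,dc=edu"),
              people_flat(f, "ou=Arts and Sciences,ou=OrgUnits,dc=example,dc=edu"))
    renamed = (move_unit_hier(h, "ou=Physics,ou=Arts and Sciences,dc=example,dc=edu",
                              "ou=Engineering,dc=example,dc=edu"),
               move_unit_flat(f, "ou=Physics,ou=OrgUnits,dc=example,dc=edu",
                              "ou=Engineering,ou=OrgUnits,dc=example,dc=edu"))
    after = (people_hier(h, "ou=Engineering,dc=example,dc=edu"),
             people_flat(f, "ou=Engineering,ou=OrgUnits,dc=example,dc=edu"))
    return {"before": before, "after": after, "renamed": renamed}
```

Both models answer "who is under Arts and Sciences?" the same way before and "who is under Engineering?" the same way after the move. The difference is where the work lands: in the hierarchical model the department entry and every person entry beneath it are renamed, and anything that stored those DNs (group members, ACLs, application caches) is now stale; in the flat model the person entries and their eduPersonOrgUnitDN values never change, and only the hypothetical parent pointer on one org-unit entry is edited, at the price of the application doing the tree walk the DSA would otherwise have done.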
Barry observed that "org charts have the shortest life-span of anything out there shy of fruit flies." Michael responded that we may want to be careful about the term "organizational structure" if we are in fact representing some other tree. After some discussion, the permanence and monolithic nature of the tree emerged as what matters, and while odd things happen on campus, the flow of money is a very difficult thing to alter.

*Action Item*
[AI] Keith recruited himself, Art, Bob, Tom, and Michael as volunteer case studies to write up current thinking and implementation reality at their campuses.