MACE-Dir WG call
March 26, 2007
*Participants*
Michael Gettes, Internet2 (chair)
Paul Hill, MIT
Brendan Bellina, USC
Etan Weintraub, Johns Hopkins U.
Keith Hazelton, U. Wisconsin-Madison
Tom Barton, U. Chicago
Renee Frost, Internet2
Steve Olshansky, Internet2
Jessica Bibbee, Internet2 (scribe)
New *Action Items*
[AI] {Tom} will talk to the Identity Management steering committee about possible bi-weekly conference call and meeting facilitation, and will report back to the group on the next WG call.
[AI] {Brendan} will review archives related to eduAccount and search for interested folks, eventually arranging a call focused on formulating the right questions to target a solution.
Carry-over *Action Items*
[AI] {Etan, Bob, and Victoriano} will begin to draft ideas surrounding the use of vocabulary in eduPersonAffiliation and eduPersonEntitlement. (13-Mar-07)
[AI] {Scott} will talk to {Ian Young} about soliciting proposal for a library patron. (12-Mar-07)
[AI] {Steve C.} will connect the UK folks with the mailing list and ask {Michael Kim} at Ovid-Silver Platter to post there. (12-Dec-06)
[AI] {Keith} will post a thread with discussion on members, and {Scott} will pass this on to folks in the UK. (12-Dec-06)
[AI] {Keith} will draft a document covering registered MACE entitlement values. (11-Sep-06)
Future *Agenda Topic*
– c (country) attribute (c.f. Tom Scavo's email, 22-Jan-07)
*Agenda*
1. MACE-Dir & EDUCAUSE – how might/should we work together on IdM issues?
2. eduAccount (c.f. Quanah Gibson-Mount's email, 20-Feb-07)
*Discussion*
-MACE-Dir & EDUCAUSE-
{Tom} said most folks agree that the objective is to more fully engage with constituents affiliated with EDUCAUSE. The question is how or where MACE-Dir should be involved in these efforts. What is the best way to shape the activity in a way that is conducive to this extent? Is the intent to gain traction in terms of participation or buy-in?
{SteveO} recommended that they pay particular attention to the perspective of smaller schools, who may need a small-scale mechanism for better dispersion of the Identity Management model. One such example was the NMI-ETR project <http://www.nmi-edit.org/etr.cfm>.
{Tom} wondered if the model and proposed solutions even came close to addressing the major pain points of small schools. Here is where it will be important to not focus on getting the model out, but to ensure that the current issues and new problems are captured. There are many campuses who do not participate actively on the mailing list, perhaps because the central items discussed do not strike a chord at their scale. A common goal is to increase engagement of the community, at all levels. The fundamental issue is to make sure the path-breaking efforts are within the perception of what the larger community thinks it ought to be.
{Michael} asked if it was necessary to have a formal meeting, and if it was more effective to have a verbal report, rather than written. What should the frequency be? Annual or more often?
{Tom} mentioned the EDUCAUSE Identity Management steering committee mailing list, which also has a wiki for use. [AI] {Tom} will talk to the Identity Management steering committee about possible bi-weekly conference call and meeting facilitation, and will report back to the group on the next WG call.
-eduAccount-
The majority of the Working Group call centered on a recent surfacing of the eduAccount topic (c.f. Quanah Gibson-Mount's email on 20-Feb-07). The question: Is eduAccount a good thing?
While at first glance the separation of accounts seems to make sense, the reality is that applications simply do not work that way – neither vendor nor home-grown applications. {Tom} commented that common practice these days addresses accounts vs. people.
{Paul} recalled there being a one-to-many mapping of people to accounts. Auditors like to see all the accounts a person has and which entitlements are associated with each account, but have always acknowledged that they have multiple accounts. However, the modeling in the system was less than adequate, and visibility was poor due to the low number of folks having access to that different system for visibility. It is possible to see all the accounts a person has in the metadata system, but this has not yet been applied to LDAP. Long-term service provisioning hopes to allow for viewing of a) entitlements, b) how many email accounts one has, c) where one has files, and d) what services/software one has access to.
The model for provisioning and deprovisioning needs to become more transparent. For example, one challenge is that the business office may wish to deactivate an account, which may not really be their goal. The intent may be to change the authorizations of a person leaving that office, but it may be the case that the person is only moving to another department and actually needs to continue with an active account. While some assign several accounts to any one person, licensing and reasons of simplicity point to an individual having a single account whereby the authorizations are then managed. Another challenge is that many applications still cannot tie into separate AuthZ easily. Also, there is the complexity of someone whose authorizations are contextual to how he or she is working at that point in time. R1 institutions are aware of the problems, while others are only beginning to learn.
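The person-to-accounts mapping and the "transfer, don't deactivate" point above can be made concrete in a small model. The following is an added example, not code from the Working Group or from any campus system; it assumes a constructed entitlement naming convention of the form "dept:<department>:<resource>" so that department-scoped authorizations can be told apart from campus-wide ones, and the sample person, accounts and entitlement values are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed convention: department-scoped entitlements carry this prefix,
# campus-wide ones (e.g. "common:mail") do not.
DEPT_PREFIX = "dept:"


@dataclass
class Account:
    """One account a person holds in one system, with its own entitlements."""
    account_id: str
    system: str
    active: bool = True
    entitlements: set[str] = field(default_factory=set)


@dataclass
class Person:
    """A person is the audit anchor; accounts hang off the person (one-to-many)."""
    person_id: str
    accounts: list[Account] = field(default_factory=list)


def audit_view(person: Person) -> dict[str, dict]:
    """What an auditor wants: every account a person has and what each can do."""
    return {
        acct.account_id: {
            "system": acct.system,
            "active": acct.active,
            "entitlements": sorted(acct.entitlements),
        }
        for acct in person.accounts
    }


def dept_entitlements(entitlements: set[str], dept: str) -> set[str]:
    """Select only the entitlements scoped to one department."""
    return {e for e in entitlements if e.startswith(f"{DEPT_PREFIX}{dept}:")}


def transfer_department(person: Person, old_dept: str, new_dept: str,
                        new_defaults: dict[str, list[str]]) -> dict[str, list[str]]:
    """Person moves between departments: revoke the old department's
    authorizations, grant the new department's defaults per system, and
    leave every account active. Returns what was revoked, per account."""
    removed: dict[str, list[str]] = {}
    for acct in person.accounts:
        old = dept_entitlements(acct.entitlements, old_dept)
        acct.entitlements -= old
        removed[acct.account_id] = sorted(old)
        for resource in new_defaults.get(acct.system, []):
            acct.entitlements.add(f"{DEPT_PREFIX}{new_dept}:{resource}")
    return removed


def deactivate_person(person: Person) -> list[str]:
    """Real departure: deactivate every account the person holds and strip
    all entitlements, so nothing is left dangling on a forgotten account."""
    for acct in person.accounts:
        acct.active = False
        acct.entitlements.clear()
    return [acct.account_id for acct in person.accounts]


def build_sample_person() -> Person:
    """Constructed sample: one person with a directory account and a mail account."""
    ldap = Account("jdoe", "campus-ldap",
                   entitlements={"common:vpn", "dept:finance:ledger",
                                 "dept:finance:payroll"})
    mail = Account("jdoe@example.edu", "email",
                   entitlements={"common:mail", "dept:finance:list-members"})
    return Person("P0001", [ldap, mail])


if __name__ == "__main__":
    p = build_sample_person()
    print("before:", audit_view(p))
    print("revoked:", transfer_department(p, "finance", "library",
                                          {"campus-ldap": ["catalog"]}))
    print("after:", audit_view(p))
```

The business-office request in the text maps onto transfer_department rather than deactivate_person: the finance entitlements are revoked on every account the person holds, the library defaults are granted, and the accounts stay active because the person is still a member of the institution. audit_view is the per-person, all-accounts listing that the audit angle asks for.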
{Paul} suggested a better way to explain it was to come from an audit angle, as opposed to an authentication angle. {Tom} said it would be useful to establish an activity or process in the context of MACE-Dir to investigate various practices, which will hopefully give shape to who does what, regarding EDUCAUSE and MACE-Dir.
How should the data be collected and who should do the collecting? While EDUCAUSE has a broad base of constituents, the Internet2/MACE-Dir community will be able to provide a more technical response. Additionally, it will be important to consider where the report is posted and how the document is written. A low-technical audience may not give it too much attention if it is not presented in a form that interests them enough to pass it along to the qualified technical reader. [AI] {Brendan} will review archives related to eduAccount and search for interested folks, eventually arranging a call focused on formulating the right questions to target a solution.
The next MACE-Dir Working Group call will be held on Monday, April 9, 2007 at 4:30pm EDT.