MACE-Dir Working Group Session
2009 Internet2 Spring Member Meeting
Monday, April 27, 2009
**Attending**
Brendan Bellina, University of Southern California (chair)
Tom Barton, University of Chicago
Debbie Bucci, NIH
Scott Cantor, The Ohio State University
Rob Carter, Duke University
Steve Carmody, Brown University
David Chadwick, University of Kent
Tom Dopirak, Carnegie Mellon
Emily Eisbruch, Internet2
Ken Forstmeier, Penn State University
Tom Golson, Texas A&M University
Roland Hedberg, Umea University
Leif Johansson, Stockholm University/SUNET
IJ Kim, Internet2
Thomas Leggenhager, SWITCH
Lucy Lynch, ISOC
Max Miller, Penn State University
Steve Olshansky, Internet2
Shilen Patel, Duke University
Michael Pelikan, Penn State University
Paul Riddle, University of Maryland, Baltimore County
Etan Weintraub, Johns Hopkins University
Dean Woodbeck, Internet2 (scribe)
**Completed Items**
Survey on use of groups (Etan Weintraub)
https://spaces.internet2.edu/display/macedir/Survey+on+Group+Usage
Survey on the handling of test/training/admin accounts (Joy Veronneau)
https://spaces.internet2.edu/display/macedir/Survey+on+Test+Identities
Relocation of platform-specific eduPerson LDIFs to Internet2 wiki (Etan Weintraub, Steve Olshansky)
https://spaces.internet2.edu/display/macedir/LDIFs
**Active Items**
• Analysis of Local Person Attributes
• Survey of use of email attributes
• Survey of use of name attributes
• Survey of use of commercial IAM products
**Open discussion topics**
• Levels of Assurance
o The eduPersonAssurance attribute was added to the schema about a year ago; it is not clear whether anyone is populating or consuming it yet
• Access/privilege mgmt
• Kuali and other efforts
• Expansion into K-12 space
• Organizational identifiers
o LMS
o Libraries
**Group Usage Survey**
There were 22 responses to the survey regarding the use of groups. Here is a summary of the results.
Directory products in use (number of respondents in parentheses; respondents could name more than one product):
1. Active Directory (16)
a. Most that use AD also use something else
2. OpenLDAP (12)
3. Sun (10)
4. eDirectory (5)
5. Other (4)
6. Oracle (3)
7. Fedora (1)
8. IBM (1)
If you use more than one product, are you synchronizing them?
1. Multiple and synching (13)
2. Single product (5)
3. Multiple and not synching (4)
How are you synching?
1. Custom (9)
2. Novell IdM (3)
3. Sun IdM (2)
4. Grouper (1)
5. IBM TDI (1)
6. MS ILM (1)
7. Oracle IdM (1)
8. slurpd (1)
Are the standard object classes sufficient for your needs?
1. No (14)
2. Yes (6)
3. Not sure (1)
What type of groups are you using?
1. Static (11)
2. Static and dynamic (9)
3. Dynamic (1)
How do you use groups?
1. AuthZ (3)
2. Release attributes for application to determine authZ (3)
3. Base authZ on attributes (2)
4. All of the above (9)
How many groups do you have in LDAP?
1. 100 - 1,000 (6)
2. 1,000 – 10,000 (5)
3. less than 100 (4)
4. 10,000 – 100,000 (3)
5. more than 100,000 (3)
Do your group memberships include “external” people?
1. No (15)
2. Yes (6)
Can users create groups themselves?
• Most respondents require central IT or designated admins to create groups, or at least create a root tree for the groups
• Some allow creation of groups directly by users with some limitations (naming, location, membership for example)
• Few allow complete freedom for users to create groups
How is removal of deleted users handled?
• Most do it manually
• Some have Grouper or the LDAP directory/process handle it.
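Manual cleanup of deleted users leaves a well-known hazard: a groupOfNames entry keeps its member DNs after the person entry is removed, and if the identifier is later reused the new holder silently inherits every membership (and every authorization) of the old one. The following script is an added example, not code from the working group or from any of the products named above; it takes an LDIF dump of the directory (a constructed sample is embedded in place of a real export) and reports every group member DN that does not resolve to an entry. The LDIF parser is deliberately minimal (no base64 values or line continuation) and DN comparison is a case-folding simplification of LDAP's per-attribute matching rules, which is adequate for the cn/uid/ou/dc attributes used here.

```python
"""Find group members whose DN no longer exists in a directory snapshot.

Added example: detects the dangling member references that remain when a
user entry is deleted but group memberships are cleaned up by hand.
"""

from collections import defaultdict

# Constructed sample LDIF (not real data).  The entry for uid=jsmith has been
# deleted, but two groups still list it as a member.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=edu
objectClass: inetOrgPerson
uid: alice
cn: Alice Example

dn: uid=bob,ou=people,dc=example,dc=edu
objectClass: inetOrgPerson
uid: bob
cn: Bob Example

dn: cn=staff,ou=groups,dc=example,dc=edu
objectClass: groupOfNames
cn: staff
member: uid=alice,ou=people,dc=example,dc=edu
member: uid=jsmith,ou=people,dc=example,dc=edu

dn: cn=payroll-admins,ou=groups,dc=example,dc=edu
objectClass: groupOfNames
cn: payroll-admins
member: UID=Bob,OU=People,DC=example,DC=edu
member: uid=jsmith,ou=people,dc=example,dc=edu
member: cn=staff,ou=groups,dc=example,dc=edu
"""


def normalize_dn(dn):
    """Case-fold and strip whitespace around RDN separators.

    Simplification: real DN equality uses each attribute's matching rule;
    cn, uid, ou and dc are all caseIgnore, so this is sufficient here.
    """
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Parse minimal LDIF (no base64 values, no continuation lines) into
    {normalized_dn: {attribute_lowercase: [values]}}."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:              # blank line ends the current entry
            current = None
            continue
        if line.startswith("#"):  # LDIF comment
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = defaultdict(list)
            entries[normalize_dn(value)] = current
            continue
        if current is None:
            raise ValueError("attribute line before dn: %r" % line)
        current[attr].append(value)
    return entries


def find_dangling_members(entries, member_attrs=("member", "uniquemember")):
    """Return {group_dn: [member_dn, ...]} for every member value (in
    groupOfNames / groupOfUniqueNames entries) that resolves to no entry.
    Members that are themselves groups count as resolved (nesting)."""
    dangling = {}
    for dn, attrs in entries.items():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if not classes & {"groupofnames", "groupofuniquenames"}:
            continue
        missing = [m for attr in member_attrs
                   for m in attrs.get(attr, [])
                   if normalize_dn(m) not in entries]
        if missing:
            dangling[dn] = missing
    return dangling


def report(text=SAMPLE_LDIF):
    """Run the check over an LDIF dump and return the findings."""
    return find_dangling_members(parse_ldif(text))


if __name__ == "__main__":
    for group, members in sorted(report().items()):
        for member in members:
            print("%s -> dangling member %s" % (group, member))
```

Run against a real export (for example the output of ldapsearch over the groups and people subtrees) the same report() function yields the list of references to remove; a directory that enforces referential integrity on member attributes, or a group manager such as Grouper driving the provisioning, removes the need for this check, which is the point of the respondents who said they let the directory or Grouper handle it.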
How many members does your largest static group have?
1. Less than 1,000 (7)
2. 10,000 – 100,000 (6)
3. more than 100,000 (6)
4. 1,000 – 10,000 (2)
Do you have groups that mirror affiliations?
1. Yes (14)
2. No (7)
Do you maintain group memberships based on data provisioned from other systems of record?
1. Yes (16)
2. No (5)
Do you support protected group members (not everyone can view the membership)?
1. Yes (12)
2. No (9)
How do you handle group naming policy?
• No common ground across the responses
• Some methods
o Institution prefix for organizational groups. Username prefix for user-created groups
o Project-based prefix naming
o Most do their best to make names descriptive, yet short
• Most users can maintain the names of the groups they create
Can users manage and change their group memberships on their own?
1. Yes (11)
2. No (10)
Are people allowed to create groups that they are not members of?
1. Yes (13)
2. No (8)
What tools do you want?
1. Better provisioning (7)
2. Better UI (5)
3. Auditing system (3)
4. Better reporting tools (3)
5. Server-side nesting expansion (1)
6. Tools to expose roles as groups for AuthZ (1)
What other issues do you have with group management?
• Integration with applications
• Management of groups
• Speed of interaction with dynamic groups
• Rebuilding of semi-dynamic groups is not easy and can be time-consuming
Do you encourage group reuse where applicable?
• No (14)
• Yes (7)
----------
Comments and discussion
There was considerable discussion about the survey findings and next steps. The consensus was to review the survey responses and identify the schools that seem most willing to speak about their experiences, judging by the length and detail of their answers. The next step would be to approach those schools about developing use cases. There was also discussion about identifying common issues and writing a document or white paper, or updating the current best practices paper:
http://middleware.internet2.edu/dir/groups/internet2-mace-dir-groups-best-practices-200210.htm.
There was some discussion about waiting to revise the document to allow for additional implementations of Grouper to come to fruition. Doing the revision sooner, however, may help schools considering implementing groups, or that are in the early stages of deployment.
Groups -- There seems to be growing momentum with Grouper. Some of that may not come through on the survey, because much of the action with Grouper is not with LDAP. Even if institutions aren’t adopting Grouper at this point, the momentum may lead them to wonder why they aren’t considering group management.
One of the advantages to updating the best practices document, and for developing use cases, is to help identify issues to consider, potential roadblocks, different approaches, providing for auditability, and defining the roles of central IT and departments. This also provides an opportunity to start talking about levels of assurance and access management.
The working group also discussed oversight of groups by central IT, particularly the management or elimination of groups when the person who created them leaves the institution. Policies and practices such as naming conventions may help. There was also a discussion about privacy issues, particularly related to FERPA (the U.S. Family Educational Rights and Privacy Act) and gaining a student's permission to be added to a group.
The discussion also included how the use of attributes relates to FERPA and a student’s ability to control the release of attributes. The Swiss federation has created and deployed uApprove, a method for allowing a user to give (or deny) permission to release attributes to applications. Early indications are that using uApprove – giving a student the ability to control the release of attributes – would comply with FERPA, as long as there is a log of the events.
**Next Meeting**
The next working group meeting is scheduled for May 18, 2009 at 4:30 PM EDT (GMT-4)