MACE-Dir WG meeting 5-Oct-2009
Access Control/Privilege Mgmt within a federation context.
Texas A&M is looking at scoped affiliation and eduCourse membership for their uses. Entitlement discussions are proceeding with vendors. Releasing every privilege associated with a user to an app that only needs a subset is something that gives them pause.
USC uses opaque identifiers whenever possible, but is evaluating their utility, since some apps would benefit from a non-opaque id (e.g. wikis).
The terms "employee" and "staff" differ across cultures, both international and institutional, so some work needs to be done to accommodate these differences with more precise descriptions in the eduPerson spec and related documentation. Given the variance in the usage of these terms, building access policies directly on these attributes would be too simplistic for many use cases.
When enabling decisions about eligibility (or entitlement) for services is the goal, the more important issue is for all concerned in a particular usage to agree on the label definitions for their particular purposes. "Affiliation" usually doesn't meet this goal.
Anecdotally, some vendors end up just giving up and stop checking for authorization rather than spend too much time trying to solve this problem.
=> Collecting and documenting relevant experiences and the types of things that campuses need to think about in order to solve these sorts of problems was suggested as a useful body of work for MACE-Dir going forward.
Exception handling was raised as an issue that campuses need to think about.
A large vendor providing information mainly for student loan and transcript services has been working with some campuses in InCommon. This pilot is making good progress and is using local student identifiers instead of SSN (as was the case in the past). EPTID is a possibility, but more work needs to be done with the vendor on that.
Brendan reviewed a recent survey done by NISO (National Information Standards Organization) about the use of institutional identifiers in the library space. www.niso.org
The InCommon-Library group has a subgroup working with vendors (primarily in the US to begin with), and recommendations are available on their wiki page. https://spaces.internet2.edu/x/8oU0
The Tao of Attributes workshop last week, sponsored by GSA and NIH, was referenced. One idea raised there was a schema registry, which might turn into a Kantara working group.
http://middleware.internet2.edu/tao-of-attributes/