**MACE-Dir call 8-Sep-08**
**Attending**
Etan Weintraub, Johns Hopkins (stand-in chair)
Joy Veronneau, Cornell U.
Scott Cantor, The Ohio State U.
Todd Piket, Minnesota State Colleges and Universities
Paul Hill, MIT
Tom Barton, U. Chicago
Steve Olshansky, Internet2 (scribe)
**New Action Items**
[AI] (Etan) will incorporate feedback and revise the survey ASAP, and
work with SteveO to get it into SurveyMonkey.
[AI] (Joy) will work on creating a test account survey in the wiki.
[AI] (Scott) will draft a brief description of the user-consent-based
attribute release use case and send it to the list.
*Carryover Action Items*
[AI] (Brendan) will poll the mailing list for feedback on the use of
name fields, and whether they have had the need to extend eduPerson
locally with additional name fields.
[AI] (Brendan) will coordinate with the leaders of the Educause IdM
Constituent Group, toward the goal of polling that group along with
MACE-Dir for feedback on the use of commercial and open-source IdM products.
[AI] (RL "Bob") will announce eduPersonAssurance on the TF-EMC2 list.
[AI] (Bill Weems) will share a whitepaper addressing global Identity
Management.
[AI] (Tim Crouch) will craft a survey on eduCourse adoption and usage.
[AI] (Bob Morgan) will craft a survey on use of the mail attribute and
possible need for additional email attributes.
**Discussion**
- Review survey on group usage
<https://spaces.internet2.edu/display/macedir/Survey+on+Group+Usage>
Should we attempt to get a sense of what the organization is doing with
groups – e.g. scale and application?
Policy questions (e.g. naming) that may be hindering group efforts. The
people best suited to answer these are likely different from the technical
staff within the organization, but the technical staff would know whom to
direct the policy questions to.
The initial focus was on the actual tools, but there was discussion
around extending this to encompass policy issues as well.
Do we need to constrain it to group usage in LDAP? Should we clarify
that to be “directories”? The intent was to exclude tools like Grouper
or application-level databases that serve as group repositories.
What are the real objectives of the survey? Do we have particular tools
in mind that we want to evaluate by these criteria?
Should we ask what tools are being used currently to manage groups, and
for feedback on these tools?
Consensus on the call was to continue working on the survey, and have it
ready to go by the next call with the intent to roll it out and have
responses to discuss at the Fall Internet2 Member Meeting.
[AI] (Etan) will incorporate feedback and revise the survey ASAP, and
work with SteveO to get it into SurveyMonkey.
- Discussion of practices for handling non-person or non-production
accounts in a production IdM system.
- do you have training accounts or identities in production?
- do you have test accounts or identities in production?
- do you have trouble-shooting accounts or identities in production?
- do you allow accounts or identities to be taken over to assist in
trouble-shooting?
- do you have a separate IdM system for developers to use when
developing applications?
- what practices are followed for protecting sensitive information in
non-production directories or registries?
It was observed that this often entails (or at least should entail) a
test/development infrastructure in order to separate it from the
production system, but sometimes this is just not possible…
Provisioning these test accounts often requires duplicating supporting
infrastructure, and can thus turn into a substantial effort.
One university provisions their test environment with production data,
but still found that some set of test IDs for production systems are
often needed.
This is essentially more a systems-of-authority problem than an IdM
problem… Privilege management systems would introduce another level of
complexity to a test environment.
Tying test accounts to an actual identity (i.e. second account assigned
to a responsible party) is a good approach to making the test accounts
as “real” as possible and thus as useful as possible.
“Controlled impersonation” within the SSO system is another approach
proposed.
It was proposed to take these questions and work them into a survey, as
this would be useful information to gather from both small and large
schools.
It was observed that application developers will sometimes create a
backdoor in systems to get around the lack of a test environment, and if
done improperly these often lead to a risk of compromise later on.
[AI] (Joy) will work on creating a test account survey in the wiki.
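One concrete way to act on the practice discussed above (tying every test, training or troubleshooting account to a responsible party and keeping it out of privileged groups) is a periodic audit of the directory export. The script below is an added example, not code from the call or from any participant's institution; it assumes a hypothetical local schema extension with attributes `localAccountType`, `localResponsibleParty` and `localExpires` (these are illustrative names, not part of eduPerson), and the LDIF sample is constructed.

```python
"""Audit non-person accounts in a directory export (added example).

Assumed hypothetical local schema extension:
  localAccountType      person | test | training | service | troubleshooting
  localResponsibleParty DN of the real person accountable for the account
  localExpires          YYYYMMDD after which the account should be gone
"""
from datetime import date

# Constructed sample LDIF export; not real data.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=edu
uid: jdoe
localAccountType: person
eduPersonAffiliation: staff

dn: uid=jdoe-test,ou=people,dc=example,dc=edu
uid: jdoe-test
localAccountType: test
localResponsibleParty: uid=jdoe,ou=people,dc=example,dc=edu
localExpires: 20991231

dn: uid=svc-loadtest,ou=people,dc=example,dc=edu
uid: svc-loadtest
localAccountType: test

dn: uid=training01,ou=people,dc=example,dc=edu
uid: training01
localAccountType: training
localResponsibleParty: uid=jdoe,ou=people,dc=example,dc=edu
localExpires: 20080101
isMemberOf: cn=idm-admins,ou=groups,dc=example,dc=edu
"""

# Groups a non-person account must never belong to (hypothetical DNs).
PRIVILEGED_GROUPS = {"cn=idm-admins,ou=groups,dc=example,dc=edu"}
NON_PERSON_TYPES = {"test", "training", "service", "troubleshooting"}


def parse_ldif(text):
    """Minimal LDIF reader for the sample: one {attr: [values]} dict per
    blank-line-separated entry. No base64 or line-continuation support."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def audit(entries, today):
    """Return (dn, problem) pairs for non-person accounts that lack an
    owner, lack or have passed their expiry, or sit in a privileged group."""
    findings = []
    for e in entries:
        dn = e["dn"][0]
        acct_type = e.get("localAccountType", ["person"])[0]
        if acct_type not in NON_PERSON_TYPES:
            continue  # real people are out of scope for this check
        if "localResponsibleParty" not in e:
            findings.append((dn, "no responsible party"))
        exp = e.get("localExpires", [None])[0]
        if exp is None:
            findings.append((dn, "no expiry"))
        elif date(int(exp[:4]), int(exp[4:6]), int(exp[6:8])) < today:
            findings.append((dn, "expired"))
        for group in e.get("isMemberOf", []):
            if group in PRIVILEGED_GROUPS:
                findings.append((dn, "member of privileged group " + group))
    return findings


if __name__ == "__main__":
    for dn, problem in audit(parse_ldif(SAMPLE_LDIF), date.today()):
        print(f"{dn}: {problem}")
```

Run against a nightly export, the output is the list an operator would chase: `jdoe-test` passes because it has an owner, a future expiry and no privileged membership; `svc-loadtest` has neither owner nor expiry; `training01` is both expired and a member of an admin group, which is exactly the kind of forgotten non-production account that becomes a foothold later.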
- The Shibboleth team is looking at user-consent-based attribute release
models (vs. administrator-based), and this is spurring discussion around
the data elements required to support this. MACE-Dir would be the
appropriate venue in which to flesh this out.
[AI] (Scott) will draft a brief description of the use case and send it
to the list.