**MACE/MACE-paccman Call 14-March-2011**


**Attending**

RL "Bob" Morgan, U. Washington (MACE chair)

Keith Hazelton, U. Wisc. - Madison (MACE-paccman Co-Chair)

Tom Dopirak, CMU (MACE-paccman Co-Chair)

Renee Shuey, Penn State U.

Tom Barton, U. Chicago

Steven Carmody, Brown U.

Ann West, Internet2

David Wasley, independent

Rob Carter, Duke U.

Von Welch, Indiana U.

Chris Hyzer, U. Penn.

Benn Oshrin, Internet2

Mike Gossett, Clemson

Billy Cook, Clemson

Scott Cantor, OSU

Tom Zeller, U. Memphis

Mark Scheible, NC State U.

Emily Eisbruch, Internet2

Steve Olshansky, Internet2 (scribe)


NEXT CALL: 28-March-2011


Joint MACE-paccman and MACE call to discuss a paccman Work Plan for the upcoming year.


RL "Bob" noted that MACE-paccman is chartered by MACE, and the co-chairs have requested a checkpoint with MACE about its work plan and charter going forward, in light of events and developments since the original charter was approved.


Some of the potential work areas suggested include:


- various issues around permissions, e.g. an ontology or set of definitions for the terms in use, and the semantic models behind the ways they are applied in authz decisions and provisioning


- since Grouper has good delegation tools, the principles and practices of delegation could use some illumination


- authz in context, based upon a logical diagram TomZ developed as a starting point, including defining components and where they ought to reside (e.g. PDP, PEP, other P*P)


- the role of XACML tools and policy engines, potentially including purchasing an Axiomatics license for experimentation

http://www.axiomatics.com/


- identifying and promoting good practices in access management, presuming appropriate scope can be defined


- provisioning, perhaps including lessons learned and exploration of SPML


How could or should the WG work feed code development and deployment? It was also noted that some campuses have developed and deployed their own home-grown tools in this space.


Q: What relevant use cases are emerging in the Shib and Grouper work that are not easily solved?


A: For Grouper, they are not really new use cases so much as functionality and enhancement requests for the existing tools. There have been some product-specific integrations -- e.g. uPortal, Kuali, Atlassian -- and these might be instructive for other contexts as well.


A: For Shib, these issues are not really emerging on the calls, although occasionally they do surface on this list -- albeit relatively down in the weeds in the context of specific SP situations.


In VOs, delegation is often required, and there are questions about how best to do this with the various tools in use. Roles, entitlements and privileges need to be manifested in various apps in some coherent way, and this applies in non-VO contexts as well.


eduPersonEntitlements and groups could be used to fashion a viable solution, which in turn could be used by a XACML engine as a policy or rule.


It was observed that authz and access management are being tackled in the community, as well as in other MACE working groups, in one form or another. Thus the question arises: what ought to be the role and contribution of MACE-paccman? Or should it perhaps work more closely with Grouper and Shib? Many campuses are trying to move beyond case-by-case solutions, and an architectural framework would be an attractive option. There are not many case studies available yet, however, and this is an obstacle...


For example, the Drupal/Shib plugin is being used at several sites, but its suitability for the real needs out in the world is not yet clear. A logical PDP can be challenging even in this context, much less across the enterprise. Managing permissions in interactions with outside vendors can prove very challenging.


Application/infrastructure integration guidance would be an obvious area of interest, and case studies would be very useful in support of this.


The ways in which applications gain access to an authz infrastructure, and how that information can be conveyed to the app, are interesting questions... Push vs. pull? How to make use of different underlying technologies?


It was suggested that a "recipe" book might be a useful output, akin to the LDAP Recipe.

http://middleware.internet2.edu/dir/docs/ldap-recipe.htm


Is the space "big" enough for a recipe book format? As a reference for the community this might be very well received.


It was observed that there are several commercial systems that claim to address authz and permissions, which may be useful to examine for reference as to good and usable practices.


**Next Steps**

Consensus on the call was that developing and promulgating best practices would be very positive. Looking at functional requirements stemming from the perspectives of users and SPs would also be very positive. Injecting a risk-management perspective was also suggested...


MACE-paccman will further discuss the items surfaced on the call today, toward refining the charter, and bring it back to MACE for review.