MACE-paccman Working Group Face-to-Face Session
Internet2 Fall Member Meeting, Atlanta
Monday, 1-Nov-2010
http://events.internet2.edu/2010/fall-mm/agenda.cfm?go=session&id=10001465&event=1159
Overview of MACE-paccman Working Group Activities - Rob Carter
http://www.internet2.edu/presentations/fall10/20101101-MACEpaccmanupdate-carter.pdf
The early focus of MACE-paccman was on defining the problem space. A glossary and taxonomy of access management terms were developed
https://spaces.internet2.edu/display/macepaccman/MACE-paccman-glossary
In the taxonomy, the attempt was to document how people are using a term, rather than to tell people what the term should mean
https://spaces.internet2.edu/display/macepaccman/MACE-paccman+comparative+taxonomy
More recently, the focus has been on use cases, solution options, APIs and patterns
https://spaces.internet2.edu/display/macepaccman/Use+Case+Tabulation
One benefit of categorizing use cases is that this provides common references/models for MACE-paccman conversations
Ongoing efforts:
XACML expression of selected use cases
Federated Access Management topics
caBIG use cases
Federated Grouper
Provisioning: SPML, Oracle
Policy Management: SpocP, Oracle
Tracking other projects, such as Grouper, COmanage, Kuali, Kantara, etc.
Provisioning - Tom Zeller
http://www.internet2.edu/presentations/fall10/20101101-SPML-zeller.pdf
SPML can help solve the problems MACE-paccman is trying to handle.
One approach: express solutions to access management use cases in XACML; it would then be possible to wrap the XACML in SPML for provisioning. (A possible issue is limited support for XACML.)
OASIS standards body has stated support for SPML, version 2.1
http://www.oasis-open.org/specs/
Two possible profiles for provisioning: DSMLv2 & XSD
SPML's stated goal is that it should prevent users from being locked into vendor solutions. This could be a possible roadblock to vendor adoption.
TomZ reviewed the SAML SPML mashup flowchart of how to pass groups, members, subjects, permissions, attributes, roles to SAML or SPML for provisioning.
Sometimes when SPML adoption for provisioning is discussed, it is suggested that it makes more sense to leverage SAML, which is already broadly used. The issue is that currently SAML handles provisioning issues only at a high level. For provisioning to work, the SAML standards body will need to work on a notify capability. SLAs between IdPs and SPs will be required. The vision is that SPML is a profile that can work with SAML to enable provisioning without changes to SAML.
Q: HR systems have service interfaces that do some degree of provisioning with some local role. Most have roles embedded in them. How would SPML fit into that environment?
A: TomZ: Since vendor support is weak, we'd express the info we care about in SPML, and write code to translate that to whatever the specific application supports. But if extensions are made to SAML, then in the future maybe it will be possible to use SAML SSO Systems to express those roles.
Nate Klingenstein: Some implementation work is being done in the vendor community regarding "change notify."
Tom Barton noted that the target of the provisioning could be a vendor provided application, but could also be an LDAP directory.
Tom Dopirak stated that he is responsible for access management use cases involving levels of entitlements in the vendor space. There is a lot of vendor specificity. But there is also a need to develop generalized models. If TIAA were federated, what might the model be?
SPOCP - Roland Hedberg
http://www.internet2.edu/presentations/fall10/20101101-spocp-rules-hedberg.pdf
Roland first spoke about SpocP at an Internet2 Member Meeting in 2003 or 2004.
SPOCP involves writing S-expressions.
Ideally it would be good to provide a UI, with drop-down lists, where the user can specify the context of the rule and then make choices (see slide #3).
As a reference point, Roland used SPOCP to solve the MACE-paccman use case "Course Deadline Extended"
https://spaces.internet2.edu/display/macepaccman/Spocp+and+selected+use+cases
Three parts to SPOCP rules:
Rule
Boundary condition
A string that gets returned
It is clear that boundary conditions are very powerful. Classes and relationships between elements are important. An ontology will be helpful.
It helps to ask:
What are we trying to protect?
What do we expect people to do with these resources?
Who is trying to do this? Where is the subject doing it? During what period of time? (might not matter)
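As an added illustration of the three-part rule structure described above (rule pattern, boundary condition, returned string), not SPOCP's own code or syntax: a small S-expression rule engine applied to the "Course Deadline Extended" use case. The prefix-match semantics, the "*" wildcard, the rule texts and the course/term data are all assumptions made for this example.

```python
from datetime import date

def parse(text):
    """Parse a minimal S-expression into nested lists of strings (assumed syntax)."""
    tokens = text.replace("(", " ( ").replace(")", " ) ").split()
    def read(pos):
        if tokens[pos] == "(":
            items, pos = [], pos + 1
            while tokens[pos] != ")":
                item, pos = read(pos)
                items.append(item)
            return items, pos + 1
        return tokens[pos], pos + 1
    tree, end = read(0)
    if end != len(tokens):
        raise ValueError("trailing tokens after S-expression")
    return tree

def matches(rule, query):
    """A rule matches when it is a prefix of the query at every nesting level:
    each rule element must match the query element in the same position, and
    the query may carry extra, more specific elements the rule does not mention.
    "*" is an assumed wildcard matching any single element."""
    if rule == "*":
        return True
    if isinstance(rule, str) or isinstance(query, str):
        return rule == query
    return len(rule) <= len(query) and all(matches(r, q) for r, q in zip(rule, query))

# Constructed rules: (pattern, boundary condition over request context, returned string).
RULES = [
    (parse("(course * (action extend-deadline) (subject (role instructor)))"),
     lambda ctx: ctx["today"] <= ctx["term_end"],       # only while the term is running
     "instructor-extend"),
    (parse("(course (id CS101) (action extend-deadline) (subject (role ta)))"),
     lambda ctx: ctx.get("delegated", False),            # TA needs explicit delegation
     "ta-extend-cs101"),
]

def decide(query_text, ctx):
    """Return the string of the first rule whose pattern and boundary condition
    both hold for this query; None means no rule grants the request."""
    query = parse(query_text)
    for pattern, bcond, answer in RULES:
        if matches(pattern, query) and bcond(ctx):
            return answer
    return None
```

The wildcard lets the instructor rule cover any course id, while the TA rule is pinned to CS101 and still depends on a boundary condition evaluated at request time.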
Keith Hazelton has committed to exploring SpocP further. Keith hopes to create a blog-like account of the process and possibly develop a tutorial. No SpocP tutorials currently exist.
Q: Why adopt SPOCP when there is XACML?
A: Roland: There are two reasons:
1. performance: work was done to make the server fast
2. mathematical proof that the rule engine always gives correct answers
The Grouper team is looking at handling rules in Grouper with a rules package. Chris Hyzer will go over that later in the Grouper WG. This focuses on handling events that occur in Grouper, i.e., triggers on Grouper actions.
Q: Who has experience in extracting authorization questions from an application?
A: Clemson has experience with that, using XACML, and will present at a track session on Tuesday, Nov. 2, titled "The Central.Clemson Story: a Rules-based Approach to Managing Course Sections and Provisioning"
http://events.internet2.edu/2010/fall-mm/agenda.cfm?go=session&id=10001397&event=1159
CMU is planning to build student systems that pull most of the authorization issues outside of the system. Possibly the solution will be to use a Java API to pull all the questions into one place.
LOGO for the MACE-paccman Working Group
The MACE-paccman working group is open to suggestions for a logo. Logo suggestions and contributions are encouraged.
Next MACE-paccman Call: Thursday, Nov. 18 at 1 pm ET