MACE-paccman call 13-Mar-09
**Attending**
Tom Dopirak, CMU (chair)
R.L. “Bob” Morgan, U. Washington
Tom Barton, U. Chicago
Rob Carter, Duke
Chris Hyzer, Penn
Steven Carmody, Brown
Ben Oshrin, Rutgers
Michael Gettes, MIT
Paul Hill, MIT
Jim Repa, MIT
Scott Canter, The Ohio State University
Ann West, EDUCAUSE/Internet2
Steve Olshansky, Internet2
Emily Eisbruch, Internet2 (scribe)
**New Action Items**
[AI] (Paul) will coordinate efforts to define undefined terms for the Glossary.
[AI] (RL Bob) will invite Alan Walsh to join the MACE-paccman group.
[AI] (TomD) will talk with his colleagues regarding outreach to Sakai.
[AI] (Ben) will continue outreach to his uPortal contacts.
**Carryover Action Items**
[AI] (Klara and Rob) will develop and make available a summary of the privilege management survey (part 2) results. (SteveO) will work with them to enable working group access to the survey data.
Discussion
Conversations with Kuali
Bob talked with Bill Yak, who is on the Kuali board, about relationships between MACE, Internet2 and Kuali Rice. There is agreement there should be some relationship. Kuali Rice is still putting its charter together.
Eric Westfall, the Kuali Rice project lead, and Bill Yak will attend the Internet2 Spring Member Meeting and there will be opportunity for more discussion. Also, Eric Westfall is on the program committee of the Identity Summit Advanced CAMP in Philadelphia this June.
http://net.educause.edu/camp093
TomB talked with Jennifer Foutty, executive director for Kuali. The Kuali team recognizes that there should be some arrangement for cross-cutting types of concerns, specifically between Kuali, Internet2, and Fluid. They are thinking about how that would work.
Privilege Management Survey
Rob reported that he is not quite done with the final write-up on the Privilege Management survey. He hopes to have a report ready in two weeks.
Rob is serving on the June CAMP program committee; the plan is to feed some of the data from the privilege management survey into the CAMP program.
https://spaces.internet2.edu/display/CAMPJune2009/CAMP+Access+Management
Glossary
Michael proposed in an email that the group should accept the Signet glossary as a basis for moving forward. Chris suggested that “Subject” should be used in place of “User,” and Michael agreed.
https://wiki.internet2.edu/confluence/display/SignetWG/Signet+Concepts%2C+Glossary%2C+Features
A few key terms are not defined in the Signet glossary.
[AI] (Paul) will coordinate efforts to define undefined terms for the glossary.
Representation from the Microsoft World
TomD: The Microsoft world uses different terminology and sees things in different ways. A lot of us currently on the call have an open source orientation. It would be beneficial to have a Microsoft/Windows perspective.
Bob noted that AzMan (Microsoft’s Authorization Manager) has not been widely adopted and there isn’t a consistent approach to authorization in the Windows world.
[AI] (RL Bob) will invite Alan Walsh to join the MACE-paccman group.
Portal
Ben spoke with Eric Dalquist from uPortal. Eric Dalquist is willing to do something in terms of participation in MACE-paccman, but he was not more specific than that.
[AI] (Ben) will continue outreach to his uPortal contacts.
uPortal is interested in replacing their PAGS (Person Attributes Group Store) approach with something more standard.
Spring
Kuali Rice and Portal both build on Spring. A good approach for MACE-paccman could be to encourage appropriate access management capabilities in Spring.
Sakai
[AI] (TomD) will talk with his colleagues regarding outreach to Sakai.
Other Players in the Applications World
Should the group consider outreach to other big players such as Peoplesoft, JD Edwards, or Oracle Financials?
Oracle has an applications integration framework that they are moving into a future release as part of Fusion. CMU is in the very early stages of looking into that. Rob commented that Duke uses Peoplesoft and SAP, which already have privileging systems embedded in them.
Auditors
Auditors care about external policy on how people get access.
Jim Repa: Auditors often assume that there are a few groups, rather than the multidimensional structure MIT uses.
TomD: CMU is trying to externalize the process and policies. CMU uses the notions of entitlements (policy level) and privileges (application level).
There can be many levels in access management. How much access management detail should be in a central authorization system and how much should be left to the application level?
Jira Issue Tracker
Chris made a video about Jira Issue Tracker handling of privileges:
https://wiki.internet2.edu/confluence/download/attachments/19013/jiraPrivileges.avi
With row level security, it’s good to have privileges within the application to optimize performance when responding to queries. If privileges are external, an import process can facilitate this. How should an application interface with an external system to deal with provisioning (daily batch feeds versus other approaches)?
Internet2 Spring Member Meeting
MACE-paccman working group meeting:
Monday, April 27 11:45am - 1:15pm
For agenda see:
http://events.internet2.edu/2009/spring-mm/agenda.cfm
Next Call: Friday, 27-Mar-09 at 11am ET