MACE-paccman WG Call of 17-Feb-2011

Attending

Tom Dopirak, CMU (Chair)
R.L "Bob" Morgan, U. Washington
Michael Gettes, CMU
Benn Oshrin, Internet2
Tom Zeller, U. Memphis
Billy Cook, Clemson
Mike Gosset, Clemson
Emily Eisbruch (scribe)

New Action Items

[AI] (RL Bob) will schedule a joint MACE-paccman and MACE call for Monday, March 14, at 1:30 ET.

[AI] (TomD) will start a wiki page to gather use cases on software as a service issues and solutions.

https://spaces.internet2.edu/display/macepaccman/access+management+use+case+for+Software+as+a+Service+%28+SAAS%29

[AI] (Boyd) will create an access management reference diagram on the MACE-paccman wiki (showing from no authorization to embedded authorization to privileges to just-in-time authorization).

Carry Over Action Items

[AI] (All) post on list any ideas of what should be highlighted on an updated MACE-paccman website.

[AI] (Keith) will develop a business case for funding the cost of the Axiomatics product for a period of investigation.

[AI] (Roland) will develop a write up on rules ontology and mapping to a UI. (update: Roland will bring this to Spring Member Meeting)

[AI] (Keith) will work on swimlane diagrams and a business process model for MACE-paccman use cases

[AI] (Rob) will continue to work towards adding caBIG use cases to the MACE-paccman wiki.

DISCUSSION

Report on Discussion with Grouper Working Group Chair

Keith and TomD met with Tom Barton, Chair of the Grouper Working Group, about possible ways for the paccman and Grouper Working Groups to cooperate on solving some challenges.

Keith's email summarizing this conversation:

***********************

The two Toms (Dopirak and Barton) and I had a conversation about Paccman and about Grouper's relationship to Paccman. Two ideas that emerged were:

1) Chris Hyzer has added a permissions management capability to Grouper. If Paccman WG members anticipate using this, the paccman working group could discover and document good practices and spell out some guidelines on how to develop and roll out permission management services.

2) Many of us on the Paccman call face near-term challenges around provisioning. Once again, the Grouper Project in the person of Tom Zeller continues to improve the provisioning capabilities of their software. Could the Paccman WG adopt a provisioning theme? The deliverables could include a lessons learned document, and perhaps a profile on the use of SPML to support a basic set of provisioning functions, call it SPMLite.

--Keith

**************

Comments:

Perhaps we should make MACE-paccman more for the masses and less for specialists
How many people can use externalized authorization? Is this too narrow and specialized a focus?
The reality is that most authorization is implemented inside applications
The Clemson folks noted that a central issue is "how do we ask authorization questions in a uniform way?"
Relating to Keith's point #1 above, this could represent too strong a tilt toward Grouper in the access management arena. We should keep looking at other open source tools as well.

Next Steps for paccman

Q: What should be the next steps for MACE-paccman? Should we look at developing a generic access management API?

Benn: the FIFER group is trying to put together a generic API for Group data. It would be great if paccman or some group would develop a generic API for access management.

Clemson:

Our focus is authorization decisions, i.e. "does this user have access to this resource?"
Clemson is focusing on externalized authorization data, so that there are not a lot of IF statements everywhere, but we go out to a central area with authorization information.
Solution is not necessarily XACML, it could be SAML
MichaelG articulated a distinction among authorization, permissions management, and policy description.

Authorization
Authorization is the act of testing permissions, it's not about XACML and how to implement XACML
It's about "what are the needs of the applications?" and
How can we engineer our applications to do external queries?
How to reengineer the apps to ask the external authorization questions?
Permissions management
Permission management schemes allow central management of the permissions so the answers can potentially be pushed out to applications
Policy Description Language
XACML is one policy description language that can produce permissions. These permissions could be loaded into a permission management system.
TomD:

An important factor is: "How just-in-time must authorization decisions be?"
XACML is good for just-in-time, it has the potential to make a decision based on frequently changing data
If I can make authorization decisions based on the state when I initiate a session, the problem is simpler. It can be more of a group math question
Today, most of our use cases can be solved with a more static solution, though it would be good to review the use cases to be sure
Clemson:

Our thinking has evolved somewhat concerning XACML
XACML will not be the end-all be-all
A lot could be accomplished with SAML or something else
Mike Gossett:

There will be multiple provisioning solutions (including SAML), but some standards are needed for interoperability
For redirection of authorization decisions, where an application asks for an authorization decision (for the policy enforcement points in applications), we need to settle on a common protocol
Then XACML, Grouper, perMIT, etc. can be on the other side
Want applications to be able to ask authorization questions, and want a variety of methodologies to be acceptable as answers
Clemson looks at authorization methodologies.
Pure XACML policies are too complicated for human administrators
Need methodologies, such as
Roles
Security Levels
On UNIX, ACLs and user/group/world permissions
Grouper groups
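As an added illustration of the "common protocol" point above (this is not code from the working group, Grouper, perMIT or Clemson; the interface, backend classes and sample data are all hypothetical), the sketch below gives applications one authorization question to ask, `permitted(subject, action, resource, **context)`, and puts the choice of methodology behind it: a group-membership backend whose answer is pure "group math" and can be computed once at session start, a just-in-time rule backend that looks at request-time context, and a combinator for using both. The enforcement point fails closed when the decision backend errors, which is the check a practitioner would want before externalizing decisions.

```python
"""Uniform authorization query with pluggable decision backends (illustration only)."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Protocol, Set, Tuple


@dataclass(frozen=True)
class AuthzRequest:
    """The one question every application asks: may SUBJECT do ACTION on RESOURCE?"""
    subject: str
    action: str
    resource: str
    context: Tuple[Tuple[str, object], ...] = ()  # request-time attributes, kept hashable

    def ctx(self, key: str, default=None):
        return dict(self.context).get(key, default)


class DecisionPoint(Protocol):
    """Any backend (group service, rule engine, XACML PDP, ...) implements this."""
    def decide(self, req: AuthzRequest) -> bool: ...


class GroupDecisionPoint:
    """Session-time backend: the answer depends only on group membership and grants,
    so it can be computed once when a session starts (the 'static' case)."""

    def __init__(self, memberships: Dict[str, Set[str]],
                 grants: Dict[Tuple[str, str], Set[str]]) -> None:
        self.memberships = memberships  # subject -> groups
        self.grants = grants            # (action, resource) -> groups allowed

    def decide(self, req: AuthzRequest) -> bool:
        allowed = self.grants.get((req.action, req.resource), set())
        return bool(self.memberships.get(req.subject, set()) & allowed)

    def permissions_for(self, subject: str) -> FrozenSet[Tuple[str, str]]:
        """Materialise a subject's permissions so they can be pushed to an application."""
        groups = self.memberships.get(subject, set())
        return frozenset(p for p, allowed in self.grants.items() if groups & allowed)


class RuleDecisionPoint:
    """Just-in-time backend: rules evaluated against request-time context."""

    def __init__(self, rules: List[Callable[[AuthzRequest], bool]]) -> None:
        self.rules = rules

    def decide(self, req: AuthzRequest) -> bool:
        return any(rule(req) for rule in self.rules)


class AllOf:
    """Combine backends: every one must permit (e.g. group grant AND context rule)."""

    def __init__(self, *pdps: DecisionPoint) -> None:
        self.pdps = pdps

    def decide(self, req: AuthzRequest) -> bool:
        return all(pdp.decide(req) for pdp in self.pdps)


class PolicyEnforcementPoint:
    """The application-side call. A backend error is a deny (fail closed)."""

    def __init__(self, pdp: DecisionPoint) -> None:
        self.pdp = pdp

    def permitted(self, subject: str, action: str, resource: str, **context) -> bool:
        req = AuthzRequest(subject, action, resource, tuple(sorted(context.items())))
        try:
            return bool(self.pdp.decide(req))
        except Exception:
            return False


# Constructed sample data for a hypothetical institution (not from the minutes).
MEMBERSHIPS = {"alice": {"staff", "registrar:grade-editors"}, "bob": {"student"}}
GRANTS = {("view", "grades"): {"staff", "student"},
          ("edit", "grades"): {"registrar:grade-editors"}}


def edit_grades_rule(req: AuthzRequest) -> bool:
    """Hypothetical just-in-time rule: grade edits need MFA and business hours."""
    return (req.action == "edit" and req.resource == "grades"
            and req.ctx("mfa") is True and 8 <= req.ctx("hour", -1) < 18)


class BrokenDecisionPoint:
    """Stands in for an unreachable backend, to show the fail-closed path."""
    def decide(self, req: AuthzRequest) -> bool:
        raise ConnectionError("PDP unreachable")


GROUP_PDP = GroupDecisionPoint(MEMBERSHIPS, GRANTS)
SESSION_PEP = PolicyEnforcementPoint(GROUP_PDP)                       # group math only
JIT_PEP = PolicyEnforcementPoint(AllOf(GROUP_PDP, RuleDecisionPoint([edit_grades_rule])))
BROKEN_PEP = PolicyEnforcementPoint(BrokenDecisionPoint())

if __name__ == "__main__":
    print("alice edit grades (session):", SESSION_PEP.permitted("alice", "edit", "grades"))
    print("alice edit grades (jit, no MFA):", JIT_PEP.permitted("alice", "edit", "grades", mfa=False, hour=10))
    print("alice permissions to push:", sorted(GROUP_PDP.permissions_for("alice")))
    print("backend down:", BROKEN_PEP.permitted("alice", "view", "grades"))
```

The application code never changes between backends; only the object behind `PolicyEnforcementPoint` does, which is what lets XACML, Grouper, perMIT or a home-grown rule set sit "on the other side". `permissions_for` is the push model from the permissions-management bullet: the same grants, materialised per subject, can be cached by an application for the life of a session.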

Definition of the Term "Provisioning"

MichaelG clarified that the term "provisioning" in MACE-paccman refers to "provisioning" of authorizations (not in the broader sense of provisioning identities)

Software as a Service

Gathering use cases for SAAS access management solutions would be useful.

[AI] (TomD) will start a wiki page to gather use cases on software as a service issues and solutions.

https://spaces.internet2.edu/display/macepaccman/access+management+use+case+for+Software+as+a+Service+%28+SAAS%29

Internet2 Spring Member Meeting

Possible agenda items:

MichaelG to report briefly on status of perMIT code.
ChrisH to present some Grouper access management topics
Discussion of focus for paccman WG

Reference Diagram on Access Management

Would be great to have a reference diagram showing the evolution, spectrum of access management solutions.

Boyd was volunteered for this.

[AI] (Boyd) will create an access management reference diagram on the MACE-paccman wiki (showing from no authorization to embedded authorization to privileges to just-in-time authorization).

Review of MACE-paccman Charter at upcoming MACE call

[AI] (RL Bob) will schedule a joint MACE-paccman and MACE call for Monday, March 14, at 1:30 ET.

Next Call: Thurs. March 3, 1:00 ET