Minutes: MACE-paccman call 21-July-2011

Attending

Tom Dopirak, CMU (co-chair)
Keith Hazelton, U. Wisconsin (co-chair)
Tom Barton, U. Chicago
Benn Oshrin, Internet2
Jimmy Vuccolo, Penn State
Charlotte Willis, Penn State
Chris Hyzer, U. Penn
Steve Olshansky, Internet2
Emily Eisbruch, Internet2 (scribe)

=====

New Action Items

[AI] (TomD) will write up the CMU file sharing use case for the MACE-paccman use case library.

[AI] (Keith) will test the definitions from the recipe work on "Access Control Policy Management" against the paccman use cases and report back to the group.
https://spaces.internet2.edu/display/macepaccman/Privilege+and+Access+Management+Recipes--A+Discussion-starter+Draft

[AI] (Everyone) review and comment on the Grouper Limits UI movie from Chris Hyzer http://www.youtube.com/watch?v=06l381Myjxg

[AI] (TomD) will update the new glossary work with changes suggested on the call:
- For the Simple Glossary: remove the term "scope" and add the term "action"
- For the MACE Glossary: add the word "inheritance"
https://spaces.internet2.edu/display/macepaccman/Another+Glossary+Page

=====

Carry Over Action Items

[AI] (TomD) will integrate the Gartner use case classification into the MACE-paccman use cases. Note: this is in progress, and feedback is requested, especially on B9 and A12. See https://spaces.internet2.edu/display/macepaccman/Use+Case+Tabulation. For the Gartner classifications, see https://spaces.internet2.edu/display/macepaccman/Classification+of+Authorization+Use+Cases+addressed+by+XACML

[AI] (Keith) will investigate and report back to the paccman list on licensing policy terms for the Axiomatics Policy Server

[AI] (Keith and Charlotte) will preview the Axiomatics Policy Server.

=====

DISCUSSION

Grouper Allow/Deny Limits

TomD said that he and Rob have been going through the paccman use cases with Chris Hyzer's Grouper permission limits work in mind.

Chris reported that he intends to incorporate a time zone capability to the Grouper limits, as discussed on the paccman list.

Chris summarized the video he provided at http://www.youtube.com/watch?v=06l381Myjxg

• the use case is file permissions managed by a central permission management system
• there is a UI showing the file permissions on folders
• the video shows how you can change them in Grouper and see the change reflected in the UI
• a demo source folder was made in the Grouper UI
• it requires MySQL; the tables are added manually
• the Grouper team could put more use cases in the UI, to provide examples and sample code
• Grouper uses web services to assign and read permissions
• Grouper does NOT have web services to create the permission definition resource; right now you use the Grouper API or gsh
• hopefully in Grouper 2.1 there will be web services so you can write your own application to create the permission definitions

TomD has a use case on behalf of the OpenAFS group. They have runtime tools, but it would be good to have something at the GUI level.

TomD has another use case for a CMU animation class regarding the allocation of file / disk space. The limits could involve the time in the semester.

[AI] (TomD) will write up the CMU file sharing use case for the MACE-paccman use case library.

[AI] (Everyone) review and comment on the Grouper Limits UI movie from Chris Hyzer http://www.youtube.com/watch?v=06l381Myjxg

=====

Recipe Work on Policy

https://spaces.internet2.edu/display/macepaccman/Privilege+and+Access+Management+Recipes--A+Discussion-starter+Draft

• Keith is working on a generic statement to cover all the access control policies we have been defining in our use cases
• where any access control policy you choose could be rephrased for that statement and you can see how things map.
• This will help us understand the boundaries.
• Keith will test this against the paccman use cases.

Started with this statement:

Subject in Role Ro can perform Action A on Resource Rs within their Scope S, given the following {Limits/Conditions}

The group decided that the concept of scope was not needed, and that there was no need to include the synonym "conditions." The revised statement is:

Subject S in Role Ro can perform Action A on Resource Rs constrained by Limits L
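To show how the revised statement can be applied to a concrete use case, here is an added example (not part of the minutes or of Grouper): each policy is one instance of "Subject S in Role Ro can perform Action A on Resource Rs constrained by Limits L", with the CMU animation-class scratch space and a time-in-semester limit as constructed sample data. The paths, role names and term dates are assumptions; resource matching treats a policy on a folder as covering its subfolders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone, timedelta
from typing import Callable

# A limit is a predicate over the request context (here: when the request is made).
Limit = Callable[[dict], bool]


@dataclass
class Policy:
    # One instance of the recipe statement:
    # Subject S in Role Ro can perform Action A on Resource Rs constrained by Limits L
    role: str
    action: str
    resource: str                       # a folder path; the policy also covers its subfolders
    limits: list = field(default_factory=list)


def between(start: datetime, end: datetime) -> Limit:
    """Limit: the request time must fall in [start, end]; both are timezone-aware."""
    return lambda ctx: start <= ctx["when"] <= end


def covers(policy_resource: str, requested: str) -> bool:
    """Folder-style resource inheritance: a policy on /a covers /a/b but not /ab."""
    return requested == policy_resource or requested.startswith(policy_resource.rstrip("/") + "/")


def decide(policies: list, subject_roles: set, action: str, resource: str, ctx: dict) -> bool:
    """Permit iff some policy matches role, action and resource and every one of its limits holds."""
    for p in policies:
        if p.role in subject_roles and p.action == action and covers(p.resource, resource):
            if all(limit(ctx) for limit in p.limits):
                return True
    return False            # default deny: no matching policy, or a limit failed


# Constructed sample data: scratch space is writable only during the fall term.
EASTERN = timezone(timedelta(hours=-4))      # assumption: a fixed offset stands in for a real time zone
FALL_TERM = between(datetime(2011, 8, 29, tzinfo=EASTERN),
                    datetime(2011, 12, 16, 23, 59, tzinfo=EASTERN))
POLICIES = [
    Policy(role="animation-student", action="write", resource="/class/animation/scratch", limits=[FALL_TERM]),
    Policy(role="animation-student", action="read", resource="/class/animation"),
]
ROLES = {"alice": {"animation-student"}, "bob": {"chemistry-student"}}   # subject -> roles held


def can(subject: str, action: str, resource: str, when: datetime) -> bool:
    return decide(POLICIES, ROLES.get(subject, set()), action, resource, {"when": when})
```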

TomD commented that there is much overlap with XACML here.

[AI] (Keith) will test the definitions from the recipe work on "Access Control Policy Management" against the paccman use cases and report back to the group.
https://spaces.internet2.edu/display/macepaccman/Privilege+and+Access+Management+Recipes--A+Discussion-starter+Draft

Q: Is there a concept of policy security to control the attributes that the policy writer can see or use?
A: More relevant is the security around what the decision point is allowed to know.

• Chris suggested a recipe section on policy management versus privilege management, or run-time limits versus non-run-time limits.
• Policy management is optimized for "can this subject do this thing?"; it is not optimized for "give me all the privileges this subject has had over the last month."
• This recipe would benefit from guiding readers on which approach to use in which types of situations.
• Run-time versus pre-computed is an optimization question that should be addressed in the recipe.

=====

Glossary Work

One of the items that emerged from the May 2011 Advance CAMP was the idea of a small set of terms, "permissions for peasants".

TomD has been working on this at
https://spaces.internet2.edu/display/macepaccman/Another+Glossary+Page

The simple glossary started with these 7 terms:

• subject
• group
• role
• resource
• privilege / permission
• scope
• limit

TomD explained that he used "scope" instead of "inheritance" because inheritance can be ambiguous.

Chris noted that inheritance refers to permissions or privileges, and that it can be inheritance on roles, actions or resources.

Chris said scope can be a synonym for resource.

The group suggested these changes:

- For the Simple Glossary: remove the term "scope" and add the term "action"
- For the MACE Glossary: add the word "inheritance"
https://spaces.internet2.edu/display/macepaccman/Another+Glossary+Page

Note: Heather and TomD are working on the MACE glossary, with the aim to create a glossary that works across Internet2 Middleware projects.

=====

Next MACE-paccman call: Thursday, August 4, 1pm ET