MACE-paccman call 26-Aug-2010
*Attending*
Tom Dopirak, CMU (co-chair)
Keith Hazelton, U. Wisconsin (co-chair)
Paul Hill, MIT
Tom Barton, U. Chicago
Tom Zeller, U. Memphis
Chris Hyzer, U. Penn
Dan Seibert, UCSD
Benn Oshrin, Internet2
Ann West, Internet2
Renee Frost, Internet2
Steve Olshansky, Internet2
Emily Eisbruch, Internet2 (scribe)
New Action Items
[AI] (Keith) will create a business process model for selected MACE-paccman use cases.
[AI] (Keith) will send the Oracle documentation URL to the MACE-paccman list. (Done)
[AI] (TomD) will contact appropriate individuals regarding perMIT source code.
[AI] (TomD) will rewrite his suggestion concerning categorization of use cases based on audit issues versus compliance requirements.
Carry Over Action Items
[AI] (TomB) will introduce Rob and Rachana regarding sharing of caBIG use cases with MACE-paccman.
[AI] (Everyone) will give Rob feedback on his start on the “Use Case Tabulation” on the wiki:
https://spaces.internet2.edu/display/macepaccman/Use+Case+Tabulation
[AI] (Rob) will finish attaching numbers/identifiers to MACE-paccman use cases in preparation for promoting them (or pointers to them) from the wiki to the website.
[AI] (Keith, Rob, Paul, and Albert) will move forward on mapping access management use cases to XACML.
DISCUSSION
*Use Cases*
https://spaces.internet2.edu/display/macepaccman/Use+Case+Tabulation.
TomD suggests it would be valuable to differentiate between cases that emerge from audit requirements versus cases that emerge from compliance requirements.
[AI] (TomD) will rewrite his suggestion concerning categorization of use cases based on audit issues versus compliance requirements.
*XACML Representation of paccman Use Cases*
Keith mentioned the HERAS (Holistic Enterprise-Ready Application Security) open source XACML 2 engine from Germany:
http://www.herasaf.org/
Keith has not yet installed and tested it, but it looks like a useful tool.
*Workflow, BPM, and Access Management*
Keith raised questions about the boundary between business process models and rules / policy. Some policy rules are buried as branches in a workflow process, but some questions, such as "is this purchase over 5K?", could instead be sent to a policy engine for evaluation.
Keith noted that the term "Business Process Management" is replacing the term "workflow" in some cases. There is some grey area between things to handle literally in BPEL or BPM and things to express in a policy language.
It was recalled that on the 4-Feb-2010 MACE-paccman call, TomB stated his opinion that with a good permission or privilege management system, even workflows become actions within the privilege management system; however, people still want a workflow solution.
Chris stated that there are two distinct kinds of workflow:
#1. access management where humans approve things and #2. business process orchestration where everything is automated.
Both are workflow, but #2 won't replace #1.
It was noted that Oracle claims they can handle a mix of automated and human workflow steps (including supervisor sign-off) in their workflow system.
TomD said that workflow can be seen as an inherent part of access management, but there may be post access management steps in the workflow.
Chris stated that it is helpful when an access management system has the option to assign privileges or groups based on workflow. At many Internet2 member meetings, people ask if Grouper has workflow. It is not a requirement for access management systems, but it IS a useful feature.
Keith raised these questions:
1. Should we change our terminology from workflow to Business Process Management ?
2. Instead of merely access control, maybe we are talking about policy and rules that could come into play in other areas in addition to access control?
TomD: Are we going back to classic XACML terminology where we talk about the function pieces / components (administration points, access points etc.)?
Keith volunteered to sketch a business-process-notation version of the paccman use cases, splitting out the BPM part and the policy part and modeling each in more technical components. Keith will apply the business process notation to a couple of these cases and see whether the policy factors out.
[AI] (Keith) will create a business process model for selected MACE-paccman use cases.
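The split discussed above, a workflow that branches on data it owns versus a workflow that hands "is this purchase over 5K?" to a policy engine, as an added illustration that is not code from the MACE-paccman group, Grouper, perMIT or any product named on this call: a toy purchase-approval process in Python, first with the threshold buried in the workflow branch, then with a policy enforcement point (PEP) that builds an XACML-style request (subject, resource, action, environment attributes) and asks a small policy decision point (PDP) that applies deny-overrides combining. The role names, the 5K threshold, the attribute names and the rule identifiers are all assumptions made for the example.

```python
"""Toy purchase-approval workflow: policy embedded in the process versus
policy factored out into an XACML-style PDP.  Added illustration; every
name, attribute and threshold below is made up for the example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


# --- Version 1: the rule lives inside the workflow's control flow -------
def approve_purchase_embedded(amount: float, requester_role: str) -> str:
    """Changing the 5K threshold or adding a second rule means editing
    the process definition itself; the policy is not visible anywhere
    else, which is the maintenance and audit problem discussed above."""
    if amount > 5000:
        return "route_to_supervisor"
    if requester_role == "purchasing_agent":
        return "auto_approve"
    return "route_to_supervisor"


# --- Version 2: the workflow asks a PDP through a PEP ---------------------
@dataclass
class Request:
    """XACML-style request context: attribute bags per category."""
    subject: Dict[str, object]
    resource: Dict[str, object]
    action: str
    environment: Dict[str, object] = field(default_factory=dict)


@dataclass
class Rule:
    rule_id: str
    effect: str                         # "Permit" or "Deny"
    condition: Callable[[Request], bool]


# Policy expressed as data rather than branches.  A missing attribute
# raises KeyError, which the PDP reports as Indeterminate (as XACML does
# for an attribute the condition needs but the request does not carry).
PURCHASE_POLICY: List[Rule] = [
    Rule("deny-auto-approve-over-5k", "Deny",
         lambda r: r.action == "auto-approve" and r.resource["amount"] > 5000),
    Rule("permit-purchasing-agent", "Permit",
         lambda r: r.action == "auto-approve"
         and r.subject["role"] == "purchasing_agent"),
]


def pdp_decide(request: Request, policy: List[Rule] = PURCHASE_POLICY) -> str:
    """Deny-overrides combining: any Deny wins, then Indeterminate,
    then Permit, otherwise NotApplicable."""
    saw_permit = saw_indeterminate = False
    for rule in policy:
        try:
            applicable = rule.condition(request)
        except (KeyError, TypeError):
            saw_indeterminate = True
            continue
        if applicable and rule.effect == "Deny":
            return "Deny"
        if applicable and rule.effect == "Permit":
            saw_permit = True
    if saw_indeterminate:
        return "Indeterminate"
    return "Permit" if saw_permit else "NotApplicable"


def approve_purchase_with_pdp(amount: float, requester_role: str) -> str:
    """The workflow keeps only orchestration; this PEP call is the single
    place where policy enters, and anything other than Permit falls to
    the human approval step (fail closed)."""
    req = Request(subject={"role": requester_role},
                  resource={"type": "purchase_order", "amount": amount},
                  action="auto-approve")
    if pdp_decide(req) == "Permit":
        return "auto_approve"
    return "route_to_supervisor"


if __name__ == "__main__":
    for amount, role in [(4000, "purchasing_agent"), (6000, "purchasing_agent"),
                         (4000, "student")]:
        print(amount, role,
              approve_purchase_embedded(amount, role),
              approve_purchase_with_pdp(amount, role))
```

Both versions give the same answers for the constructed cases; the difference is where the 5K rule and the role rule live. In the second version the threshold can be changed, audited or counted (relevant to per-policy-point licensing) without touching the process, and a request that lacks an attribute the policy needs is reported as Indeterminate and lands at the supervisor rather than being silently approved.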
*Oracle Issues*
Keith provided these references to Oracle information:
(OES): http://www.oracle.com/technetwork/middleware/oes/overview/index.html
- Note: This is still 10g and the documentation page is blank
Oracle Fusion Middleware generally: http://www.oracle.com/us/products/middleware/index.html
Oracle Identity Management 11g: http://www.oracle.com/us/products/middleware/identity-management/identity-management-11g-151984.html
- also: http://event.on24.com/event/15/02/99/rt/products-identity-management.html?eventid=150299&sessionid=1&partnerref=idm17&key=409AAB2E4D0C341FD02DC012B04173EB&param2=products-identity-management.html&eventuserid=26341653
TomD noted that recent discussions with Oracle have indicated that licensing is based on policy points. This could provide an incentive to centralize rather than delegate policy definition.
*Updates from Other Projects*
The Grouper team is working on:
- integration with uPortal
- a rules engine for Grouper
- SPML messaging from Grouper (TomZ is communicating with UNC on SPML issues)
MIT perMIT –
[AI] (TomD) will contact appropriate individuals regarding perMIT source code.
Kantara –
SAML 2 conformance testing is planned for Sept 20 – Nov 5
An open source offering will be part of the conformance testing. Scott Cantor has been influential in that.
Next call: Thursday, Sept. 2 at 1 pm ET