MACE-paccman call 27-Feb-09
**Attending**
Tom Dopirak, CMU (chair)
Tom Barton, U. Chicago
Rob Carter, Duke
Klara Jelinkova, Duke
Chris Hyzer, Penn
Steven Carmody, Brown
Nancy Munn, Rutgers
Ben Oshrin, Rutgers
Scott Battaglia, Rutgers
Michael Gettes, MIT
Paul Hill, MIT
Jim Repa, MIT
Warren Leung, UCLA
Renee Frost, Internet2
Steve Olshansky, Internet2
Action Items
**New Action Items**
[AI] (StevenC) will confirm that the XACML diagram is the same one that Albert posted in the wiki.
[AI] (Michael) will send out a list of relevant terminology, including what was used for Signet.
[AI] (Tom and SteveO) will post the CMU terminology in the wiki, and then compare with Michael's list.
[AI] (TomD) will talk to RLBob about getting a representative from the Windows constituency.
**Carryover Action Items**
[AI] (Bob) will talk about MACE-paccman with his Kuali contact.
[AI] (Klara and Rob) will develop and make available a summary of the privilege management survey (part 2) results. (SteveO) will work with them to enable working group access to the survey data.
Why are you on this Call?
MichaelG (on behalf of the MIT participants): MIT has an authority/authorization system that has been in use for 11 years. They are translating it to open source technologies to make it community available. There is interest in understanding the community view and how the MIT system can be useful in that space.
Rob: My interest was originally piqued when I got engaged with a Privilege Management Survey last year. Interested in seeing where we can go with privilege and access management.
Ben (on behalf of the Rutgers participants): The Rutgers group is developing an Identity Registry Initiative called Open Registry. It takes data from the system of record, munges it, and pushes it out to LDAP or elsewhere. The goal is to use open source standards. There is interest in access management and how data will be consumed downstream.
Chris: Penn needs centralized privilege management. They currently have a non-centralized system.
TomD: As a senior consulting architect at CMU, I am working on a multi-year IdM program. Trying to get engineering and policy folks involved. Driving this effort are the enterprise applications, such as payroll.
StevenC: Same reasons as others, with particular interest in two areas: 1) In the instructional space, Brown has about 20 different systems to support instructors. Sometimes instructors want to delegate management of those services to teaching assistants or others, and it’s important to track what permissions have been granted. 2) Departments have many small business systems (parking, residential life), that are managing permissions. It makes sense to leverage MACE-Grouper in some fashion.
TomB: At U. of Chicago there are many access management needs. Due to the economic downturn, there has been some drop in funds from patient care, and increased sensitivity to who can access what. Wearing other hats, there is interest from the MACE program and also as manager of the Grouper project. Want to explore things we can put on the Grouper platform to help solve some of the issues discussed in this forum.
TomD mentioned the hope to eventually develop access management case studies.
List of Phases of Access Management
Bob sent to the list information on phases of access management.
TomB: We need to think about policy and rules. Rules were never implemented in Signet. XACML and Ponder both placed focus on policy.
The Spocp work could be an interesting way of thinking about how a privilege management system should function.
http://www8.umu.se/it/projupp/spocp/
Terminology
Michael reiterated his concern about clarifying terminology.
[AI] (Michael) will send out a list of relevant terminology, including what was used for Signet.
TomD had posted the CMU Identity Glossary (in PDF format) to the wiki.
https://spaces.internet2.edu/display/macepaccman/Home
[AI] (Tom and SteveO) will post the CMU terminology in the wiki, and then compare with Michael's list.
The group agreed it's OK to adjust definitions as we move forward.
Privilege Management Survey
Klara and Rob reported that they are still working on summarizing the last phase of the privilege management survey and merging the results. They are working towards having one final document that covers all three phases of the survey. Rob hopes to have something posted between now and the next call.
Auditors and Access Management Info Requirements
TomD has set a meeting to talk about access management with CMU auditors.
Klara said she talked to the auditors at Duke. They would be willing to join the call and have us ask questions.
TomD: Are auditors a really important client for our work?
Steven: Auditors can’t be forgotten as constituents, but don’t give them particular authority.
TomB: The Stanford group said auditors' needs were an influential driver in their system.
Representatives from Other Constituencies
We have a lot of the central IT and architecture point of view on this call. Application folks think about the issues differently.
What about Microsoft users?
Klara noted that U. Washington has brought Microsoft constituencies into the central IdM portfolio.
[AI] (TomD) will talk to RLBob about getting a representative from the Windows constituency.
TomB: An application to keep in mind is AzMan (Microsoft’s Authorization manager).
Ben has a strong connection to the JA-SIG community. May be able to talk with people at the conference next week.
Grouper News
TomB reported that in Grouper v 1.5 there will be a redesigned attribute infrastructure.
It will be possible to assign attributes to memberships and naming stems as well as to groups, not just to groups as today. This may have utility for access management.
Next Call: Friday, 13-Mar-09 at 11am ET