Minutes: MACE-paccman call of 27-Oct-2011
=====
Attending
Tom Dopirak , CMU (co-chair)
Keith Hazelton, U. Wisconsin (co-chair)
R.L. Bob Morgan, University of Washington
Bill Thompson, Unicon
Rob Carter, Duke
Mark Scheible, MCNC
Chris Hyzer, U. Penn
Steve Olshansky, Internet2
=====
**New Action Items**
[AI] (Keith and Rob) will investigate the access management and provisioning work under way in OSIdM4HE and report back
[AI] (Rob) will look into cross-linking of the wiki content between the paccman and OSIdM4HE subgroups
[AI] (TomD) will contact Michael Pelikan re: use cases
[AI] (RL "Bob") will share links to public docs on GoogleApps provisioning
[AI] (TomD) will enhance the outline for the recipe in the wiki
=====
**Carry Over Action Items**
[AI] (Keith) will add to the agenda for a future paccman call:
- Gartner use case classification review
- SCIM work (update from ChrisP and TomZ)
[AI] (Keith) will test the definitions from the recipe work on "Access Control Policy Management" against the paccman use cases and report back to the group.
https://spaces.internet2.edu/display/macepaccman/Privilege+and+Access+Management+Recipes--A+Discussion-starter+Draft
[AI] (Keith) will investigate and report back to the paccman list on licensing policy terms for the Axiomatics Policy Server
[AI] (Keith and Charlotte) will preview the Axiomatics Policy Server.
=====
DISCUSSION
**Alignment Between MACE-paccman and the OSIdM4HE Effort**
https://spaces.internet2.edu/display/OSIdM4HE/OSIdM4HE+Initiative
The OSIdM4HE Initiative has subgroups looking at provisioning and at access management.
- Info is found on these wikis:
https://spaces.internet2.edu/display/OSIdM4HEteam/Provisioning+Team
https://spaces.internet2.edu/display/OSIdM4HEteam/Access+Management+Team
- It would be beneficial to promote alignment between these OSIdM4HE teams and the work of the MACE-paccman WG.
- Should the two be merged?
- What are the distinctions between the work of MACE-paccman versus the work of the OSIdM4HE Initiative provisioning and access management subgroups?
- ChrisH: the paccman group's recipe will show examples and use cases, and the OSIdM4HE group is eventually looking at developing a tool to fill gaps in the open source suite
- provisioning is more of an emerging market than the access control part
- Keith: possibly the OSIdM4HE provisioning team needs some conceptual foundations, that the paccman group could provide?
- What % of the paccman recipe focuses on provisioning?
- About one quarter, and the rest has a focus on access management
- Q: is Grouper expanding more into looking at provisioning?
- A: the LDAPPC-NG work, being done by TomZ, has a provisioning focus.
RL Bob commented:
- We are all touching on different parts of the same element
- OSIdM4HE trying to figure out what needs to be done to create a complete open source solution
[AI] (Keith and Rob) will investigate the access management and provisioning work under way in OSIdM4HE and report back
[AI] (Rob) will look into cross-linking of the wiki content between the paccman and OSIdM4HE subgroups
=====
**Access Management Recipe**
https://spaces.internet2.edu/display/macepaccman/Privilege+and+Access+Management+Recipes--A+Discussion-starter+Draft
- TomD noted that some of the info from the IAM Online titled "Get Schooled on the new Grouper 2.0" could be useful to add to the recipe.
http://www.incommon.org/docs/iamonline/20110713_IAM_Online.pdf
- Keith said the SCIM work is becoming more relevant and perhaps should be included in the recipe to some extent.
http://code.google.com/p/scim/
- TomD: the topic of how to get attributes is highly relevant
- Can get attributes from
- a directory
- a SAML assertion
- an attribute authority, such as a VO-maintained attribute repository.
- The Shib SP allows pulling in extra attributes (in addition to the SAML assertions from the IdP) using a mapped identifier.
- TomD: It's important to also look at what application-level frameworks exist for managing access; at CMU we think in terms of standard java
- Dependencies within the application can be based on group memberships or affiliations
- ChrisH: Grouper has a client for handling attributes; it is a library that can be used, not exactly one standard.
- There is the distinction between fine-grained versus coarse-grained security
- Access decisions are made based on info that is supplied by the IdP or the other attribute authorities to the policy decision point
- Sometimes run-time info is needed (such as limit info) and an IdP would not have that
- What about Java Authentication and Authorization Service (JAAS)?
- Chris: the JAAS interface is not conducive to off-loading security to an external source.
- JAAS is not conducive to centralized authorization.
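Added example for the recipe discussion above (not from the minutes, the recipe draft, or any Grouper/Shibboleth code): it aggregates attributes from the three sources listed (the SAML assertion, a directory looked up by the mapped identifier, and a VO-maintained attribute authority), then a small policy decision point makes a coarse-grained decision from affiliation and a fine-grained one from group membership plus run-time data (an approval limit) that no IdP would carry in an assertion. All identifiers, group names, attribute names and sample records are constructed for illustration.

```python
"""Attribute aggregation plus a coarse-/fine-grained PDP.

Added illustration; the sample assertion, directory and VO attribute
authority records below are constructed, not real data.
"""
from dataclasses import dataclass
from typing import Dict, Mapping, Set

Attributes = Dict[str, Set[str]]

# Attributes released in the IdP's SAML assertion for one login (constructed).
SAML_ASSERTION: Attributes = {
    "eduPersonPrincipalName": {"alice@example.edu"},
    "eduPersonAffiliation": {"member", "staff"},
}

# Campus directory, keyed by the mapped identifier the SP resolved (constructed).
DIRECTORY: Mapping[str, Attributes] = {
    "alice@example.edu": {
        "isMemberOf": {"cn=purchasing:approvers,ou=groups,dc=example,dc=edu"},
        "mail": {"alice@example.edu"},
    }
}

# VO-maintained attribute authority, keyed by the same identifier (constructed).
VO_ATTRIBUTE_AUTHORITY: Mapping[str, Attributes] = {
    "alice@example.edu": {
        "isMemberOf": {"cn=ligo:docdb:editors,ou=groups,dc=ligo,dc=org"},
    }
}

APPROVER_GROUP = "cn=purchasing:approvers,ou=groups,dc=example,dc=edu"


def aggregate_attributes(saml_attrs: Attributes,
                         directory: Mapping[str, Attributes],
                         vo_aa: Mapping[str, Attributes],
                         id_attr: str = "eduPersonPrincipalName") -> Attributes:
    """Merge attributes from the assertion, the directory and the VO AA.

    The identifier asserted by the IdP is the only trusted lookup key; the
    other two sources are consulted with it. Multi-valued attributes are
    unioned so a group from the directory and a group from the VO AA both
    survive instead of one source silently overwriting the other.
    """
    ids = saml_attrs.get(id_attr, set())
    if len(ids) != 1:
        raise ValueError("expected exactly one %s in the assertion" % id_attr)
    key = next(iter(ids))
    merged: Attributes = {name: set(values) for name, values in saml_attrs.items()}
    for source in (directory, vo_aa):
        for name, values in source.get(key, {}).items():
            merged.setdefault(name, set()).update(values)
    return merged


@dataclass(frozen=True)
class Decision:
    permit: bool
    reason: str


def decide(attrs: Attributes, action: str, runtime: Mapping[str, int]) -> Decision:
    """Policy decision point.

    'read' is coarse-grained: a staff or faculty affiliation from the IdP is enough.
    'approve' is fine-grained: it needs the approver group AND run-time data
    (request amount vs. the approver's limit from the application's own store),
    which the IdP cannot supply. Missing run-time data denies by default.
    """
    affiliations = attrs.get("eduPersonAffiliation", set())
    groups = attrs.get("isMemberOf", set())
    if action == "read":
        if affiliations & {"staff", "faculty"}:
            return Decision(True, "coarse-grained: staff/faculty affiliation")
        return Decision(False, "no qualifying affiliation")
    if action == "approve":
        if APPROVER_GROUP not in groups:
            return Decision(False, "not in approver group")
        amount = runtime.get("amount")
        limit = runtime.get("approval_limit")
        if amount is None or limit is None:
            return Decision(False, "run-time data missing; deny by default")
        if amount <= limit:
            return Decision(True, "fine-grained: approver within limit %d" % limit)
        return Decision(False, "amount %d exceeds approver limit %d" % (amount, limit))
    return Decision(False, "unknown action %r" % action)


if __name__ == "__main__":
    attrs = aggregate_attributes(SAML_ASSERTION, DIRECTORY, VO_ATTRIBUTE_AUTHORITY)
    print(decide(attrs, "read", {}))
    print(decide(attrs, "approve", {"amount": 500, "approval_limit": 1000}))
    print(decide(attrs, "approve", {"amount": 5000, "approval_limit": 1000}))
```

The point of the split is the one raised in the discussion: the coarse-grained check can be answered entirely from what the IdP asserts, while the fine-grained check depends on both an aggregated group membership and a value only the application knows at run time, so the PDP has to sit where it can see both.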
=====
**Outline for the Recipe Moving Forward**
https://spaces.internet2.edu/display/macepaccman/Privilege+and+Access+Management+Recipes--A+Discussion-starter+Draft
TomD noted that, based on discussions, these items should most likely be added to the recipe outline:
- a foreword or introduction
- a section on where to start
- some info from the OSIdM4HE Initiative?
- provisioning info
- better integration of the info from Chris Phillips?
- section on how to obtain attributes
- section showing examples using Grouper to handle access management
[AI] (TomD) will enhance the outline for the recipe in the wiki
=====
**Use Case Library**
https://spaces.internet2.edu/display/macepaccman/Use+Cases
Thank you to Heather who added the LIGO Document Management use case to the wiki at
https://spaces.internet2.edu/display/macepaccman/LIGO+Document+Management
TomD will check with MichaelP regarding his AI of adding PSU use cases to the wiki
[AI] (TomD) will contact Michael Pelikan re: use cases
It was suggested to add a use case on integration with Google Apps
[AI] (RL "Bob") will share links to public docs on GoogleApps provisioning
It was noted that the NC State use case involves integration with PeopleSoft:
https://spaces.internet2.edu/display/macepaccman/NCSU+Use+Cases
Q: It would be useful to have a use case around integration with Workday. Many campuses are using Workday.
A: Yes, we invite anyone who has a use case to please add this to the paccman use case library.
[AI] (Keith) will add a placeholder for a Workday use case.
Q: Is anyone trying to provision PeopleSoft or EBS out of Grouper?
A: U-Wisc. Madison may be doing this in the next year or so.
=====
Next MACE-paccman call: Thursday, 10-Nov-2011, 1pm ET