MACE-paccman Call 28-April-2011
Attending
Keith Hazelton, U. Wisconsin (co-chair)
Tom Dopirak, CMU (co-chair)
Billy Cook, Clemson
Rob Carter, Duke
Mark Scheible, NC State
Benn Oshrin, Internet2
Chris Phillips, CANARIE
Steve Olshansky, Internet2
Emily Eisbruch, Internet2 (scribe)
===========
New Action Items
[AI] (Rob) will add his "access to student info" use case to the MACE-paccman use case library (or be sure that there is a similar use case already there)
https://spaces.internet2.edu/display/macepaccman/Use+Cases
[AI] (ChrisP) will add the concept of rule evaluation to the MACE-paccman recipe
https://spaces.internet2.edu/display/macepaccman/Privilege+and+Access+Management+Recipes--A+Discussion-starter+Draft
[AI] (SteveO and TomD) will track the cloud computing initiative within Internet2 and keep the MACE-paccman list informed.
[AI] (Keith) will check with RL "Bob" about issues around the cloud IdM docs and about discussions at IIW of SCIM (Simple Cloud IdM) work
https://sites.google.com/site/clouddir/home
===========
Carry Over Action Items
[AI] (Keith) will investigate and report back to the paccman list on licensing policy terms for the Axiomatics Policy Server
[AI] (Keith and Charlotte) will preview the Axiomatics Policy Server.
The following action items apply to the Priv. and Access Management Recipes on the wiki:
https://spaces.internet2.edu/display/macepaccman/Privilege+and+Access+Management+Recipes--A+Discussion-starter+Draft
[AI] (Keith) will work on this section on privileges:
• Are the definitions in the glossary good enough, or are there others that are more widely accepted?
• MACE documents (Grouper) vs. other standards groups
[AI] (Keith) will work on this section on policy:
• policy, a generic model
• P*P architectures: proposed models,
• Application policy, enterprise policy, VO policy
• case studies - bamboo
[AI] (TomD) will work on this section on namespace issues:
• What is the namespace (URIs vs. URNs) and what are the object characteristics for privileges?
• What are the special problems in namespace choice? (DONE)
[AI] (ChrisH) will work on the section on choosing the approach (groups and roles versus privileges)
• Using groups and roles vs privileges, how to choose, simple access management, centralized vs distributed. Note: you can mix and match between these strategies in one application
[AI] (ChrisH) will work on the section on group, role and role hierarchies
• group, role and role hierarchies, draft proposal for MACE-wide model and definition
Agenda Items for next call:
-TomD will report on his discussion with Heather about joining the MACE-paccman and COmanage glossaries.
--- https://spaces.internet2.edu/display/macepaccman/MACE-paccman-glossary
--- https://spaces.internet2.edu/display/COmanage/Glossary
- ChrisH will lead a discussion about inheritance as it relates to allow/deny
===========
DISCUSSION
Axiomatics Policy Server
Keith heard from Charlotte at PSU that they have installed the Axiomatics policy server and will start testing it soon.
ChrisP asked about the history of this exploration of the Axiomatics policy server. Keith stated:
• Axiomatics was determined to be worth investigating as an educational tool.
• It has a GUI policy server where one can set up the P*P elements in the policy server and can simulate a run
• Interesting to see the GUI version and then to drill down and review the XACML created
Cloud Directory and Simple Cloud Identity Management (SCIM)
ChrisP mentioned that a Simple Cloud IdM (SCIM) initiative has been mentioned on various lists during the past two weeks.
It seems to be about synchronizing identity data, though there could potentially be a lack of attention to privacy elements and authorization style elements.
This effort might be discussed at the Internet Identity Workshop (IIW) coming up May 3-5 in Mountain View, CA.
[AI] (Keith) will check with RL "Bob" about issues around the cloud IdM docs and about discussions at IIW of SCIM (Simple Cloud IdM) work
https://sites.google.com/site/clouddir/home
===========
Cloud Initiative at Internet2
• TomD mentioned that there is an Internet2 cloud effort going on a CIO level, looking into purchasing cloud services as a consortium.
• This CIO-led cloud effort was discussed at an ITANA call in April 2010. https://spaces.internet2.edu/display/itana/Conference+Call+Minutes%2C+2010-04-29
• Keith noted that there might be a role for MACE-paccman to look at integrating IAM into cloud computing
• ChrisP commented that possibly cloud computing does not represent a special/unique case for IAM, perhaps it is a classic case.
• Operating in the cloud could force organizations to be clearer about their interfaces with regard to access management
• TomD discussed some concerns with commercial applications running in the cloud environment. Generally roles must be set within the application. There can be hundreds of distinct privileges you must combine together to create roles. See TomD's SMM slides: http://www.internet2.edu/presentations/spring11/20110419-dopirak-authz2.pdf
[AI] (SteveO and TomD) will track the cloud computing initiative within Internet2 and keep the MACE-paccman list informed.
===========
Access Management Recipe Work
https://spaces.internet2.edu/display/macepaccman/Privilege+and+Access+Management+Recipes--A+Discussion-starter+Draft
• The Recipe work was discussed at the MACE-paccman Working Group at 2011 SMM: http://middleware.internet2.edu/paccman/minutes/MACE-paccman-18-April-2011.html
• Keith noted in the recipe, a top level bullet on "Delegation" has been added
===========
Conditions/Scoping in Access Management
• TomD raised the question of handling privileges that should extend beyond a namespace.
• For example, would the ability to look at SSN be a privilege that resides in an application's namespace domain? Or would it expand beyond one namespace?
• Rob raised the similar question of FERPA protected info.
• What if Sue is authorized to view FERPA protected info and we want to grant Sue that authority across applications?
• It is challenging to do this.
• Can add Sue to a group and try to arrange so the UIs used for various applications do callouts to check for membership with that group
• But there's no policy mandating that that group be checked when determining access to FERPA-restricted info.
• It is just a handshake that everyone will check for the group.
• Could there be a generic all-application intermediate namespace?
• The need could arise more and more because of highly integrated applications.
• Rob mentioned that multiple LMS systems are being used on his campus
• This is forcing thinking about roles in a way that is not application specific
• Another important issue is the complex constraints on permissions
• e.g., a help desk person can have access to student accounts while students are in a particular summer program only.
• Some products do an authorization check and return "TRUE" depending on the evaluation of such an expression
• It's a tradeoff between a real time and a static evaluation
• Some scoping/conditions are determined by the campus, some are environmental and real-time in nature, some are best left to the application itself
• ChrisP recalled that the Signet project devoted much attention to scoping issues.
• SPOCP has a method for handling boundary conditions: http://www.spocp.org/docs/spocpdoc/bcond.html#The+General+Boundary+Condition+Format
• Rob will ensure that scoping issues are accurately represented in the paccman use case library
[AI] (Rob) will add his "access to student info" use case to the MACE-paccman use case library (or be sure that there is a similar use case already there)
https://spaces.internet2.edu/display/macepaccman/Use+Cases
Rule evaluation to handle scoping should be represented in the MACE-paccman recipe work.
[AI] (ChrisP) will add the concept of rule evaluation to the MACE-paccman recipe
https://spaces.internet2.edu/display/macepaccman/Privilege+and+Access+Management+Recipes--A+Discussion-starter+Draft
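The scoping discussion above (a help desk privilege that applies only while a student is in a summer program, Sue's FERPA authority checked across applications via a group callout, and the real-time vs. static evaluation tradeoff) sketched as a small rule-evaluating policy store. This is an added example written for these minutes, not code from Signet, SPOCP, Axiomatics or any other product mentioned; the subject names, the "ferpa-viewers" group, the program dates and the PolicyStore API are made up for illustration.

```python
"""Scoped privileges with rule evaluation: real-time vs. static (snapshot) decisions.

All names, groups, dates and the PolicyStore API below are hypothetical,
constructed for this example only.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, Dict, List, Optional, Set, Tuple

Context = Dict[str, object]
Condition = Callable[[Context], bool]


@dataclass(frozen=True)
class Privilege:
    """A privilege, optionally scoped by a condition evaluated against the request context."""
    subject: str
    action: str
    resource_type: str
    condition: Optional[Condition] = None  # None means the privilege is unscoped


@dataclass
class PolicyStore:
    """Campus-level store: plain groups (the cross-app 'handshake') plus scoped privileges."""
    groups: Dict[str, Set[str]] = field(default_factory=dict)
    privileges: List[Privilege] = field(default_factory=list)

    def in_group(self, subject: str, group: str) -> bool:
        return subject in self.groups.get(group, set())

    def evaluate(self, subject: str, action: str, resource_type: str, ctx: Context) -> bool:
        """Real-time evaluation: each matching privilege's condition sees the live context."""
        for p in self.privileges:
            if (p.subject, p.action, p.resource_type) != (subject, action, resource_type):
                continue
            if p.condition is None or p.condition(ctx):
                return True
        return False  # default deny

    def snapshot(self, subject: str, ctx: Context) -> Set[Tuple[str, str]]:
        """Static evaluation: expand the subject's privileges into a fixed entitlement
        list as of ctx. Conditions are evaluated once; later changes are not noticed."""
        return {(p.action, p.resource_type) for p in self.privileges
                if p.subject == subject and (p.condition is None or p.condition(ctx))}


# Constructed sample data: one summer program with one enrolled student.
SUMMER_PROGRAM = {
    "start": date(2011, 6, 1),
    "end": date(2011, 8, 15),
    "students": {"student42"},
}


def during_summer_program(ctx: Context) -> bool:
    """Environmental + campus-determined scope: only while the program runs,
    and only for students actually enrolled in it."""
    today = ctx["today"]
    return (SUMMER_PROGRAM["start"] <= today <= SUMMER_PROGRAM["end"]
            and ctx["target_student"] in SUMMER_PROGRAM["students"])


def build_store() -> PolicyStore:
    store = PolicyStore()
    store.groups["ferpa-viewers"] = {"sue"}
    store.privileges.append(
        Privilege("helpdesk1", "view", "student-account", condition=during_summer_program))
    store.privileges.append(Privilege("sue", "view", "ferpa-record"))  # unscoped
    return store


def app_callout_allows_ferpa(store: PolicyStore, subject: str) -> bool:
    """What each application's UI does under the 'handshake': call out and check the group."""
    return store.in_group(subject, "ferpa-viewers")


def request(day: date, student: str = "student42") -> Context:
    return {"today": day, "target_student": student}


def demo() -> Dict[str, bool]:
    store = build_store()
    check = lambda ctx: store.evaluate("helpdesk1", "view", "student-account", ctx)
    # A snapshot taken mid-program and still consulted after the program ends
    # keeps granting: the cost of static evaluation for time-scoped privileges.
    stale = store.snapshot("helpdesk1", request(date(2011, 7, 1)))
    return {
        "before_program": check(request(date(2011, 5, 20))),
        "during_program": check(request(date(2011, 7, 1))),
        "after_program": check(request(date(2011, 9, 1))),
        "other_student_during": check(request(date(2011, 7, 1), "student99")),
        "stale_snapshot_allows": ("view", "student-account") in stale,
        "sue_ferpa": app_callout_allows_ferpa(store, "sue"),
        "bob_ferpa": app_callout_allows_ferpa(store, "bob"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'PERMIT' if allowed else 'DENY'}")
```

The snapshot path is the point of the tradeoff noted above: an entitlement list computed once is cheap for applications to consume, but it cannot notice that the program ended or that the student left it, so time- or enrollment-scoped privileges are better left to real-time rule evaluation, while unscoped grants such as Sue's group membership can safely be checked by a simple callout.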
Next Call: Thursday, 12-May-2011 at 1 pm ET
******************
Reminder: Advance CAMP starts 25-May-2011:
https://spaces.internet2.edu/display/ACAMPIdSummit2011/Home