MACE-paccman Call 28-Oct-2010
*Attending*
Tom Dopirak, CMU, (co-chair)
Keith Hazelton, U. Wisconsin (co-chair)
Tom Barton, U. Chicago
Roland Hedberg, Umea University
Chris Hyzer, U. Penn
Scott Cantor, The Ohio State University
Benn Oshrin, Internet2
Rob Carter, Duke
Renee Frost, Internet2
Ann West, Internet2
Steve Olshansky, Internet2
Emily Eisbruch, Internet2 (scribe)
*New Action Items*
[AI] (Rob) will email the paccman list about a meeting at FMM to start mapping paccman use cases using XACML. (DONE)
[AI] (Roland) will develop a write up on rules ontology and mapping to a UI.
[AI] (TomD) will contact TomZ about presenting at the FMM paccman-WG on how SPML support will be integrated into Grouper in the future (DONE)
[AI] (TomD) will work on the IP issue regarding use case classifications to potentially add to the paccman use case tabulation.
[AI] (Keith) will investigate methods for bringing in a remote presenter for the FMM paccman WG session. (DONE)
[AI] (Emily) will put the proposed MACE-paccman WG agenda on the paccman wiki (DONE)
https://spaces.internet2.edu/display/macepaccman/Proposed+Agenda+for+WG+session+at+2010+FMM
*Carry Over Items*
[AI] (Everyone) give TomD feedback on the swim lane diagram representing the B2 (Old and New Payroll Clerk) use case:
https://spaces.internet2.edu/plugins/servlet/gliffyapi/clientdiagramjpeg?cb=824536980&pk=pub&name=use+case+2&ceoid=3443891&key=macepaccman&size=L&version=2-%20Tables
[AI] (TomD) will email Charlotte at Penn State to discuss her interest in XACML
[AI] (Rob) will continue to work towards adding caBIG use cases to the MACE-paccman wiki.
[AI] (TomD and Keith) will continue to work on swimlane diagrams for use cases
[AI] (Keith) will create a business process model for selected MACE-paccman use cases.
[AI] (Keith) will contact the prof behind HERAS, about whether he may have grad students interested in pursuing some of our use cases
*DISCUSSION*
Roland on SpocP
Roland solved two of the use cases in the MACE-paccman use case library using SpocP:
Course Deadline Extended Use Case (A8) – SpocP solution
https://spaces.internet2.edu/display/macepaccman/Spocp+and+selected+use+cases
In this use case:
- Resource = LMS
- Action = read
- Subject = student
The rule is valid for one week, and this time limit is written into the rule as the “range”. A boundary condition could also optionally be used to handle the date range issue.
If a boundary condition is used (it is not in the A8 use case SpocP solution), the rule is checked first. Only if the query passes the rule (is "less than or equal to" it) is the boundary condition checked. The boundary condition can be a backend query that accesses dynamic information, such as the current time or data in an LDAP directory.
Roland noted that the power of boundary conditions can help reduce the number of SpocP rules needed.
SpocP also allows information to be bound to a rule, so that information (a password, certificate number, etc.) can be returned along with the decision.
There is a mathematical proof that SpocP answers correctly.
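The evaluation order described above (rule first, boundary condition only for queries that pass the rule), worked through on the A8 use case as an added example; this is illustrative Python, not SpocP's own code, and it assumes a simplified, ordered S-expression form rather than SpocP's exact restricted S-expression syntax. The enrolment set and the one-week dates are constructed.

```python
from datetime import date

# Constructed rule for A8 (course deadline extended): resource LMS, action read,
# subject student, valid for one week. The week is written into the rule as a
# "range" element, as the call describes. Syntax is simplified, not SpocP's own.
A8_RULE = ["spocp", ["resource", "lms"], ["action", "read"], ["subject", "student"],
           ["valid", ("range", date(2010, 10, 28), date(2010, 11, 4))]]

def element_le(q, r):
    """True when query element q is 'less than or equal to' rule element r."""
    if isinstance(r, tuple) and r[0] == "range":   # range: query value must lie inside it
        return isinstance(q, date) and r[1] <= q <= r[2]
    if isinstance(r, list):                        # list: the rule is a prefix of the query,
        return (isinstance(q, list) and len(q) >= len(r)   # extra query elements are allowed
                and all(element_le(qe, re) for qe, re in zip(q, r)))
    return q == r                                  # literal atom must match exactly

def evaluate(query, rule, boundary=None):
    """Check the rule first; consult the boundary condition only if the rule passes."""
    if not element_le(query, rule):
        return False
    return True if boundary is None else bool(boundary(query))

# Constructed stand-in for an LDAP lookup used as a boundary condition (hypothetical).
ENROLLED = {"alice", "bob"}

def enrolled_in_course(query):
    attrs = dict(e for e in query[1:] if isinstance(e, list) and len(e) == 2)
    return attrs.get("uid") in ENROLLED

def a8_query(uid, action, when):
    """Build a query carrying more detail (uid) than the rule needs."""
    return ["spocp", ["resource", "lms"], ["action", action], ["subject", "student"],
            ["valid", when], ["uid", uid]]
```

Note that the boundary condition is never reached for a query that already fails the rule, which is why it can hold a comparatively expensive backend lookup.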
Old and New Payroll Clerks Use Case (B2) – SpocP solution (not discussed on the call)
https://spaces.internet2.edu/display/macepaccman/Spocp+and+selected+use+cases#Spocpandselectedusecases-payrollclerks
Q: TomB: How do an institution's rules get added to SpocP's set of rules? What is the interface?
A: Ideally, you provide a web page interface for picking and choosing the rules. Using the semantic web, it is possible to build an ontology of rules for a specific application.
[AI] (Roland) will develop a write up on rules ontology and mapping to a UI.
TomB said there are tools that can take an ontology and create a UI.
Keith noted similarity between evaluation of rules in SpocP and SPKI.
Keith remarked that the SpocP draft documentation on restricted S-expressions is helpful in learning SpocP:
http://www.spocp.org/drafts/draft-hedberg-spocp-sexp-00.html
The response time of SpocP depends on the depth of the rule tree; the number of rules does not affect it. Boundary conditions can take more time.
In SpocP, the order of resource, action and subject is not rigid.
A tool called SpocP-test is used to test rules.
Roland will present more on SpocP at the FMM Face-to-Face MACE-paccman WG session on Nov. 1.
http://events.internet2.edu/2010/fall-mm/agenda.cfm?go=session&id=10001465&event=1159
Cases of SpocP in Use:
- SpocP is used in the Swedish nationwide student registration system for administrative access to that system. There are 500-600 rules needed for that use.
- Stockholm University uses SpocP for dynamic groups, including using boundary conditions. Boundary conditions are used to determine whether a subject should belong to a group, based on a query to LDAP.
MACE-paccman WG Session at 2010 FMM in Atlanta
Keith will work on bringing in Roland for a remote presentation on SpocP.
[AI] (Keith) will investigate methods for bringing in a remote presenter for the FMM paccman WG session. (DONE)
TomD will again encourage TomZ to present on provisioning.
[AI] (TomD) will contact TomZ about presenting at the FMM paccman-WG on how SPML support will be integrated into Grouper in the future (DONE)
Agenda is found at:
https://spaces.internet2.edu/display/macepaccman/Proposed+Agenda+for+WG+session+at+2010+FMM
Use Case Classification
TomD suggested that the "B. Group Access Management" classifications could be added to the MACE-paccman use case tabulation. There are intellectual property questions that need further investigation.
[AI] (TomD) will work on the IP issue regarding use case classifications to potentially add to the paccman use case tabulation.
For a future call, discuss Keith’s talk with RL Bob Morgan about future directions for the paccman working group.
Next Call: Thurs., Nov. 18, 2010, 1 pm ET