MACE-paccman Call 3-Feb-2011
Attending
Tom Dopirak, CMU
RL "Bob" Morgan, U-Washington
Chris Hyzer, U. Penn
Rob Carter, Duke
Tom Zeller, U. Memphis
Michael Gettes, CMU
Billy Cook, Clemson
Boyd Wilson, Clemson
Michael Gossett, Clemson
Justin Cooley, Clemson
Steve Olshansky, Internet2
Emily Eisbruch, Internet2 (scribe)
New Action Items
[AI] (All) post on list any ideas of what should be highlighted on an updated MACE-paccman website.
[AI] (TomD and SteveO) will work with RL "Bob" on getting the MACE-paccman charter reviewed on an upcoming MACE call.
Carry Over Action Items
[AI] (Keith) will develop a business case for funding the cost of the Axiomatics product for a period of investigation.
[AI] (Roland) will develop a write up on rules ontology and mapping to a UI. (update: Roland will bring this to Spring Member Meeting)
[AI] (Keith) will work on swimlane diagrams and a business process model for MACE-paccman use cases
[AI] (Rob) will continue to work towards adding caBIG use cases to the MACE-paccman wiki.
DISCUSSION
Review of Action Items
There was a brief discussion about Keith's action item of looking into the Axiomatics policy server product. It was noted that it would be desirable to also investigate an open source policy server solution, to avoid the expenditure hurdle. Chris stated that Grouper always tries to support an open source solution (e.g. supports use of Oracle and also use of MySQL or Postgres).
TomD reported that he and Keith have a meeting scheduled with Grouper-dev folks to discuss if/how MACE-paccman and Grouper working groups can collaborate more around real-time privilege evaluation and potentially plugging a policy engine into Grouper.
TomD set up a wiki page with questions related to SAML and real time attribute queries by Policy Decision Points. This was an action item assigned to Keith from the last call.
https://spaces.internet2.edu/display/macepaccman/SAML+and+real+time+attribute+queries+by+Policy+Decision+Points
TomZ reported on his action item of checking with JimF about joining a future MACE-paccman call regarding provisioning and handling authorization with Windows Live and Gmail.
JimF said he could join a future MACE-paccman call to discuss this, and also RL "Bob" might be willing to talk about this.
RL "Bob" noted that U-Washington has been exploring putting campus groups into Google Apps and there are many lessons learned that would be good to share.
U-Washington is working with a company called Nolij ( http://www.nolij.com/ ) around admissions, document processing and software as a service.
Rob will soon address his action item of getting the caBIG use case into the use case wiki. TomD suggested that if anyone knows about documentation on access management in the big science orgs, please put a link on the paccman wiki. TomD has a contact at Pittsburgh Supercomputing Center and has a meeting with them next week. He is not sure they will want to talk about authorization.
MACE-paccman WG at Internet2 SMM
TomD asked, does anyone want to present info from their campus at the MACE-paccman WG session at Internet2 SMM?
Michael could take 3 minutes to talk about the current state of perMIT. Possibly Paul could present if Paul is at SMM and if Michael is not in attendance.
Chris suggested that some Grouper access management topics could be on the agenda at the paccman WG.
Review of the MACE-paccman Charter
Suggestion was made to have the MACE paccman charter reviewed on an upcoming MACE call.
RL "Bob" suggested the Feb. 14 MACE call for this
[AI] (TomD and SteveO) will work with RL "Bob" on getting the MACE-paccman charter reviewed on an upcoming MACE call
Q: What kinds of changes in the charter might be needed? What precipitated this?
A: TomD: Thoughts are:
We may not be fulfilling our education/outreach goals around privilege and access management.
Should we have a more structured relationship with Shibboleth and Grouper, in order to build on existing efforts? (Those groups -- and the MACE-Directories WG -- are all dealing with privilege and access management issues.)
Should paccman look at more specific issues around cloud services and authorization?
The paccman glossary and the use case library were good work in themselves, but next steps are not clear
Rob agreed that we should look at access and privilege management as part of other efforts, not as a stand-alone entity.
Would it make sense for other groups to refer some of their privileging and access management issues to the MACE-paccman WG?
It was noted that by devoting the last ten minutes of each MACE-paccman call to updates from other working groups, we hoped to encourage the cross-pollination of ideas and efforts.
Chris: Like the idea of using the MACE-paccman WG to tackle issues that involve multiple projects that are not being handled in the individual projects, such as XACML policy engine exploration and Grouper/Shib integration.
It was stated that policy-based permission management is one of the hardest problems.
Clemson people remarked:
They are looking at XACML, how things fit together and how to get the most out of these calls.
They hope to attend the Advance CAMP in Colorado.
They are interested in interoperability and how to make different parts pluggable
Need a standard way to ask questions around policy and enforcement, a standard API
Groups are an answer for many questions, but not all
They have Shib installed but are not far along in the federation process.
Would like a unifying vision of authorization, provisioning, authentication, storing identities.
They have found the MACE-paccman glossary helpful.
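Added illustration, not part of the minutes: the two Clemson points above (a standard API for asking policy questions, and groups answering many but not all of them) as a toy policy decision point in Python behind a single decide() call. The subjects, group names, rules and times are constructed for the example, and the code is neither Grouper's nor any XACML engine's; a group manager such as Grouper would stand where GROUP_STORE does here.

```python
# Added illustration, not part of the minutes: a toy policy decision point (PDP)
# behind one decide() call, showing which questions group membership alone can
# answer and which need policy over other attributes. All names and data are
# constructed for the example.
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Set, Tuple

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Constructed sample group store: what a group manager such as Grouper might
# return for a subject. Hypothetical subjects and group names.
GROUP_STORE: Dict[str, Set[str]] = {
    "alice": {"staff", "cs101:ta"},
    "bob": {"student", "cs101:enrolled"},
    "carol": {"staff", "hr"},
}


@dataclass(frozen=True)
class Request:
    subject: str
    action: str        # "read" or "write"
    resource: dict     # e.g. {"type": "gradebook", "course": "cs101"}
    environment: dict  # e.g. {"time": datetime(...)}


def subject_attributes(subject: str) -> dict:
    """Resolve subject attributes at decision time (a real-time attribute query)."""
    return {"id": subject, "groups": GROUP_STORE.get(subject, set())}


# Rule targets: each takes (subject attributes, request) and says whether the rule applies.
def ta_reads_course_gradebook(s: dict, r: Request) -> bool:
    # Answerable by group membership alone.
    return (r.action == "read" and r.resource.get("type") == "gradebook"
            and f"{r.resource.get('course')}:ta" in s["groups"])


def students_cannot_read_gradebooks(s: dict, r: Request) -> bool:
    # Also a pure group question.
    return (r.action == "read" and r.resource.get("type") == "gradebook"
            and "student" in s["groups"])


def owner_edits_own_record(s: dict, r: Request) -> bool:
    # Not a group question: a relationship between subject and resource.
    return (r.action == "write" and r.resource.get("type") == "record"
            and r.resource.get("owner") == s["id"])


def no_writes_after_hours(s: dict, r: Request) -> bool:
    # Not a group question either: an environment condition. Unknown time counts as after hours.
    t = r.environment.get("time")
    return r.action == "write" and (t is None or not 8 <= t.hour < 18)


RULES: List[Tuple[str, str, Callable[[dict, Request], bool]]] = [
    ("ta-reads-course-gradebook", PERMIT, ta_reads_course_gradebook),
    ("students-cannot-read-gradebooks", DENY, students_cannot_read_gradebooks),
    ("owner-edits-own-record", PERMIT, owner_edits_own_record),
    ("no-writes-after-hours", DENY, no_writes_after_hours),
]


def decide(req: Request) -> Tuple[str, List[str]]:
    """Deny-overrides combining: any matching Deny wins, then any Permit, else NotApplicable.
    Returns the decision and the names of the rules whose targets matched."""
    s = subject_attributes(req.subject)
    matched = [(name, effect) for name, effect, target in RULES if target(s, req)]
    effects = {effect for _, effect in matched}
    decision = DENY if DENY in effects else PERMIT if PERMIT in effects else NOT_APPLICABLE
    return decision, [name for name, _ in matched]


def enforce(req: Request) -> bool:
    """Policy enforcement point: fail closed, so NotApplicable is refused like Deny."""
    return decide(req)[0] == PERMIT


# Constructed sample requests.
EXAMPLES: Dict[str, Request] = {
    "ta reads gradebook": Request("alice", "read", {"type": "gradebook", "course": "cs101"},
                                  {"time": datetime(2011, 2, 3, 10, 0)}),
    "student reads gradebook": Request("bob", "read", {"type": "gradebook", "course": "cs101"},
                                       {"time": datetime(2011, 2, 3, 10, 0)}),
    "owner edits record in hours": Request("alice", "write", {"type": "record", "owner": "alice"},
                                           {"time": datetime(2011, 2, 3, 10, 0)}),
    "owner edits record at night": Request("alice", "write", {"type": "record", "owner": "alice"},
                                           {"time": datetime(2011, 2, 3, 20, 0)}),
    "staff with no applicable rule": Request("carol", "read", {"type": "gradebook", "course": "cs101"},
                                             {"time": datetime(2011, 2, 3, 10, 0)}),
}


def run_examples() -> Dict[str, str]:
    """Decision for each sample request, keyed by its label."""
    return {label: decide(req)[0] for label, req in EXAMPLES.items()}


if __name__ == "__main__":
    for label, req in EXAMPLES.items():
        print(f"{label:32s} -> {decide(req)}  enforce={enforce(req)}")
```

The first two rules are the kind a group manager settles on its own; the owner and business-hours rules need attributes that are not memberships, which is where a policy engine earns its place. The enforcement point treating NotApplicable as a refusal is the usual fail-closed choice.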
Q: Is Advance CAMP a good format to work through these issues?
https://spaces.internet2.edu/display/ACAMPIdSummit2011/Home
A: RL "Bob" said
Advance CAMP will use an unconference format.
The first afternoon is a time for people to get up and make their pitch for a topic of interest to the whole group.
The rest of the meeting is an unconference format where sessions are set up on the fly based on topics people brought up the first afternoon, under the general umbrella of identity services for supporting application needs.
If there is a session you would like to see, such as "Effective use of XACML in higher ed authorization management," then you’d make that a session or if it doesn't become a session, hopefully there would be enough people to talk about it in the hallways.
Some Clemson folks will also attend the Internet2 SMM.
Updating the MACE-paccman Website
TomD stated that it would be desirable to redo/update the paccman website
http://middleware.internet2.edu/paccman/
Ideas:
Add graphics
Promote future MACE-paccman topics on the website (we'd have to know what the WG is going to be doing)
Make prominent links to the work on the wiki (the glossary, use cases, etc) using boxes and other graphical elements.
[AI] (All) post on list any ideas of what should be highlighted on an updated MACE-paccman website
Next Call: Thursday, 17-Feb-2011, 1 pm ET