MACE-paccman call 3-Sep-2009

**Attending**

Tom Dopirak, CMU (Chair)
Bob Morgan, University of Washington
Rob Carter, Duke
Ray Davis, UC Berkeley
Mark Scheible, NCSU
Paul Hill, MIT
Jim Repa, MIT
Vijay Konda, MIT
Michael Gettes, MIT
Chris Hyzer, U. Penn
Dan Seibert, UCSD
Paul Zeblosky, UBC
Renee Frost, Internet2
Ann West, Internet2
Steve Olshansky, Internet2
Emily Eisbruch, Internet2 (scribe)

**New Action Items**

[AI] (Paul) will define action in the glossary, and distinguish this from role.

[AI] (Paul) will add function to glossary, specifying if interchangeable with action, with note on capability.

[AI] (Paul) will add entries to glossary for qualifier, scope and resource.

[AI] (TomD) will change proposed definition of workflow to be more specific for authorization and privilege management.

[AI] (Bob) will take the MACE-paccman charter to an upcoming MACE meeting for review, reconfirmation or suggestions.

[AI] (TomD) will add the topic of function and resource and qualifiers to a future MACE-paccman agenda.

**Carry Over Action Items**

[AI] (Everyone) review the definitions Paul has worked on for permission, privilege and policy.
https://spaces.internet2.edu/display/macepaccman/MACE-paccman-glossary

[AI] (Michael Pelikan) will verify the glossary and taxonomy for self-consistency, trying to eliminate self-reference.

[AI] (R.L. Bob) will separate “assurance” from “authentication” in the glossary.

[AI] (Dan) will continue to fill out the taxonomy for KIM terms.

[AI] (Dan) will refine the definition of “responsibility” in the taxonomy and decide whether responsibility should be in the glossary.

[AI] (Paul and Chris) will look at definitions of “assertion” and “entitlement” in response to the request for examples or additional text.

[AI] (TomD) will review the definition of authority.

[AI] (Paul) will define “targets” and “resource” in the glossary.

[AI] (Rob) and (Paul) will look at Rob’s use cases and mapping to XACML.

[AI] (Andrew) will post his outline on uPortal Groups and Permissions on the wiki.

 

-- HELPFUL LINKS --

- MACE-paccman wiki:

https://spaces.internet2.edu/display/macepaccman/Home

- MACE-paccman Mailing List Archives

https://mail.internet2.edu/wws/arc/mace-paccman

**Discussion**

Back to school issues impacted Paul and Rob's ability to move forward on their action items.

Dan updated the comparative taxonomy for terms defined in the Kuali Rice KIM module. He hasn’t yet gone through and defined the remaining terms in the taxonomy, those that are not explicitly defined in KIM.

Dan stated that the term “permission” is used a lot in Kuali. It’s been deprecated in favor of the synonym “privilege” in the MACE-paccman glossary.

**Terms Action and Function**

Ray noted that permission has to do with a person, resource and action. Should there be an entry for “Action” in the glossary?

In Sakai 2, permission is action. It indicates a specific thing one can do in software (e.g., “chat moderator” or “log poster” or “course grader”).

There are complexities to how applications define actions. It’s problematic to come up with a vocabulary term for every action. Conflict between flexibility and usability must be managed carefully. There's a need to bundle “action” vocabularies.

Bob: the question relates to how granular to be. Possibly in handling permission and function, Signet was too granular.

Jim Repa: Stating things at a high enough level that they are understandable by the business community is helpful.
At MIT, there are 1) rules-based authorizations (access to library materials) and 2) individually managed authorizations (financial or HR).

Bob mentioned there could be a link to policy here too in terms of a requirement to use business language, NOT programmer language.

Q: Are action and function the same (and if yes, should we choose one) or are they different?

A: They are essentially the same; just pick one.

UCSD often uses the term capability. Sun IdM uses the term capability also.

Chris: In privilege management, there are assignments between subject and resource and there are attributes. One attribute could be action, but perhaps there could be other kinds of attributes.

At MIT it’s a triplet: subject and function and qualifier/resource. XACML also has these triples.

Group needs to return to this topic in the future.

[AI] (TomD) will add the topic of function and resource and qualifiers to a future MACE-paccman agenda.

[AI] (Paul) will define action in the glossary, and distinguish this from role.

[AI] (Paul) will add function to glossary, specifying if interchangeable with action, with note on capability.

[AI] (Paul) will add entries to glossary for qualifier, scope and resource.

**Defining the Terms Authority and Workflow**

TomD sent an email suggesting definitions for authority and workflow.

Bob warned against making an entire workflow glossary.

[AI] (TomD) will change proposed definition of workflow to be more specific for authorization and privilege management.

**Fall Member Meeting**

The MACE-paccman working group
Monday, October 5, 10:30 – 11:30am
http://events.internet2.edu/2009/fall-mm/agenda.cfm?go=session&id=10000853&event=980

The FMM working group session is a good chance to look at broader goals and where we are headed.

TomD: An item for the WG session at FMM is to determine a stopping point for working on the glossary. The next step for the working group could be to look into modeling. The glossary is in pretty good shape. The taxonomy may still need more attention.

Are there things on the charter we should be working on, and is the charter correct?

[AI] (Bob) will take the MACE-paccman charter to an upcoming MACE meeting for review, reconfirmation or suggestions.

**Updates from Other Efforts**

Sakai is moving forward on adding some very simple group management to functionality already available in the proof of concept software. They are also working on issues around having a pluggable application framework that integrates multiple communities.

Kuali released v 1.0. They are getting ready for installation with Kuali Financial System 3.0 in October.
Will integrate with Kuali Coeus 2.0 possibly in October.

Grouper: Tentative release date for Grouper 1.5 in mid November.

perMIT: A new project plan is posted on the wiki at https://wikis.mit.edu/confluence/display/PERMIT/perMIT+project

 

Next meeting: Thursday, 17-Sep-09 at 1pm ET