MACE-paccman Call 30-Jan-2009
**Attending**
Tom Dopirak, CMU (chair)
RL "Bob" Morgan, U. Washington (acting chair)
Tom Barton, U. Chicago
Rob Carter, Duke
Klara Jelinkova, Duke
Chris Hyzer, Penn
Chris Phillips, Queens University
Michael Gettes, MIT
Albert Wu, UCLA
Renee Frost, Internet2
Ann West, EDUCAUSE/Internet2
Steve Olshansky, Internet2
Emily Eisbruch, Internet2 (scribe)
*Action Items*
[AI] (Bob) will tweak the MACE-paccman charter based on the discussion on the WG call.
[AI] (TomD) will send to the list a link for Kuali’s description of their authorization service.
https://mail.internet2.edu/wws/arc/signet-dev/2009-01/msg00013.html
[AI] (SteveO) will setup the wiki space, website, and mailing list for the new MACE-Paccman working group and send info to the list when ready.
[AI] (Klara and Rob) will develop and make available a summary of the privilege management survey (part 2) results. (SteveO) will work with them to enable working group access to the survey data.
[AI] (All) wanting editing access to the new MACE-Paccman wiki space review the access instructions at http://middleware.internet2.edu/docs/internet2-spaces-instructions-200703.html.
*Discussion*
Resources
The document Albert prepared on mapping of XACML and Signet terms is on the wiki:
https://spaces.internet2.edu/display/macepaccman/MappingXacmlSignetTerms
Albert explained that this work is a response to a conversation and action item from the 16-Jan-09 call. This is one attempt to make sense of how terms are used in different products. It could potentially lead to using XACML terminology for future architecture work.
TomD mentioned some interesting Kuali work in the Identity Management space.
[AI] (TomD) will send to list a link for Kuali’s description of their authorization service. https://mail.internet2.edu/wws/arc/signet-dev/2009-01/msg00013.html
Privilege Management Survey
Klara mentioned that she and Rob are ready to wrap up the Privilege Management survey, having received about 30 responses. Twelve responses were received from the first round, which targeted mature sites (those with some privilege management experience). Then there were 15 more survey responses received from phase two of the survey, which reached out to the larger EDUCAUSE IdM list.
The first set of results (from the mature sites) has already been summarized. Now Klara and Rob need to summarize the phase two responses.
[AI] (Klara and Rob) will develop and make available a summary of the privilege management survey (part 2) results. (SteveO) will work with them to enable working group access to the survey data.
Working Group Charter
There was a wide-ranging discussion of the proposed MACE-paccman working group charter.
https://spaces.internet2.edu/display/~rlmorgan@washington.edu/MACE-paccman+draft+charter
TomD suggested that there could be value in listing lessons learned from Signet.
TomD also remarked that the team at Carnegie Mellon found definition of terms useful in doing provisioning work, and he suggested that the new working group compile a glossary to clarify key terms.
The question was raised: should the charter state that the group will scope commercial product capabilities?
TomB suggested that we stick to the principle that we want there to be certain key capabilities present, off the shelf, for our community.
Klara suggested that the group could cull from the priv management survey what people want in access management and then see what’s fulfilled in various products.
Bob: Groups like ours doing product reviews are not very successful historically.
Klara: there are commercial offerings in the access management product space, but I’m not aware of places that have maturity of deployment of commercial priv. mgmt. products. Some institutions have done more targeted solutions (MIT, Stanford).
Chris noted that Queens University is implementing Sun Microsystems access management products. They have hired a consultant from Sun Professional Services to help with that process and understanding best practices. But if the team at Queens University had been able to find best practices guidance online (e.g. on synchronizing IDs to Active Directory), that would have been good.
Chris noted that there are issues with organizing an institution around a solution. He mentioned the use case of centralizing group mgmt; orchestrating it is a challenge.
Bob: this leads to the notion of creating a high level roadmap.
Michael: common terminology is important.
Albert noted he has been hearing several different implied meanings of what access management means. These include:
1. Roles and groups are propagated to applications or systems. The systems make the decisions on what to do with those. There is no centrally enforced definition of what a role can do.
2. The notion (found in XACML) that access is a centrally-defined precise thing specifying a user’s authority to perform a certain action on a certain resource.
3. Combinations of these approaches.
Different institutions have different levels of maturity. Should we take a shot at standardizing those things?
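The two readings of "access management" in Albert's list (groups propagated to applications that decide locally, versus a central XACML-style policy over subject, action and resource) are easier to compare in code than in prose. The following is an added illustration written for these minutes; it is not code from the original page, from Signet, or from any XACML implementation. Every user, group, application, action and resource name in it is constructed, and the "deny-overrides" combining rule is one of the standard XACML combining algorithms chosen here for illustration.

```python
"""
Two readings of "access management" from the call, side by side.

Model 1: groups/roles are provisioned to applications (e.g. as an
isMemberOf attribute) and each application decides what a group means.
Model 2: a central policy (XACML-style) states which subjects may perform
which actions on which resources; applications only enforce the answer.

All names, groups and policies below are constructed for illustration.
"""
from dataclasses import dataclass

# ---- Model 1: provisioned groups, application-local meaning ----

# Constructed sample of what a provisioning feed might push to applications.
PROVISIONED_GROUPS = {
    "alice": {"cn=hr-staff", "cn=employees"},
    "bob": {"cn=employees"},
}

# Each application keeps its own table of what a group may do.  Nothing
# central says what "hr-staff" is entitled to, so the two apps diverge.
APP_POLICIES = {
    "payroll": {"cn=hr-staff": {"read-salary", "edit-salary"}},
    "directory": {"cn=hr-staff": {"read-salary"}, "cn=employees": {"read-salary"}},
}

def app_local_decision(app: str, user: str, action: str) -> bool:
    """Model 1: grant if any of the user's provisioned groups is mapped to
    the action in this application's own table."""
    groups = PROVISIONED_GROUPS.get(user, set())
    table = APP_POLICIES[app]
    return any(action in table.get(g, set()) for g in groups)

# ---- Model 2: central policy, XACML-style subject/action/resource ----

@dataclass(frozen=True)
class Rule:
    effect: str                # "Permit" or "Deny"
    subject_groups: frozenset  # match if subject is in ANY of these; empty = any subject
    actions: frozenset         # empty = any action
    resources: frozenset       # empty = any resource

@dataclass(frozen=True)
class Request:
    subject: str
    action: str
    resource: str

def _matches(rule: Rule, req: Request, groups: set) -> bool:
    return ((not rule.subject_groups or bool(rule.subject_groups & groups))
            and (not rule.actions or req.action in rule.actions)
            and (not rule.resources or req.resource in rule.resources))

def pdp_decide(rules: list, req: Request, groups: set) -> str:
    """Model 2: evaluate one request against the central policy using
    deny-overrides combining.  Returns "Permit", "Deny" or "NotApplicable";
    an enforcement point should treat anything but "Permit" as a refusal."""
    effects = [r.effect for r in rules if _matches(r, req, groups)]
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"

# Constructed central policy.  The last rule shows why a central definition
# matters: nobody, hr-staff included, may edit their own salary record.
CENTRAL_POLICY = [
    Rule("Permit", frozenset({"cn=hr-staff"}),
         frozenset({"read-salary", "edit-salary"}),
         frozenset({"salary-record", "own-salary-record"})),
    Rule("Permit", frozenset({"cn=employees"}),
         frozenset({"read-salary"}), frozenset({"own-salary-record"})),
    Rule("Deny", frozenset(), frozenset({"edit-salary"}),
         frozenset({"own-salary-record"})),
]

def pep_allows(user: str, action: str, resource: str) -> bool:
    """Policy enforcement point shared by every application in model 2."""
    req = Request(user, action, resource)
    return pdp_decide(CENTRAL_POLICY, req, PROVISIONED_GROUPS.get(user, set())) == "Permit"

if __name__ == "__main__":
    # Model 1: same user, same action, different answers per application.
    print(app_local_decision("payroll", "bob", "read-salary"))
    print(app_local_decision("directory", "bob", "read-salary"))
    # Model 2: one answer wherever the question is asked; Deny wins over Permit.
    print(pep_allows("bob", "read-salary", "own-salary-record"))
    print(pep_allows("alice", "edit-salary", "own-salary-record"))
```

In model 1, whether "bob" may read salary data depends on which application he asks, because each application's group table is its own; in model 2 the answer comes from one policy, and the deny rule applies to "alice" even though another rule would permit her. That difference is the practical content of the "centrally enforced definition of what a role can do" distinction in the list above.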
TomB : We can try to reduce ambiguity. Over time we can influence how people talk.
Bob: Defining terms means modeling the problem space/domain.
Klara: the diagram that MACE developed in 2007 is a good start. Ann sent the diagram around to the group:
https://mail.internet2.edu/wws/arc/signet-dev/2009-01/msg00011.html
[AI] (Bob) will tweak the MACE-paccman charter based on the discussion on the WG call.
Working Group Name
The group agreed that MACE-paccman is a fine name for the working group. Bob explained that the two “C”s in paccman are because Google has a Pacman module, so the two “C”s help differentiate from that.
[AI] (SteveO) will setup the wiki space, website, and mailing list for the new MACE-Paccman working group and send info to the list when ready.
[AI] (All) wanting editing access to the new MACE-Paccman wiki space review the access instructions at http://middleware.internet2.edu/docs/internet2-spaces-instructions-200703.html.
Bob stated that Tom Dopirak has agreed to chair the working group and it would be excellent to also have a co-chair.
Next Call: Friday, 13-Feb-09 at 11am ET