Minutes: MACE-paccman Call 31-March-2011

Attending

Keith Hazelton, U. Wisc - Madison (Co-Chair)
Tom Dopirak, CMU (Co-Chair)
Mark Scheible, NC State
Tom Zeller, U. Memphis
Chris Hyzer, U. Penn
Benn Oshrin, Internet2
Ann West, Internet2
Steve Olshansky, Internet2
Emily Eisbruch, Internet2 (scribe)

New Action Items

[AI] (Keith) will investigate and report back to the paccman list
on licensing policy terms for the Axiomatics Policy Server

[AI] (Keith and Charlotte) will preview the Axiomatics Policy
Server.

The following action items apply to the Priv. and Access
Management Recipes on the wiki:
https://spaces.internet2.edu/display/macepaccman/Privilege+and+Access+Management+Recipes--A+Discussion-starter+Draft

[AI] (Keith) will work on this section on privileges:

* Are the definitions in the glossary good enough or are
there others that are more widely accepted?
* MACE documents (Grouper) vs other standards groups

[AI] (Keith) will work on this section on policy:
* policy, a generic model
* P*P architectures: proposed models
* Application policy, enterprise policy, VO policy
* case studies - Project Bamboo

[AI] (TomD) will work on this section on namespace issues:
* What is the namespace (URIs vs URNs) and object
characteristics for privileges
* What are the special problems in namespace choice?

[AI] (Chris) will work on the section on choosing the approach
(groups and roles versus privileges)
* Using groups and roles vs privileges, how to choose,
simple access management, centralized vs distributed.
Note: you can mix and match between these strategies in
one application

[AI] (Chris) will work on the section on group, role and role
hierarchies
* group, role and role hierarchies, draft proposal for
MACE-wide model and definition

=============

DISCUSSION

Axiomatics Policy Server

Keith reported that the effort to set up the Axiomatics policy
server is moving along. Points of contact will be Keith at
UW-Madison and Charlotte at Penn State.

Q: How does Axiomatics license their policy server?

Keith will find out and report back.
[AI] (Keith) will investigate and report back to the paccman list
on licensing policy terms for the Axiomatics Policy Server

==============

SMM Track Session on Authorization and Design

For the SMM track session on Authorization and Intelligent Design
http://events.internet2.edu/2011/spring-mm/agenda.cfm?go=session&id=10001721&event=1035

* Keith plans to cover the big picture and overlay the P*P
items.
* Keith will reference some of the MACE-paccman use cases.
* Keith may talk about early experiments with Axiomatics
Policy server and how to turn English Language policies
into XACML.
* Keith may challenge Roland to see how turning English
language policy into XACML compares with turning English
language policy into an S-expression for SPOCP.
http://www.spocp.org/

* TomD hopes to discuss the requirements/wishes for how
stakeholders plan to use an HR system, including access,
workflow, etc.
* TomD, Keith and Roland plan to get together on a Skype
session to do more planning for this SMM session. Others
who are interested should get in touch.

==============

Privilege and Access Management Recipe Work

https://spaces.internet2.edu/display/macepaccman/Privilege+and+Access+Management+Recipes--A+Discussion-starter+Draft

TomD noted he modified the original outline recipe on the wiki,
for example to reflect that key definitions (for group, role and
role hierarchies) already exist in the paccman glossary at
https://spaces.internet2.edu/display/macepaccman/MACE-paccman-glossary and perhaps in other project glossaries.

[AI] (Keith) will work on the glossary definitions issue:

* Are the definitions in the glossary good enough or are
there others that are more widely accepted?
* MACE documents (Grouper) vs other standards groups

Concerning pull provisioning, TomD added to the outline the
concepts of "LDAP, privilege registry or webservice for pull
provisioning, is there existing MACE-Dir work to build on?"

TomD also added an item on URIs vs URNs.

[AI] (TomD) will work on this section on namespace issues:
* What is the namespace (URIs vs URNs) and object
characteristics for privileges
* What are the special problems in namespace choice?

Keith will work on the generic model for policy; this topic area
coincides with other work he is doing, for example with the
Axiomatics Policy Server.

[AI] (Keith) will work on this section on policy:
* policy, a generic model
* P*P architectures: proposed models
* Application policy, enterprise policy, VO policy
* case studies - Project Bamboo

Chris expressed interest in working on groups and roles vs
privileges.

[AI] (Chris) will work on the section on choosing the approach
(groups and roles versus privileges)
* Using groups and roles vs privileges, how to choose,
simple access management, centralized vs distributed.
Note: you can mix and match between these strategies in
one application

[AI] (Chris) will work on the section on group, role and role
hierarchies
* group, role and role hierarchies, draft proposal for
MACE-wide model and definition

Comments:

* Chris noted that Grouper has a web service for attribute
delivery.

* FIFER has not yet talked about an API for attributes, but
FIFER is going in the direction of URIs for groups and
privileges. https://wiki.jasig.org/display/FIFER/API

* Mark stated that it would be good to have some examples
that show the different approaches to particular
challenges, to distinguish why to go down a particular
route.

* Mark: it could be helpful to look at how much of access
management is centralized versus how much is distributed
to the applications

* Chris commented that there are ways to use various
combinations of using roles / privileges / groups to solve
access management issues

* TomD: the Grouper developers have done a good job of
thinking through many of these issues. Paccman should feed
ideas back to the Grouper effort

* One of the things that MichaelG mentioned concerning the
LDAP recipe: it's valuable to talk about what is actually
in operation somewhere; show actual issues and tradeoffs

* Does anyone have experience with Drools?
  * Chris has installed Drools, but Grouper went in a
    different direction.
  * Mark noted that Aegis IdM Suite uses Drools

* XMPP
  * Keith questioned Chris about Extensible Messaging
    and Presence Protocol (XMPP)
  * Chris noted that XMPP is used at Penn, Cardiff,
    and NYU.
  * It's a protocol for push provisioning
  * It's a messaging protocol, often being run for
    chat
  * Can be used with XML or JSON
  * Instead of XMPP, using JMS with AMQP (Advanced
    Message Queuing Protocol) is another approach

==============

Moving Forward with the Recipe

https://spaces.internet2.edu/display/macepaccman/Privilege+and+Access+Management+Recipes--A+Discussion-starter+Draft

* Folks are encouraged to go ahead and add information/ideas
to the recipe page of the wiki.

* Do not delete others' work on the recipe page, just use
strikethrough if needed.

* In filling out the recipe, there is no need to be
encyclopedic. Good to be pragmatic.

==============

Updates from Other Projects

Chris noted the hope is to demo the Grouper Attribute UI or
Privilege UI at the Grouper WG at SMM (Monday, April 18, 10:30am
in Salon A).

==============

2011 Spring Member Meeting

MACE-paccman Working Group scheduled for: April 18, 2011, 12:00 PM
- 1:00 PM
http://events.internet2.edu/2011/spring-mm/agenda.cfm?go=session&id=10001793&event=1035

Session on Authorization and Intelligent Design April 19, 2011,
4:30 PM - 5:30 PM
http://events.internet2.edu/2011/spring-mm/agenda.cfm?go=session&id=10001721&event=1035

Link to all Middleware Sessions and Focus on Federation Sessions at
SMM: http://events.internet2.edu/2011/spring-mm/agenda.cfm?tracks=87&tracks=56&types=&details=

Next MACE-paccman meeting: Face-to-Face at Internet2 Spring Member Meeting, Monday, April 18, 2011
