MACE-paccman call 6-August-2009
**Attending**
Rob Carter, Duke (stand-in chair)
Michael Gettes, MIT
Paul Hill, MIT
Jim Repa, MIT
Vijay Konda, MIT
Paul Zablosky, UBC
Scotty Logan, Stanford
Dan Seibert, UCSD
Michael Pelikan, Penn State
David Bantz, University of Alaska
Ray Davis, U. California
Steve Olshansky, Internet2
Emily Eisbruch, Internet2 (scribe)
**Carry Over Action Items**
[AI] (R.L. "Bob") will continue to pursue clarification of the Intellectual Property Framework for materials coming out of the MACE-paccman WG.
[AI] (Paul) will continue outreach and reminders re people’s assignments in completing the taxonomy.
[AI] (Paul) will add to the glossary a definition of policy.
[AI] (Rob) will put Service Interface Definitions on the MACE-paccman agenda for a future call.
[AI] (Paul) will choose either the term “permission” or “privilege” as the preferred term for the glossary and make edits accordingly. This is based on the agreement that the terms are loose synonyms and using both can be confusing.
[AI] (Rob) and (Paul) will look at Rob’s use cases and mapping to XACML.
[AI] (Andrew) will post his outline on uPortal Groups and Permissions on the wiki.
-- HELPFUL LINKS --
- MACE-paccman wiki:
https://spaces.internet2.edu/display/macepaccman/Home
- MACE-paccman Mailing List Archives
https://mail.internet2.edu/wws/arc/mace-paccman
**Discussion**
*Glossary and Taxonomy*
https://spaces.internet2.edu/display/macepaccman/MACE-paccman-glossary
https://spaces.internet2.edu/display/macepaccman/MACE-paccman+comparative+taxonomy
- Chris added the Grouper terms "immediate" and "effective" to the taxonomy.
- TomD added Sun IdM terminology definitions into taxonomy.
- Paul did not yet have a chance to work on deconflicting the terms privilege and permission.
- Rob added Oracle IdM items into the taxonomy based on the Oracle IdM documentation. Rob noted that the Oracle application suite has multiple parts (e.g., Oracle Role Manager, Oracle Access Manager, Oracle IdM) and all have a slightly different spin and use of terminology. Should there be one section in the taxonomy for Oracle in general, or should we split out different subsections of the Oracle product suite? This question was not resolved on the call.
- Dan pointed out to the list that there is a link to KIM terminology at the bottom of the glossary page. This link goes to the Kuali Rice Confluence page with KIM glossary.
https://test.kuali.org/confluence/display/KULRICE/KIM+Glossary
Dan intends to edit the KIM glossary to add terminology related to responsibility of permission (something one is expected to do in their role).
Michael Pelikan commented that he sees tremendous value in the taxonomy as it is developing. There is a need for creating controlled vocabularies so that vocabulary works across institutional boundaries. He still hopes to work on the ontology (first mentioned at Advanced CAMP) sometime in the future. There are limitations on what can be represented in LDAP. Something three-dimensional may be helpful.
*Terminology Discussion*
Ray commented on the use of the term “role.” Sakai uses the word “role” for translating or mapping from one context to another and for integration to external systems. KIM has roles mapped to online community roles mapped to application specific permissions. Ray would like to see reduction of terms, with integration as a central concern.
Suggestion that beyond the current work on the taxonomy, MACE-paccman should eventually work on and propose:
- new suggested de facto standards
- standardized attribute definitions in the area of roles and responsibilities.
Such efforts can help with integration of applications.
Ray said that the IMS Learning Info Services Group is attempting to develop suggested LDAP attribute findings for SIS registrar type data. This could be a good starting point, though they are finding the world of LDAP attributes to be a bit restrictive.
*Burton Catalyst Conference*
Scotty attended the Catalyst Conference. One interesting aspect was a demo of SAML 2 and Web SSO interrupt. A group called PivotLink does business reporting as a service. They take attributes from SAML 2 assertions and map to certain privileges inside their system.
http://www.pivotlink.com/news-a-events/news-a-events-overview/103-pivotlink-eliminates-the-security-barriers-to-cloud-based-business-intelligence
*Updates from Working Groups and Projects*
There are some InCommon discussions involving passing entitlement info in Library services.
Dave Kennedy from Duke is involved with that work.
perMIT and rolesDB: They are ready to start creating the sample data for packaging. As mentioned last time, they are seeing some performance issues and so are evaluating a later version of MySQL.
Kuali: On the Rice project, they are preparing for 1.0 release by end of month or early in September.
Working on a few JIRA items/bugs. Working on packaging and cleanup of KIM module.
Working with Innovative, working on user guides and technical docs.
Kuali Days 8, Nov 17-18 in San Antonio, is open for registration.
Sakai: Ray reported that at the Sakai annual conference, there was a lot of energy going into interviewing people for use cases. One of the projects Ray is working on – the Groups and Roles part of Sakai 3 - now has staffing and project space. For portfolio systems, Ray is meeting with people working on Kuali at Berkeley around Kuali course management and the overlap.
Ray forwarded this information on Sakai:
“The working space for the Sakai 3 Groups-and-Roles project is:
http://confluence.sakaiproject.org/display/GROUPS/
Child pages include authz integration needs as described by representatives from many different environments.”
*Internet2 Fall Member Meeting Reminder*
Internet2 Fall Member Meeting is October 5-8 in San Antonio. The MACE-paccman working group will meet on Monday morning, October 5.
http://events.internet2.edu/2009/fall-mm/index.html
Next Call: Thursday, Aug 20, 2009, 1pm ET