Minutes: MACE-paccman call 7-July-2011

Attending

Keith Hazelton, U. Wisconsin (co-chair)
Tom Dopirak, CMU (co-chair)
Tom Barton, U. Chicago
RL "Bob" Morgan, U. Washington
Rob Carter, Duke
Mark Scheible, MCNC
Chris Phillips, CANARIE
Jimmy Vuccolo, Penn State
Chris Hyzer, U. Penn
Steve Olshansky, Internet2
Emily Eisbruch, Internet2 (scribe)

=========

New Action Item

[AI] (Rob) provide ChrisH with feedback on the Grouper limits work, with reference to the MACE-paccman use cases.

=========

Carry Over Action Items

[AI] (TomD) will integrate Gartner use case classification into MACE-paccman use cases.

[AI] (TomD and Heather) - MACE glossary work, first meeting on Friday, July 8

[AI] (Keith) will investigate and report back to the paccman list on licensing policy terms for the Axiomatics Policy Server

[AI] (Keith and Charlotte) will preview the Axiomatics Policy Server.

[AI] (Keith) will work on the section on policy in the recipe: https://spaces.internet2.edu/display/macepaccman/Privilege+and+Access+Management+Recipes--A+Discussion-starter+Draft
• policy, a generic model
• P*P architectures: proposed models,
• Application policy, enterprise policy, VO policy
• case studies - bamboo

=========

DISCUSSION

=========

Permission Limits and the built-ins for Grouper 2.0 (Chris Hyzer)

https://spaces.internet2.edu/display/Grouper/Permission+limit+builtin+implementations

• A limit in Grouper is a runtime decision based on environment variables
• Environment variables can be passed from the caller if it's a web service call
• Chris has provided some built-in limits
• The built-ins can be used as examples and then deployers can tailor them for their own needs

• Built-ins include:
  • "only give access during weekdays 9-5" limit
  • "amount less than" limit
  • "amount less than or equal to" limit
  • IP Address on Networks limit
  • IP Address on Networks Realm limit
  • Use expression language JEXL (this allows a scriptlet in expression language to do pretty much anything you want, though it can be complex for non-technical people to set it up)

A limit attribute could be attached to:
• a permission assignment
• a role
• an individual in a role

TomD remarked that Grouper uses roles in a slightly different way than others have talked about roles. In the past, a Role was shorthand for a collection of permissions; it was not a collection of people. But a Grouper role is a combination of a group and a paccman role. Probably the Grouper way makes sense, but it does not express the majority opinion. Should we use the term "Grouper Roles"?

Keith: the revised definition of Role in the MACE-paccman glossary does fit well with the Grouper usage of the term role.
See the glossary at https://spaces.internet2.edu/display/macepaccman/MACE-paccman-glossary

ChrisH stated that his use of role is by job function (e.g. payroll administrator). Could have multiple subjects assigned to a role.

Keith: We don't have a single-word name for the collection of privileges associated with the place in the org chart. That is worth thinking about.

TomB: The NIST definition calls that place in the org chart a "node in the hierarchy." Also, the NIST RBAC definition of Role is consistent with the way Grouper uses the term Role.

TomD: Chris's model adds flexibility to the XACML notion of an information point. In Chris's approach, you can provide the data or it can be fetched. This is good: sometimes you don't want the policy inside the caller.

- A shared namespace is not explicitly facilitated in the current version.
- Trying to preserve some simplicity.

Q: Are there other built-in limits we should be providing?

It was clarified that many of the MACE-paccman use cases can be implemented without using limits. For example, for deprovisioning, or for beginning and ending dates, it's better to use other features of Grouper, such as Grouper Rules. Limits are for run-time situations.

[AI] (Rob) provide ChrisH with feedback on the Grouper limits work, with reference to the MACE-paccman use cases.

Q: Does the model allow resources to be members in a group?

A: Chris: A resource can be assigned to a role (with an action such as read/write), and then any subjects assigned to the role have the defined permission (read/write) to the resource.

Q: Rob asked about the use case of "this collection of people in this role should have access to this data about all the people in this group"

A: Chris: This (permissions for a group in a role) is not implemented yet.

Rob commented that perhaps an opt-out could be used. Chris suggested using Java and caching in memory the opted-out cases.

Q: ChrisP notes that limits are for a point-in-time evaluation. Will there be a lot of chatter (possibly affecting LDAP) at evaluation time?

A: ChrisH: Grouper attributes are stored in point in time. This can be pruned later. Can use a bulk load or can use Grouper notifications when there are many changes.
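To make the limit model from this discussion concrete, here is an added example in Python (not Grouper's own code): a role holds subjects and (resource, action) permission assignments as in Chris's answer above, limits can be attached to the assignment, the role, or an individual in the role, and each limit is a predicate over environment variables the caller passes in at decision time. The role, subjects, resource name, networks and environment values are constructed for illustration.

```python
from ipaddress import ip_address, ip_network
from typing import Any, Callable, Dict, List

# A limit is a predicate over the environment variables the caller passes in
# (e.g. through a web service call); it is evaluated at decision time.
Limit = Callable[[Dict[str, Any]], bool]

def weekday_nine_to_five(env: Dict[str, Any]) -> bool:
    """'Only give access during weekdays 9-5': env['now'] is a datetime."""
    now = env["now"]
    return now.weekday() < 5 and 9 <= now.hour < 17

def amount_less_than(maximum: float) -> Limit:
    """'Amount less than' limit: the caller's 'amount' must be below the threshold."""
    return lambda env: env["amount"] < maximum

def ip_on_networks(cidrs: List[str]) -> Limit:
    """'IP address on networks' limit: 'ipAddress' must lie in one of the CIDRs."""
    nets = [ip_network(c) for c in cidrs]
    return lambda env: any(ip_address(env["ipAddress"]) in n for n in nets)

class Role:
    """A role holds subjects and (resource, action) permission assignments;
    limits can hang off the assignment, the role, or an individual in the role."""
    def __init__(self, subjects: set) -> None:
        self.subjects = subjects
        self.permissions: Dict[tuple, List[Limit]] = {}
        self.role_limits: List[Limit] = []
        self.member_limits: Dict[str, List[Limit]] = {}

def has_permission(role: Role, subject: str, resource: str, action: str,
                   env: Dict[str, Any]) -> bool:
    """Runtime decision: membership and assignment must hold, and every limit
    at all three attachment points must pass for the supplied environment."""
    if subject not in role.subjects or (resource, action) not in role.permissions:
        return False
    limits = (role.role_limits + role.member_limits.get(subject, [])
              + role.permissions[(resource, action)])
    return all(limit(env) for limit in limits)

def build_payroll_role() -> Role:
    """Constructed sample: a 'payroll administrator' role (hypothetical data)."""
    payroll = Role(subjects={"alice", "bob"})
    # assignment-level limit: writes to the ledger only below a fixed amount
    payroll.permissions[("payroll:ledger", "write")] = [amount_less_than(5000)]
    # role-level limit: everyone in the role must come from the campus network
    payroll.role_limits = [ip_on_networks(["10.0.0.0/8"])]
    # individual-in-role limit: bob is restricted to business hours
    payroll.member_limits["bob"] = [weekday_nine_to_five]
    return payroll
```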

=========

Allow / Deny in Grouper

Chris summarized:

a. Integrated allow/deny
b. Analyze assignment to see why allow or not
c. Assignments to roles (used to only be able to assign to users)
d. Build to the 2.0 demo server for all to see
https://grouperdemo.internet2.edu/
https://spaces.internet2.edu/display/Grouper/Grouper+external+users+on+demo+server
e. Implemented all the allow/disallow use cases for screen movies (common setup is 6 minutes, the rest are 2 minutes)
f. Lite UI main menu for easy navigation

=========

Update on SCIM protocol development and (de)provisioning (ChrisP)

- https://spaces.internet2.edu/display/macepaccman/SCIM

On June 27, 2011, ChrisP gave a presentation on SCIM to the MACE-DIR WG. See
http://www.slideshare.net/teamktown/scim-a-participants-perspective-internet2-macedir-briefingscimmacedir20110627

There will be more discussion at the upcoming Cloud Identity Summit in Colorado, July 18-21. ChrisP will keep this group informed.

=========

Open Source IdM Preliminary Discussions

RL "Bob" reported that discussion continues between various organizations looking at the possibility of assembling some coherent Open Source IdM suite. This was discussed at the Jasig/Advance CAMP gathering in Westminster, CO in May. Discussions will continue in August.

=========

Next call: July 21, 2011 at 1:00pm ET