MACE-paccman Call 9-June-2011

Attending

Keith Hazelton, U. Wisconsin (co-chair)
Tom Dopirak, CMU (co-chair)
Billy Cook, Clemson
Jeremy Grieshop, Clemson
Mark Scheible, MCNC
Michael Gettes, CMU
Chris Hyzer, U. Penn
Steve Olshansky, Internet2
Emily Eisbruch, Internet2 (scribe)

==================

New Action Item

[AI] (Keith) will add a link on the MACE-paccman wiki to the SCIM project info on the Project Bamboo site.

==================

Carry Over Action Items

[AI] (TomD) will integrate Gartner use case classification into MACE-paccman use cases.

[AI] (Keith) will investigate and report back to the paccman list on licensing policy terms for the Axiomatics Policy Server

[AI] (Keith and Charlotte) will preview the Axiomatics Policy Server.

[AI] (Keith) will work on the section on policy in the recipe: https://spaces.internet2.edu/display/macepaccman/Privilege+and+Access+Management+Recipes--A+Discussion-starter+Draft
• policy, a generic model
• P*P architectures: proposed models,
• Application policy, enterprise policy, VO policy
• case studies - bamboo

==================

DISCUSSION

==================

Glossary Coordination

• TomD noted that Heather's COmanage glossary and Chris Hyzer's definitions at https://spaces.internet2.edu/x/vAh3AQ seem to mostly align.
• Some glossary terms discussed at Advance CAMP in Colorado are found at: https://spaces.internet2.edu/display/ACAMPIdSummit2011/Permissions+Management+UX+and+UI+Issues (see the bullet titled "MRG Definitions")
• TomD presented the idea of privileges for peasants, a simpler glossary
• Keith suggested that it would be good to agree on a term for qualifier/scope/limit/boundary
• There can be a difference between a "condition" (which can be attached to an access rule) and a "scope" (which can relate to the metadata on the resource)
• TomD noted that he and Rob had started looking at the paccman use cases with attention to qualifiers that can be determined statically versus qualifiers that should be determined in real time.
• Glossary issues will be discussed more on a future paccman call.

===========================

Groups, roles, privileges, and external authorization (Chris Hyzer's recipe work)

https://spaces.internet2.edu/display/macepaccman/Privilege+and+Access+Management+Recipes--A+Discussion-starter+Draft

The recipe section ChrisH added discusses:
- using groups or roles
- using hard coded authorization
- external privilege management / central authorization systems (and caching considerations)

• There was a brief discussion of whether the word "privilege" or "permission" should be used.
• In the recipe work, ChrisH used the word "privilege" as suggested in the paccman glossary at https://spaces.internet2.edu/display/macepaccman/MACE-paccman-glossary

• What is the best way to describe the practice of using a group as if it were a role?
• Chris agreed to remove the concept of "virtual role" from the recipe, as it was considered too confusing
• The new wording states: "When applications protect resources by checking if the authenticated user is in a group, they are essentially using a group as if it were a role"

• TomD suggested that privilege management is sometimes confused with the basic terminology of privileges, and that using set math could make things easier (though it was agreed that the set math approach would not make it into the simple "peasant" glossary)
• Tom added notes about the set math approach in the recipe.
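The three application-side patterns the recipe section contrasts, as an added example that is not code from the recipe or from any MACE-paccman project (COmanage, Grouper): hard-coded authorization, a group checked as if it were a role, and a call-out to an external privilege management service with a decision cache. The directory contents, the policy decision point and its grants, and every name used (app:editors, reports, and so on) are constructed assumptions. The last function shows the caching consideration the recipe raises: a privilege revoked centrally keeps working in the application until the cached decision expires or is invalidated.

```python
"""
Three ways an application can answer "may this user do X?", following the
recipe's split: hard-coded, group-as-role, external privilege management.
Added example, not the recipe's or any project's own code. All identity
data, group names and grants below are constructed assumptions.
"""
import time

# Constructed stand-in for what a directory or group service would return.
GROUP_MEMBERSHIP = {
    "alice": {"app:editors", "dept:finance"},
    "bob":   {"dept:finance"},
    "carol": {"app:admins"},
}

# 1. Hard-coded authorization: the policy is the code. Changing who may edit
#    means a redeploy, and nothing outside the application can see the rule.
def hardcoded_can_edit(user):
    return user in ("alice", "carol")

# 2. Group as role: the application checks membership in a group and treats
#    that group as if it were the "editor" role. Membership is now managed
#    centrally, but which groups confer which privilege is still known only
#    inside the application.
EDITOR_GROUPS = {"app:editors", "app:admins"}   # assumed group names

def group_as_role_can_edit(user, groups=GROUP_MEMBERSHIP):
    return not EDITOR_GROUPS.isdisjoint(groups.get(user, set()))

# 3. External privilege management: ask a central service for a
#    (subject, action, resource) decision and cache the answer. The cache is
#    the caching consideration the recipe flags: a revoked privilege keeps
#    working until its cached entry expires or the application is told to
#    invalidate it.
class ExternalPDP:
    """Constructed policy decision point; a real one would be a network call."""
    def __init__(self):
        self.grants = {("alice", "edit", "reports"), ("carol", "edit", "reports"),
                       ("bob", "read", "reports")}
        self.calls = 0   # how often the application actually asked the service

    def decide(self, subject, action, resource):
        self.calls += 1
        return (subject, action, resource) in self.grants


class CachingAuthorizer:
    def __init__(self, pdp, ttl_seconds=60.0, clock=time.monotonic):
        self.pdp, self.ttl, self.clock = pdp, ttl_seconds, clock
        self.cache = {}   # (subject, action, resource) -> (decision, expires_at)

    def is_allowed(self, subject, action, resource):
        key = (subject, action, resource)
        now = self.clock()
        cached = self.cache.get(key)
        if cached is not None and cached[1] > now:
            return cached[0]                      # served from cache, possibly stale
        decision = self.pdp.decide(*key)
        self.cache[key] = (decision, now + self.ttl)
        return decision

    def invalidate(self, subject):
        """Drop cached decisions for a subject, e.g. on a deprovisioning event."""
        for key in [k for k in self.cache if k[0] == subject]:
            del self.cache[key]


def revocation_lag_demo():
    """Revoke alice centrally and watch the cached allow survive until the TTL
    passes. Returns the decisions seen and how often the PDP was consulted."""
    fake_now = [0.0]                               # controllable clock for the demo
    pdp = ExternalPDP()
    authz = CachingAuthorizer(pdp, ttl_seconds=60.0, clock=lambda: fake_now[0])
    first = authz.is_allowed("alice", "edit", "reports")      # asks the PDP: allowed
    pdp.grants.discard(("alice", "edit", "reports"))           # privilege revoked centrally
    stale = authz.is_allowed("alice", "edit", "reports")      # cache hit: still allowed
    fake_now[0] = 61.0
    after_ttl = authz.is_allowed("alice", "edit", "reports")  # cache expired: denied
    return {"first": first, "stale": stale, "after_ttl": after_ttl, "pdp_calls": pdp.calls}


if __name__ == "__main__":
    print(hardcoded_can_edit("bob"), group_as_role_can_edit("alice"))
    print(revocation_lag_demo())
```

The TTL is the knob to think about: a long TTL keeps the application up when the central service is slow or down, a short one bounds how long a revoked privilege stays usable. Pushing an explicit invalidation on deprovisioning (as `invalidate` does) is what lets you keep the long TTL without the long revocation lag.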

============================

Grouper Allow / Deny

https://spaces.internet2.edu/x/bYaKAQ

See YouTube video at: http://www.youtube.com/watch?v=Ef8IKFXQTro

Chris reviewed how Grouper is moving forward with Allow / Deny, based on discussions at Jasig and Advance CAMP

• The deny is referred to as "NotAllow"
• The NotAllow is only used if you want to make a wide allow and then block a certain subset.
• If there is a strict hierarchy, things work as expected
• Without a strict hierarchy, there can be occasional times when things get confusing
• There is a UI to help explain what's going on in those cases
• A green (for an allow) or red (for NotAllow) button will be included on the UI. Clicking on this button will show the relevant inheritances.
• Eventually (post Grouper 2.0), the graphing software will show red or green for a pairing of a certain user and a certain action
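A small model of the allow / NotAllow behaviour described above, as an added example that is not Grouper's code. The resolution rule it uses (the assignment nearest to the user's own roles wins; an allow and a NotAllow at the same distance are reported as a conflict) is an assumption chosen to make the strict versus non-strict hierarchy point visible, not Grouper's actual algorithm. The roles, users and assignments are constructed. Each decision comes back with the list of inherited assignments behind it, which is the information the red/green UI is meant to surface.

```python
"""
Allow / NotAllow resolution over a role hierarchy with an inheritance trace.
Added example, not Grouper's code; the resolution rule and all data are
assumptions constructed for illustration.
"""
from collections import deque

# role -> roles it inherits from. "hybrid" has two parents, so the hierarchy
# is not a strict tree; that is where the confusing cases come from.
PARENTS = {
    "staff":       set(),
    "contractor":  {"staff"},
    "finance":     {"staff"},
    "finance-mgr": {"finance"},
    "auditor":     {"staff"},
    "hybrid":      {"finance-mgr", "auditor"},
}

# (role, action, resource, effect). The pattern the notes describe: a wide
# allow high up, a NotAllow on the subset that must be blocked.
ASSIGNMENTS = [
    ("staff",       "read", "ledger", "allow"),
    ("contractor",  "read", "ledger", "notallow"),
    ("finance-mgr", "edit", "ledger", "allow"),
    ("auditor",     "edit", "ledger", "notallow"),
]

USER_ROLES = {
    "alice": {"contractor"},
    "bob":   {"finance-mgr"},
    "dana":  {"hybrid"},
}


def is_strict_hierarchy(parents=PARENTS):
    """True when every role has at most one parent (a tree), so each user with
    one role inherits along a single chain and distances never tie."""
    return all(len(p) <= 1 for p in parents.values())


def role_distances(direct_roles, parents=PARENTS):
    """Map every role a user holds, directly or by inheritance, to its
    shortest distance from the user's direct roles (breadth-first)."""
    dist = {r: 0 for r in direct_roles}
    queue = deque(direct_roles)
    while queue:
        role = queue.popleft()
        for parent in parents.get(role, ()):
            if parent not in dist:
                dist[parent] = dist[role] + 1
                queue.append(parent)
    return dist


def decide(user, action, resource, *, user_roles=USER_ROLES,
           assignments=ASSIGNMENTS, parents=PARENTS):
    """Return (decision, trace). decision is True (allow), False (NotAllow or
    no allow at all) or None (allow and NotAllow tie at the same distance).
    trace lists (distance, role, effect) for every inherited assignment that
    matched, nearest first: the chain a UI would colour green and red."""
    dist = role_distances(user_roles.get(user, set()), parents)
    trace = sorted((dist[role], role, effect)
                   for role, a, res, effect in assignments
                   if a == action and res == resource and role in dist)
    if not trace:
        return False, trace                 # nothing allows it: denied by default
    nearest = trace[0][0]
    effects = {effect for d, _, effect in trace if d == nearest}
    if effects == {"allow"}:
        return True, trace
    if effects == {"notallow"}:
        return False, trace
    return None, trace                      # conflict: needs a human to look at the trace


if __name__ == "__main__":
    print("strict hierarchy:", is_strict_hierarchy())
    for user, action in [("alice", "read"), ("bob", "edit"), ("dana", "edit"), ("dana", "read")]:
        print(user, action, decide(user, action, "ledger"))
```

In the constructed data, alice (contractor) is blocked from reading the ledger because the NotAllow sits closer to her than the wide allow on staff, which is the intended use of NotAllow. dana (hybrid) inherits an allow and a NotAllow for edit at the same distance along two different parent chains, so the model refuses to pick and hands back the trace; if `hybrid` had a single parent the hierarchy would be strict and that tie could not occur.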

=================

Next Call: Thursday, June 23, 2011 at 1pm ET

===================

Possible Agenda Items for next call:

- (de)Provisioning (de)bate (TomZ et al.)
https://spaces.internet2.edu/display/ACAMPIdSummit2011/Provisioning

- Discuss real-time attribute calculation with reference to the MACE-paccman use case tabulation (TomD and Rob)
https://spaces.internet2.edu/display/macepaccman/Use+Case+Tabulation

- Glossary Discussion