Signet Conference Call September 3, 2004

*Action Items*
New
[AI] {Lynn} will write up a person and function summary to express the relationship of privileges to roles and to determine what gets expressed in the eduPerson entitlement space.

Carry Over
[AI] {Group} will via the list begin compiling scenarios to be used as potential use cases.
[AI] {Keith} will summarize naming discussion and make proposals to begin defining privilege, task, function, etc.
[AI] {Chris} will contact Minh to discuss the technology managing the user experience within Signet.
[AI] {Minh} will contact Shibboleth developers to discuss UI technology management.

*Participants*
Lynn McRae, Stanford University (Chair)
Jennifer Vine, Stanford University
Shelly Henderson, University of Southern California
Bob Morgan, University of Washington
Brendan Bellina, Notre Dame
Mark Jones, University of Texas - Houston
Andy Cohen, Stanford University
Andrea Beesing, Cornell University
Terrie Clark, Internet2 (scribe)
Steve Olshansky, Internet2
Ann West, EDUCAUSE/Internet2

*Discussion*

The CFP for early adopters has gone out. The published end date for responses is Friday, September 10, but there is flexibility.

What is the definition of an assignment in Signet? An assignment in Signet has two pieces. One is the grantee, or recipient, of the privileges. The other is a function. A function in Signet is one or more permissions that need to be sent together to make the granting of the privilege work. Everything else about the assignment (scope, limit values, etc.) can change over time; the grantee and function cannot. Otherwise, by definition, it is a new assignment. This is important because it is where institutional roles and privilege-based roles converge. An institutional role is something well defined within the enterprise, such as 'faculty'; it may pre-exist, and it is the target of privilege assignment. A privilege-based role is an ad hoc role defined by the individuals who share a certain kind of privilege. Apart from any qualifiers like limit or scope, if a kind of privilege exists, then it is an ad hoc role. An example from a financial system is an 'approver' who approves up to a certain dollar limit. Knowing that an individual is an approver is almost indistinguishable from knowing other kinds of institutional roles. An assignment to a privilege defines a function. An institutional role might be 'instructor'; it does not matter in what college or for what class. Signet will identify individuals who serve the institution as graders, thus creating an ad hoc role of grader that can be understood separately from the role of instructor. While all instructors are graders, not all graders are instructors. The grader function might have several permissions, such as access to files, login capability to the student administration system to input grades, etc. It is important to define an assignment in Signet as the association of an individual with a function, to define how that association is tracked through assignments in Signet, and to define how changes to it over time create a history of privileges.

The Signet application will avoid a situation where an individual with a parallel privilege can change the privileges of another individual. Permissions should not override each other; they should coexist. An individual using Signet will want to know the limits of each of his/her privileges. These types of privileges are difficult to collapse because they usually differ in other aspects, such as expiration date. Are we really focused on those kinds of limits that exist in a range? Looking at compression algorithms, one permission might be a subset of another, and the lesser permission might drop out. Only when interfacing with another system would Signet know to examine only the higher permission. Signet will also decide whether the more or the less restrictive amount should be used.

This becomes significant when looking at group usage. Does the group have permission to spend $1,000? Or $5,000? Does an individual have this permission from the group context, or from an individual context? The individual in this case has seemingly redundant assignments. An assignment won’t be blocked because of a similar assignment from a group. The Signet XML structure articulates, in separate sections, permissions granted from a direct assignment, a group assignment and a proxy assignment.

How does a local system request authorization information from Signet? By provisioning the eduPerson attribute manager, so that an LDAP lookup can resolve authorization requests. There are limits to the ability to completely probe systems for everything needed to make assignments. Signet’s logic can evaluate two assignments. Signet needs to know whether the permission being exercised is equivalent to or lesser than the assigned privilege. Perhaps Signet can perform a quick comparison after the assignments are made to see whether one is a subset of something else and whether the granting of the privilege should be interrupted.
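The assignment model discussed above (identity fixed by grantee and function, scope and limits that vary over time, direct/group/proxy sources kept separate, and the "is the exercised permission equivalent or lesser" check) is sketched here as an added illustration; it is not Signet code, and the sample people, the approver dollar limits and the grader course scope are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Assignment:
    grantee: str                      # recipient of the privilege
    function: str                     # bundle of permissions, e.g. "approver", "grader"
    source: str                       # "direct", "group" or "proxy", kept separate as in the Signet XML
    scope: Optional[str] = None       # e.g. a course or department; None means any scope (assumption)
    limits: dict = field(default_factory=dict)  # e.g. {"amount": 1000}; absent key means unbounded (assumption)

def same_assignment(a: Assignment, b: Assignment) -> bool:
    """An assignment is identified by (grantee, function); a changed scope or limit
    is a revision of the same assignment, not a new one."""
    return (a.grantee, a.function) == (b.grantee, b.function)

def covers(assigned: Assignment, scope: Optional[str], limits: dict) -> bool:
    """Is the permission being exercised equivalent to or lesser than the one assigned?"""
    if assigned.scope is not None and scope != assigned.scope:
        return False
    return all(assigned.limits.get(k) is None or v <= assigned.limits[k]
               for k, v in limits.items())

def is_subset(a: Assignment, b: Assignment) -> bool:
    """True when a lies wholly within b, a candidate for 'compression'. Only flags;
    the caller decides whether the lesser assignment should drop out."""
    return (same_assignment(a, b) and covers(b, a.scope, a.limits)
            and all(k in a.limits for k in b.limits))

def authorize(assignments, grantee, function, scope=None, limits=None) -> dict:
    """Evaluate direct, group and proxy assignments separately so a seemingly
    redundant group assignment neither blocks nor silently replaces a direct one."""
    limits = limits or {}
    return {src: any(a.grantee == grantee and a.function == function
                     and covers(a, scope, limits)
                     for a in assignments if a.source == src)
            for src in ("direct", "group", "proxy")}

# Constructed sample data, not taken from the meeting notes.
SAMPLE = [
    Assignment("alice", "approver", "direct", limits={"amount": 1000}),
    Assignment("alice", "approver", "group", limits={"amount": 5000}),  # via a finance group
    Assignment("bob", "instructor", "direct"),
    Assignment("bob", "grader", "direct", scope="cs101"),  # grader tracked as its own function
]

if __name__ == "__main__":
    print(authorize(SAMPLE, "alice", "approver", limits={"amount": 3000}))
    print(is_subset(SAMPLE[0], SAMPLE[1]))
```

Running it shows alice's $3,000 approval is covered only by the group assignment, while her $1,000 direct assignment is flagged as a subset of the group one without being dropped.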

The group will continue to probe whether or not a function in Signet has equivalent weight to the role an individual plays.

The next call is Friday, September 17, 2004 at 11:00AM ET.