**Signet Call 7-Nov-08**

**Attending**

Mike Olive, Stanford (chair)
Dave Donnelly, Stanford
Chris Hyzer, U. Penn
Rob Carter, Duke
Michael Gettes, MIT
Datta Mahabalagiri, UCLA
Warren Leung, UCLA
RL "Bob" Morgan, U. Washington
Tom Barton, U. Chicago
Renee Frost, Internet2
Steve Olshansky, Internet2
Emily Eisbruch, Internet2 (scribe)

**New Action Items**

[AI] (Bob) will take the next steps to establish a new discussion venue for privilege management directions.

[AI] (TomB) will create a straw man on privilege management requirements.

**Carry Over Action Items**

[AI] Dave and Mike will focus on these priorities in wrapping up the current phase of Signet:

- web services interface (RESTful style)
- hooks and plug-ins example
- knowledge sharing with the Grouper and COmanage teams
- integration with EDDY

**Discussion**

- Privilege Management Survey

Rob reported that the privilege management survey was emailed to the Educause IdM list with a stated deadline of December 15, 2008. There have already been some responses.
https://wiki.internet2.edu/confluence/display/SignetWG/Privilege+Management+Survey

- New Venue for Privilege Management Discussion

It was suggested on a recent MACE call that a new venue -- not associated with the Signet product -- be established for discussion of authorization and privilege management issues. There was general agreement that this is a good idea.

[AI] (Bob) will take the next steps to establish a new discussion venue for privilege management directions.

- Discussion of Possible Future Directions

Advantages and disadvantages were discussed of implementing privilege management as a layer on top of Grouper.

Chris supported adding some privilege management capabilities into Grouper. A possible approach would be to allow attributes -- representing privileges or authority level -- to be attached to Grouper stems, groups, members, memberships, and other attributes.

Chris noted that this approach could handle the privilege management use case at Penn.
https://mail.internet2.edu/wws/arc/signet-dev/2008-10/msg00007.html

Chris also remarked that ease and speed of implementation, ease of adoption and use could be increased if privilege management is integrated with Grouper.

Michael expressed concern that things become muddled if we talk about Grouper and privilege management together. Michael opposes the approach of layering privilege management on top of Grouper as a primary direction for addressing privilege management within MACE. It still could make sense to incorporate some privilege management capabilities into Grouper, if this is needed to make Grouper more viable. Michael noted that ERPs need privilege management but don't use groups.

TomB and Chris noted that if Grouper is used for privilege management, a group of one could be created internally to assign privileges to individuals.

TomB stated that he plans to write up a functional specification of capabilities.
[AI] (TomB) will create a straw man on privilege management requirements.

Bob mentioned the goal of working in some coordination with the KIM (Kuali Identity Mgmt.) project. https://test.kuali.org/confluence/display/KULRICE/KIM+Overview

Bob observed that much privilege management involves organizational scope structures and designations. Some of the structures are closely related to how privileges are assigned and evaluated, but are potentially independent systems.

TomB noted that there is no way to cram everything from privilege management into Grouper. But there is a need to manage privileges, even when individually assigned, and having groups available can be a value. The ability to assign a privilege to a group is an obvious functional requirement.

Tom and Michael agreed that terminology is important in how things are perceived.

MikeO mentioned the advantages of getting application developers to go to LDAP to get privilege data. Regardless of whether privilege management is in Signet or in a roles database, if privileges are written to one external location, then it’s a single place to go to.

- Stanford Plans for Privilege Management

MikeO received confirmation that in April of next year Stanford will move ahead with replacing the current authority system engine with a Signet engine. They will be porting the UI on top of the Signet engine.

Emily Eisbruch, Technology Transfer Analyst
Internet2
emily@internet2.edu