Versions Compared

Old Version 2

changes.mady.by.user Emily Eisbruch (internet2.edu)

Saved on

compared with

New Version 3

changes.mady.by.user Emily Eisbruch (internet2.edu)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Groups and Roles in CO Context

Comments included:

Wiki MarkupDefinitions:

  • A

...

  • group

...

  • is

...

  • a

...

  • collection

...

  • of

...

  • things.
  • Roles – a set of duties that go with a position

StevenC: In a permission system, groups are one of the things that can get mapped to roles

A position (job title) can also get mapped to a role

Benn: the COmanage development effort does not currently include the objective of doing something with roles. We need requirements before we deal with roles.
TomB: Grouper incorporates the NIST RBAC model   Roles -- a set of duties that go with a position StevenC: In a permission system, groups are one of the things that can get mapped to roles A position (job title) can also get mapped to a role Benn: the COmanage development effort does not currently include the objective of doing something with roles. We need requirements before we deal with roles. TomB: Grouper incorporates the NIST RBAC model   [http://csrc.nist.gov/groups/SNS/rbac/

] RBAC includes notions of role hierarchy and inheritance

Wiki Markup
 inheritance
 \[AI\] (Keith) will make sure that the COmanage glossary covers roles and groups accurately.

https://spaces.at.internet2.edu/display/COmanage/Glossary

Status Update (Benn)

  • Benn has added new items to COmanage JIRA https://bugs.internet2.edu/jira/browse/CO
  • A lot of the JIRA items resulted from the recent conversations with LIGO
  • Code is in SVN -- there is an anonymous SVN and an authenticated access SVN
  • The anonymous SVN may lag behind the authenticated SVN
  • The code corresponds to the demo running on Benn’s laptop
  • Will move the COmanage demo to the Internet2 servers soon
  • Benn is currently working on COmanage Gears (profile management)  
  • Focus is on getting institutional identity and correlating that with the CO identity.

Q: Keith: Does COmanage Gears currently rely on some implementation of registry and/or Grouper?

...

Question: Is what VOs need in the social identity area simpler or different from what brick and mortar institutions need?

Jim: it depends. At Penn State, we are bricks and mortar but spread over 24 location but we have a strong central identity, so can organize Penn State VOs without Shib. But at other institutions, it's possible that they need Shib to make the institution more amenable to cross-unit collaborations

StevenC stated that there are three categories of use cases driving the social identity discussion:

...

Push Vs Pull Issue Raised on International Collab Call of 3-March-2011

  • There  was discussion on the International Collab call of different collab management platforms
  • Leif said Comaange is a push platform, whereas other models are pulling info
  • This is set on the background of the Blakely article and idea that the future is pull, http://mms.businesswire.com/bwapps/mediaserver/ViewMedia?mgid=237020&vid=1
  • There may be some perception of traditional Enterprise IdM where there is a central repository of info that gets pushed out to other systems that the central enterprise can thereby control.
  • This perception is connected to central planning (push) and free market (pull)
  • There are not currently apps that support the pull model, so it's hard to imagine it working in the near future
  • An alternative for IdM folks is to offer an open service, but not sure how that relates to the VO scenarios
  • Leif was talking about applications that can dynamically generate a query during processing. A kind of late binding, not something that happens at logon time. No applications do that today.

What we do see now in attribute aggregation is this scenario (Steven has a working demo for GENI that does this):

  • I have a campus ID and I am a member of VO1
  • VO1 has a portal, that serves as a front end for a device I can use.
  • I login to the portal, using my campus ID,
  • The portal is configured to query VO1
  • VO1 provides info about my permissions.
  • The portal agregrates what the campus provided and what VO1 provided
  • That can be called reputation building.
  • Steven noted that in case of GENI work, we might spit out x509 certificates into GENI space from COmanage, so there will be a single root for the commands coming into the apps from COmanage.

But is having COmanage as a broker going to simplify the trust process for the application?

...