Access Management Team Meeting Minutes
Date: 10/24/2011
Attendees:
Person | Attended |
---|---|
Tom Barton | |
Jacob Farmer | |
Scott Gibson | |
Chris Hyzer | |
Jimmy Vuccolo | |
Agenda
1. Note taker, agenda bash
2. AI review
(not done) AI: Scott to add the Kuali requirements to the wikispace.
(not done) AI: Jimmy to review the PACCMAN use cases to determine if there are any relevant requirements.
3. Go through requirements (& use cases) and indicate whether grouper/KIM meets each
4. Take first stab at scope of work stream proposal
5. Else
Tom
NOTES
Grouper/Rice requirement support
- GRP_0100 PSU The groups system shall support the establishment and maintenance of standing groups based on data from System(s) of Record (SoR).
  - Grouper supports this from the SQL loader
  - Rice allows implementers to implement the Group service interface to make a SQL call with Java
- GRP_0120 PSU The groups system shall provide a distributed and delegated groups management function. (Requires deep namespace)
  - Rice allows group permissions, but not distributed delegation where you do not need to contact central IT
- GRP_0140 PSU The groups system shall support the publishing of groups information to other systems (LDAP, Active Directory, and so on).
  - Grouper has LDAPPCNG to provision group/permission information
- GRP_0160 PSU The groups system shall support the construction of dynamic groups.
  - Grouper has the grouperLoader to load groups from LDAP
  - Rice allows implementers to implement the Role service interface to make a JNDI call with Java
- GRP_0200 PSU The groups system shall provide an auditing facility for all changes to groups/memberships.
  - Grouper has user auditing and point in time auditing
  - Rice has workflow auditing (similar to user auditing)
- GRP_0210 PSU The groups system shall provide a notification facility that users/systems can subscribe to for group changes.
  - Grouper allows rules to send email notifications, or the change log sends system events / XMPP
- GRP_0230 PSU The groups system shall support the construction of a group from the members of other group(s) (group math).
  - Grouper has intersection and minus
- ROL_0110 PSU The roles system shall support three types of roles: basic, assigner (assigns users to roles) and stewards (assigns assigners to roles).
  - Rice: if you can edit the role, then you can edit the membership. If you have permissions on the namespace to be a role steward, you can assign people to be editors.
- ROL_0150 PSU The roles system shall support permissions and/or limits associated with a role.
  - Grouper supports permissions and limits
  - Rice has qualifiers to put on permissions. To evaluate limits, you can implement a Java interface to make decisions on limits
- ROL_0180 PSU The roles system shall support a hierarchy of roles, which enables the reuse of roles.
  - Grouper allows Role inheritance, Rice allows Roles to be assigned to Roles