CAMP: Practical Building Blocks for Access Management,
June 15-17, Philadelphia
Day 1 (15-June-2009)
Welcome and Introductions
* Thomas J. Barton, Senior Director for Integration, University of Chicago
Access Management Building Blocks
* Tom Dopirak, Senior Consulting IT Architect, Carnegie Mellon University
Q: What are the different terminologies in this access management space?
A: There are different vocabularies for policy and for software. XACML has a terminology, Kerberos has a terminology, Active Directory has a terminology. The MACE-paccman working group wiki has a comparison between XACML and Signet and is hoping to build more terminology mappings in the glossary.
Q: How should we handle scalability issues that arise when role-based access management is embedded in the application?
A: That's a problem. If you build a wonderful access management program and it can't interact with the applications, that's also a problem. Ways of doing application integration will change as new technologies come into view.
Categorizing Access Management Challenges (slides)
* Rob Carter, Consultant, IT, Duke University
* Scott Fullerton, Sr IT Architect, University of Wisconsin-Madison
Q: Thinking in terms of an application a campus might buy, how do you hook it up? Who has what role? What questions should we ask vendors?
A: When we are looking at implementations, think in terms of what IdM info we have available and what the applications will want to consume. Also, ask to what extent the potential application meshes with business processes you have in place, and if it does not mesh, how the data supports the new business process it's forcing on you.
Q: How to handle a very complicated workflow, with many roles, ranks, schools, etc.?
A: Try to figure out if there are groupings that can be more broadly provisioned.
Discussion and Lightning Rounds: What are Your Use Cases?
* Moderator: Tom Barton
* Cal Racey, Newcastle University
Access Controlling Online Resources -- Wikis, Lecture capture, Room Booking
* Michael McDermott, Brown University
Security Faculty Information Systems
* David Langenberg, University of Chicago
Quarterly Instructor Access, Student testing
* Jimmy Vuccolo, Pennsylvania State University
Financial Workflows
* Liz Salley, University of Michigan
Organizations as Subjects
* Jim Beard, University of Oregon
Thorns in Password Reset
Day 2 (16-June-2009)
Describing the Solution Patterns and Real World Examples
* Liz Salley (Moderator), Steven Carmody, Caleb Racey, Tom Barton
Discussion and Lightning Rounds: Testing the Solution Patterns
* Moderator: Tom Barton
* Jean Marie Thia, University Pierre et Marie Curie
Shibboleth attributes for SharePoint
* Paul Hill, MIT
perMIT (notes)
* Cal Racey, Newcastle University
Access control with Shibboleth and Grouper. How to populate identity stores.
* David Bantz, University of Alaska
Organizational hierarchy & the phone book
* Luca Fillipozzi, University of British Columbia
A physical access management solution
* Astrid Fingerhut, University of Chicago
Trusted Agent program
Environmental Scan - What Technology Tools Work (and Don't Work)?
* Moderator: Tom Barton, Panel: Bill Kasenchar, Laura Hunter, Bob Bailey
Environmental Scan - What Policy and Process Approaches Work (and Don't Work)?
* Moderator: Liz Salley, Panel: Andrea Beesing, Renee Shuey
U-M Slides and Intro (Liz Salley)
Cornell Slides (Andrea Beesing)
Penn State Slides (Renee Shuey)
Bringing the Workshop Home: Applying Your Knowledge to Your Access Management Challenges
BREAKOUT: Providing Input to perMIT and Grouper projects notes
BREAKOUT: Hierarchy notes
BREAKOUT: Implementation notes
BREAKOUT: Use Cases notes
Day 3 (17-June-2009)
Lightning Rounds of Use Cases, Solutions Integration, and Related Topics
* Moderator: Jens Hauesser
* Chris Hyzer, University of Pennsylvania
Grouper Future Features, slides
* Kent Fong, University of British Columbia
UBC's IdM program
(notes)
* Jim Beard, University of Oregon
IdM Implementation from the Rear View Mirror
Looking Forward
* Moderator: Liz Salley, Panel: Ken Klingenstein, Tom Dopirak, Michael McDermott, Bob Bailey
Q: We spent time in lightning rounds talking about use cases and solution patterns and trying to build that into a design pattern library. What would you like to see as next steps for making some of that happen?
A: Clear writing and scribing of those use cases and patterns, and recipes for how they might be implemented, is really helpful to a lot of people in understanding how to approach the space in different ways.
Q: Why shouldn't we look at open source as being as viable as a proprietary solution?
A: Issues deterring people from open source solutions include desire for a support contract, desire for "someone to yell at" if things go wrong, need to have folks on your team who can modify it, and worries about scalability.
Comment: It can be possible to get a support contract for open source, such as with Debian or OpenLDAP.
Next Steps and Continuing the Conversation
Buddy Groups were formed for ongoing consultation and support with access management issues.
Feedback and Suggestions for Future CAMPs
- Looking at use cases and solution patterns was helpful. It's important to continue the approach.
- Would be nice to have more breakout session opportunities.
- At future CAMPs, it would be good to facilitate a dinner out, where people can go to a certain restaurant and chat about a certain topic of common interest.