From: RL 'Bob' Morgan <rlmorgan@washington.edu>
To: Signet Users <signet-users@internet2.edu>, Signet Dev <signet-dev@internet2.edu>
Subject: [signet-dev] change of direction for Signet project
Date: Tue, 21 Oct 2008 16:23:59 -0700
This note is to let everyone know about the status and direction of the
Signet project and product. This topic was discussed at the
Grouper/Signet BoF at the Internet2 Member Meeting last week.
The Signet project has been public since April 2004. During that time
lots of great work has been done in system design, development, project
management, collaboration, and outreach. Unfortunately, what has been
missing is adoption. Lots of sites have shown interest in Signet, and
tried it out in various ways, but we're not aware of any significant
production deployments. (If someone out there is using it in production,
please let us know!)
There are many possible reasons for this. Maybe privilege management as
an infrastructure service is not yet in scope for most university IT
organizations, so Signet is ahead of its time. Maybe those campuses that
are doing privilege management are more likely to add on to an existing
homegrown service than try a new product. Maybe potential adopters looked
at earlier versions of Signet that weren't ready for production and never
came back to it. Maybe the product is too complicated, or requires too
much work to try it out. Maybe it was a mistake to make Signet a separate
product from Grouper, which has had a number of large deployments in the
last year or two. Maybe Signet has just been missing the killer app whose
privilege problems it could solve.
In any case MACE and the Internet2 Middleware Initiative continue to
believe that privilege management is a core institutional service (and an
organizational service in the context of collaborative organizations and
COmanage) and that we need to find ways to support our community's
requirements for it. But we have to face the fact that Signet in its
current form seems not to be an effective vehicle for this at this time.
As folks have seen, our colleagues at Duke have led an effort to assess
current campus requirements for privilege management. While this is still
going on (and let me encourage folks to respond to the survey if they
haven't yet, you only get to complain if you vote! 8^) indications are
that sites are interested in approaches that can integrate easily and be
deployed incrementally along with all the existing stuff in campus
environments.
The specific change at this time is that the current funded Signet work
will continue through the end of this calendar year but not be renewed
after that. There is still discussion to be had about work to be done on
the product during that time to tie up loose ends. This work has been
supported by an NSF grant that is ending next year, hence there is some
urgency in making a change.
We'll be taking this opportunity to look at other approaches to meeting
people's needs, such as, for example, simple management of named
privileges as an extension to Grouper. We also know many sites are
interested in the new work such as Kuali Identity Management, and how that
will relate to enterprise services. There are other privilege management
systems out there that might have some advantages. For now we'll be
having these discussions under the Signet project banner, using the
existing signet mailing lists (primarily signet-dev) and conference calls.
I encourage those interested in this topic to participate, especially
those we've heard from already who said "I always assumed Signet would be
there when I got around to needing it some time." We agree that privilege
management needs to be in the toolkit, but we need to work on creating the
thriving community to make it so.
In the interest of accountability, let me note that the decision makers on
this (the "we" I mention above) are me, as chair of MACE, Ken
Klingenstein, as director of the Internet2 Middleware Initiative and
budget maven, and Tom Barton, project manager of the Grouper project.
Many others were involved in lots of discussions to get here, and I hope
they'll continue to participate.
- RL "Bob" Morgan