...
- David Walker gave a short slide presentation (AuthZ-2008-10-23.ppt) and reviewed past meetings on this topic (Notes from the 3/30/2006 Identity Management Meeting at UCSD, Notes from the 6/8/2006 UCTrust Identity Management Meeting at UC Merced, and Notes from the 8/10/2006 UCTrust Meeting at UC Berkeley).
  - CO-Manage's implementation of Virtual Organizations (VO) might be a good model for shared applications within UCTrust.
  - It was noted that the word "role" is used in a number of different ways in this context, sometimes to indicate a person's purpose for or with the institution, and sometimes to indicate a grouping of permissions within an application (_i.e._, more of an entitlement in the eduPerson context). It was decided that "business role" and "application role" would be better terms for these. [Since the meeting, it has occurred to me that "job function" might be better than "business role." - DHW]
- Curtis Bray reviewed permission management within Kuali Identity Manager (KIM).
  - Kuali's "roles" are more of the "application role" type.
  - The following goals were established for permission management:
    - Provisioning and de-provisioning
    - Business orientation
    - Audit and compliance
  - Identifying approval points for processes can help to structure business role definitions.
- Greg Ackerman observed that UCIMC has seen that leaving authorization decisions to local administrators tends to grant more access than is needed, as doing so tends to reduce trouble calls.
  - UCIMC is addressing permission management for access to medical images for HIPAA compliance.
- UCLA permission management
  - Albert Wu presented a few scenarios for permission management (Managing Groups and Roles for a VO in Multiple Collaboration Tools, ManageRolesWithGrouperShibboleth, User-Select Attribute Release, and Provisioning Access Using Shibboleth-delivered Role Data).
  - UCLA sees Signet (or something like Signet) as important for applications that require central auditability. Otherwise, global groups with distributed administration within departments will suffice.
- Outcomes from the discussion of permission management:
  - It may be more appropriate to federate entitlements, rather than business roles, leaving the mapping of business roles to entitlements to the campuses.
  - We need multiple interfaces between applications and identity repositories, as Shibboleth functions only for the current user during a session. We need a "back end" channel.
  - We should define a structure for UCTrust-wide groups.
  - Signet provides important functionality. We will need it, or something like it, in the near future.
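As an added illustration (not from the meeting or any UCTrust project) of the "federate entitlements, not business roles" outcome and the business-role/application-role distinction above: the campus keeps the table from job functions to eduPersonEntitlement values, the application only ever sees the entitlement URNs released in the SAML assertion and maps those onto its own application roles (named permission sets). The `urn:mace:example.edu:...` values, the role names, the permission strings and the sample assertion are all constructed; the eduPersonEntitlement OID and SAML 2.0 namespace are the real ones.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
EDUPERSON_ENTITLEMENT = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"  # eduPersonEntitlement
VIEW = "urn:mace:example.edu:entitlement:imaging:view"       # constructed values
ADMIN = "urn:mace:example.edu:entitlement:imaging:admin"

# Campus side: business roles (job functions) -> entitlements. Only the campus
# holds this table; changing it never requires a change in the application.
CAMPUS_ROLE_ENTITLEMENTS = {
    "Radiologist": {VIEW},
    "PACS Administrator": {VIEW, ADMIN},
}

def campus_entitlements(business_roles):
    """Entitlements the campus IdP would release for these business roles."""
    released = set()
    for role in business_roles:
        released |= CAMPUS_ROLE_ENTITLEMENTS.get(role, set())  # unknown role -> nothing
    return released

def released_entitlements(assertion_xml):
    """Pull eduPersonEntitlement values out of a SAML 2.0 assertion, as an SP sees it."""
    root = ET.fromstring(assertion_xml)
    values = set()
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        if attr.get("Name") == EDUPERSON_ENTITLEMENT:
            values |= {v.text.strip() for v in attr.findall(f"{{{SAML}}}AttributeValue") if v.text}
    return values

# Application side: application roles are named permission sets; each entitlement
# the application recognises maps onto one of them.
APP_ROLES = {"viewer": {"image:read"},
             "admin": {"image:read", "image:delete", "audit:read"}}
ENTITLEMENT_TO_APP_ROLE = {VIEW: "viewer", ADMIN: "admin"}

def permissions_for(entitlements):
    """Unrecognised entitlements confer nothing, so the check fails closed."""
    roles = {ENTITLEMENT_TO_APP_ROLE[e] for e in entitlements if e in ENTITLEMENT_TO_APP_ROLE}
    return set().union(*(APP_ROLES[r] for r in roles))

def is_authorized(assertion_xml, action):
    return action in permissions_for(released_entitlements(assertion_xml))

# Constructed assertion fragment carrying one recognised and one unrelated entitlement.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}"><saml:AttributeStatement>
<saml:Attribute Name="{EDUPERSON_ENTITLEMENT}">
<saml:AttributeValue>{VIEW}</saml:AttributeValue>
<saml:AttributeValue>urn:mace:example.edu:entitlement:unrelated</saml:AttributeValue>
</saml:Attribute></saml:AttributeStatement></saml:Assertion>"""
```

Note that this covers only the per-session, front-channel path Shibboleth delivers; provisioning that has to happen without the user present still needs the separate "back end" channel the outcomes call for.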
...