Child pages
  • Meeting Notes - 2008-10-23 at UCI

...

  • David Walker gave a short slide presentation (AuthZ-2008-10-23.ppt) and reviewed past meetings on this topic (Notes from the 3/30/2006 Identity Management Meeting at UCSD, Notes from the 6/8/2006 UCTrust Identity Management Meeting at UC Merced, and Notes from the 8/10/2006 UCTrust Meeting at UC Berkeley).
    • CO-Manage's implementation of Virtual Organizations (VO) might be a good model for shared applications within UCTrust.
    • It was noted that the word "role" is used in a number of different ways in this context, sometimes to indicate a person's purpose for or with the institution, and sometimes to indicate a grouping of permissions within an application (i.e., more of an entitlement in the eduPerson context). It was decided that "business role" and "application role" would be better terms for these. [Since the meeting, it has occurred to me that "job function" might be better than "business role." - DHW]
  • Curtis Bray reviewed permission management within Kuali Identity Manager (KIM).
    • Kuali's "roles" are more of the "application role" type.
  • The following goals were established for permission management:
    • Provisioning and de-provisioning
    • Business orientation
    • Audit and compliance
  • Identifying approval points for processes can help to structure business role definitions.
  • Greg Ackerman observed that UCIMC has seen that leaving authorization decisions to local administrators tends to grant more access than is needed, as doing so tends to reduce trouble calls.
  • UCIMC is addressing permission management to access medical images for HIPAA compliance.
  • UCLA permission management
  • Outcomes from the discussion of permission management:
    • It may be more appropriate to federate entitlements, rather than business roles, leaving the mapping of business roles to entitlements to the campuses.
    • We need multiple interfaces between applications and identity repositories, as Shibboleth functions only for the current user during a session.  We need a "back end" channel.
    • We should define a structure for UCTrust-wide groups.
    • Signet provides important functionality.  We will need it, or something like it, in the near future.

...