Directories Keith Hazelton, University of Wisconsin Brendan Bellina, University of Notre Dame Tom Barton, University of Chicago

Page 1

Directories

Keith Hazelton, University of Wisconsin

Brendan Bellina, University of Notre Dame

Tom Barton, University of Chicago

Page 2

Spring 2004 I2MM 2

Outline

localDomainPerson

International collaboration on person schema

Grouper

Selection of other threads

Page 3

Directories

The Local Domain Person Survey

Page 4

The Local Attribute Problem

Ongoing Development of inter-institutional standards

• eduPerson

• eduOrg

Application Requirements for Local Attributes/Information

Lack of standards/guidelines for Local Attributes

Page 5

The Local Domain Person Survey

Intentions:

• Use of the eduPerson oc (object class) and attributes

• Use of local oc and attributes for people

• Local attributes common to multiple applications

Distribute Survey

Analyze Responses

Publish Analysis and Responses

Publish Recommendations White Paper

Page 6

Local Domain Person Object Class Study

Initial draft to be included with Spring 2004 NMI-Release

A MACE-Dir effort (Middleware Architecture Committee for Education, Directories subgroup)

Analysis of results from 22 survey respondents

Page 7

Study Document Structure

Attribute Creation and Institutional Policy

Use of eduPerson and deviations

Use of Local Attributes and Object Classes

Page 8

Local Attribute Categories

Personal Characteristics

Contact Information

Student-Specific Information

Employee-Specific Information

Multi-Campus Information

Linkage Identifiers

Page 9

Local Attribute Categories

Entry Metadata

Security Attributes

Privacy Attributes

Authorization Information

Other Miscellaneous Attributes

Page 10

Study Document Structure cont.

Local Object Class Characteristics

Future Plans

Multiple-Use Local Attributes

Links to Survey Responses and other materials

Page 11

Next Steps

Release of Survey Study Draft – Spring 2004

Release of Survey Study Final and website – Summer 2004 (projected)

MACE-Dir Recommendations White Paper – Winter 2004 (projected)

Page 12

Directories

International Person Schema Coordination

Page 13

Int’l Collaboration on Schema

http://domen.uninett.no/~im/schema/ (Ingrid Melve)


Page 14

Int’l Collaboration on Schema Work Goals

Agreement on a list of interesting attributes

Common syntax and semantics across schema for some subset of attribute types

Proposed inclusion of some attributes in a standard schema

• eduPerson?

• Next release of X.520?

• Other candidates?

Processes for ongoing schema coordination

Even common syntax & semantics would boost interoperability in attribute mapping

Page 15

Int’l Collaboration on Schema: Affiliations, statuses, roles

Virtual organizations (as origin)

• swissEduPersonHomeOrganizationType: vlo

• RedIRIS: irisgridVoCode: bioinformatics

Entitlements (asserted by origin for target)

• eduPersonEntitlement: urn:mace:whatever

Page 16

Int’l Collaboration on Schema: Affiliations, statuses, roles

Attributes (asserted by federation rules, either local or global)

• norEduPersonLIN: HIO1234567890

• RedIRIS: attributes linking to a classification schema

• RedIRIS: catreCode: a01b02c03

Ticket mechanisms (federation, origin or target)

Page 17

Int’l Collaboration on Schema: Affiliations, statuses, roles

eduPersonAffiliation

eduPersonPrimaryAffiliation

manager

auEduPersonSubType

auEduPersonType

swissEduPersonHomeOrganizationType

swissEduPersonStudyLevel

RedIRIS: irisgridRole

Page 18

Int’l Collaboration on Schema: Affiliations, statuses, roles

funetEduPersonDegreeUniversity

funetEduPersonDegreePolytech

pleduPersonDegree

pleduPersonPosition

swissEduPersonHomeOrganizationType

swissEduPersonStudyLevel

RedIRIS: irisgridRole

Page 19

Int’l Collaboration on Schema: Persons as individuals

X.521 person: sn

RedIRIS: sn1, sn2

auEduPersonPreferredGivenName

auEduPersonPreferredSurname

auEduPersonSalutation

Page 20

Int’l Collaboration on Schema: Persons as individuals

funetEduPersonDateOfBirth

norEduPersonBirthDate

swissEduPersonDateOfBirth

swissEduPersonGender

nlEduPerson: gender

Page 21

Int’l Collaboration on Schema: Identifiers, foreign keys

Cultural variations in acceptability, scope of use

eduPersonPrincipalName

auEduPersonID

funetEduPersonStudentID

nl: employeeNumber

norEduPersonLIN

norEduPersonNIN

pleduPersonGId

pleduPersonLId

swissEduPersonUniqueID

RedIRIS: irisDnComp

Page 22

This is part of what federation implementation looks like

Agreements on information schema for:

Applications that need persistent identifiers

• For personalization, transcript, training records

Applications that base access control on attributes (affiliation, role, group within Os (organizations) and VOs)

Other info to support resource sharing across boundaries

Page 23

Directories

Grouper

Page 24

Some high-level identity management requirements

¡ authorization != authentication !

Muster information supporting …

• Per-application or resource access control policies

• Exceptions to those policies

• Identification of groups of collaborating peers

Common infrastructure to manage and provision requisite information

• Information resides in both databases & brains

• Many authoritative sources

• Group management is one aspect of this picture

Page 25

Grouper in Context

Page 26

Features in Grouper v1

Basic group management

Subgroups & compound groups

Aging of groups and memberships

Abstracted interfaces for

• Privileges

• Member Lookup

• Last Activity

Signet integration

Page 27

Privileges

CREATE group with specified name

VIEW group’s name in lists & can refer to group

READ basic information about a group

UPDATE membership and administer membership related privileges

ADMIN can modify everything, including group name, description, & privileges. Can delete the group.

OPTIN can add self to the members list

OPTOUT can remove self from the members list

Page 28

Default Privilege Interface

CREATE a group named stem:aString

• Granted by effective membership in a set of grouperCreator:… groups

• Hierarchical stems, hierarchical creation authority

• Managed through the API or UI

Other privileges are each granted by effective membership in a list associated with each group

• viewers, readers, updaters, admins, optins, optouts

• Also managed through the API or UI

Page 29

Examples

Personal

• personal-tbarton:myFriends

– admins: tbarton

• personal-tbarton:myTrueFriends

– admins: tbarton

– optouts: personal-tbarton:myTrueFriends

Administrative

• uofc-bsd:xyz-project-team

– updaters: uofc-bsd-bsdis:enterpriseAdmins

Page 30

Examples

Administrative

• uofc-bsd-obgyn:staff

– updaters: uofc-bsd-obgyn:techsupport

– viewers: uofc-bsd:staff, uofc-hospital:staff

• student:owesUsTooMuchMoney

– readers: uofc-nsit:services

• uofc-nsit:netsec-sig

– optins: uofc:uofc

– optouts: uofc-nsit:netsec-sig

– readers: uofc-nsit:netsec-sig
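The two Examples pages only become concrete once you see how the per-group lists and the grouperCreator groups are resolved. The following Python is an added illustration, not Grouper's own code and not from the slides: it models the default privilege interface (CREATE via grouperCreator groups over hierarchical stems, every other privilege via a per-group list resolved by effective membership) and loads the example groups exactly as listed. Everything not on the slides is an assumption made for the demo: the subject ids (alice, bob, carol, dave, erin), the members of the base groups, the two grouperCreator groups, the hyphen-nested stem hierarchy (uofc-bsd is an ancestor of uofc-bsd-obgyn), and the rule that ADMIN implies VIEW, READ and UPDATE but not OPTIN or OPTOUT.

```python
"""Toy model of the Grouper v1 default privilege interface on these slides.
Constructed illustration, not Grouper's own code."""
from __future__ import annotations

from dataclasses import dataclass, field

# The six per-group privilege lists named on the "Default Privilege Interface" slide.
PRIVILEGE_LISTS = ("viewers", "readers", "updaters", "admins", "optins", "optouts")
LIST_FOR = {"VIEW": "viewers", "READ": "readers", "UPDATE": "updaters",
            "ADMIN": "admins", "OPTIN": "optins", "OPTOUT": "optouts"}
# Assumption: ADMIN "can modify everything", so it implies VIEW/READ/UPDATE (not OPTIN/OPTOUT).
IMPLIED_BY_ADMIN = {"VIEW", "READ", "UPDATE", "ADMIN"}


@dataclass
class Group:
    name: str                      # "stem:extension", e.g. "uofc-bsd-obgyn:staff"
    members: set[str] = field(default_factory=set)
    lists: dict[str, set[str]] = field(
        default_factory=lambda: {p: set() for p in PRIVILEGE_LISTS})


class Registry:
    """Entries in members or privilege lists are subject ids or names of other groups.
    Assumption: subject ids never collide with group names, so a registered group name
    found in a list is expanded as a nested group (effective membership)."""

    def __init__(self, stem_sep: str = "-") -> None:
        self.groups: dict[str, Group] = {}
        self.stem_sep = stem_sep   # assumption: stems nest by hyphen (uofc-bsd -> uofc-bsd-obgyn)

    def add(self, name: str, members=(), **lists) -> Group:
        g = Group(name, set(members))
        for lst, entries in lists.items():
            assert lst in PRIVILEGE_LISTS, lst
            g.lists[lst] = set(entries)
        self.groups[name] = g
        return g

    def _expand(self, entries, seen: set[str]) -> set[str]:
        """Flatten entries to subjects, following nested groups; cycle-safe."""
        out: set[str] = set()
        for e in entries:
            if e not in self.groups:
                out.add(e)
            elif e not in seen:
                seen.add(e)
                out |= self._expand(self.groups[e].members, seen)
        return out

    def effective_members(self, group_name: str) -> set[str]:
        return self._expand(self.groups[group_name].members, set())

    def has_privilege(self, subject: str, group_name: str, priv: str) -> bool:
        lists = self.groups[group_name].lists
        if priv in IMPLIED_BY_ADMIN and subject in self._expand(lists["admins"], set()):
            return True
        return subject in self._expand(lists[LIST_FOR[priv]], set())

    def can_create(self, subject: str, new_name: str) -> bool:
        """CREATE stem:aString: effective membership in grouperCreator:<stem> for the stem
        itself or any ancestor stem (hierarchical creation authority)."""
        parts = new_name.rsplit(":", 1)[0].split(self.stem_sep)
        for depth in range(len(parts), 0, -1):
            creator = "grouperCreator:" + self.stem_sep.join(parts[:depth])
            if creator in self.groups and subject in self.effective_members(creator):
                return True
        return False

    def opt_in(self, subject: str, group_name: str) -> None:
        if not self.has_privilege(subject, group_name, "OPTIN"):
            raise PermissionError(f"{subject} lacks OPTIN on {group_name}")
        self.groups[group_name].members.add(subject)

    def opt_out(self, subject: str, group_name: str) -> None:
        if not self.has_privilege(subject, group_name, "OPTOUT"):
            raise PermissionError(f"{subject} lacks OPTOUT on {group_name}")
        self.groups[group_name].members.discard(subject)


def build_example() -> Registry:
    """The groups from the two Examples slides; subjects, base memberships and the
    grouperCreator groups are constructed for the demo."""
    r = Registry()
    r.add("uofc:uofc", members={"tbarton", "alice", "bob"})      # constructed: everyone
    r.add("uofc-nsit:services", members={"alice"})
    r.add("uofc-bsd-bsdis:enterpriseAdmins", members={"bob"})
    r.add("uofc-bsd-obgyn:techsupport", members={"carol"})
    r.add("uofc-bsd:staff", members={"carol", "dave"})
    r.add("uofc-hospital:staff", members={"erin"})
    r.add("grouperCreator:personal-tbarton", members={"tbarton"})
    r.add("grouperCreator:uofc-bsd", members={"bob"})
    # Groups and privilege lists as listed on the slides:
    r.add("personal-tbarton:myFriends", admins={"tbarton"})
    r.add("personal-tbarton:myTrueFriends", members={"alice"}, admins={"tbarton"},
          optouts={"personal-tbarton:myTrueFriends"})       # members may remove themselves
    r.add("uofc-bsd:xyz-project-team", updaters={"uofc-bsd-bsdis:enterpriseAdmins"})
    r.add("uofc-bsd-obgyn:staff", updaters={"uofc-bsd-obgyn:techsupport"},
          viewers={"uofc-bsd:staff", "uofc-hospital:staff"})
    r.add("student:owesUsTooMuchMoney", readers={"uofc-nsit:services"})
    r.add("uofc-nsit:netsec-sig", optins={"uofc:uofc"},
          optouts={"uofc-nsit:netsec-sig"}, readers={"uofc-nsit:netsec-sig"})
    return r
```

Two points worth noticing when you run it: a group may name itself in its own optouts or readers list (uofc-nsit:netsec-sig does both), which is how "members can leave" and "only members can read the roster" are expressed without any special casing; and the hierarchical creator lookup means a grouperCreator group for uofc-bsd also covers uofc-bsd-obgyn, so creation authority should be granted at the narrowest stem that actually needs it.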

Page 31

Grouper roadmap

3 phases of Grouper v1 development

1. Basic management and export functions

2. Compound groups

3. Aging of groups and memberships

Deliverables

• Java API, UI, sample batch import/export scripts, documentation

• Some type of prototype demo at AuthZ CAMP

Contributed elements sought

• Provisioning connectors (especially LDAP & AD)

• LDAP Member Lookup Interface

Page 32

Other Threads

eduPerson & eduOrg

• Added eduPersonScopedAffiliation

• Associated LDIF tweaks & fixes

• Registered eduPersonTargetedID

• “Everything eduPerson” – it’s not just an object class anymore

Attribute registries

• eduPerson* on http://middleware.internet2.edu

• Peter Gietz’s at http://www.daasi.de/services/SchemaReg/

Page 33

Other Threads

Email address as identifier

Character set issues & policies

Top level entity types in directories

Representing organizational structures in directories

What is “LDAP compliance”?
