Directories
Keith Hazelton, University of Wisconsin
Brendan Bellina, University of Notre Dame
Tom Barton, University of Chicago
Spring 2004 I2MM 2
Outline
localDomainPerson
International collaboration on person schema
Grouper
Selection of other threads
Directories: The Local Domain Person Survey
The Local Attribute Problem
Ongoing Development of inter-institutional standards
• eduPerson
• eduOrg
Application Requirements for Local Attributes/Information
Lack of standards/guidelines for Local Attributes
The Local Domain Person Survey
Intentions:
• Use of the eduPerson object class and attributes
• Use of local object classes and attributes for people
• Local attributes common to multiple applications
Distribute Survey
Analyze Responses
Publish Analysis and Responses
Publish Recommendations White Paper
Local Domain Person Object Class Study
Initial draft to be included with Spring 2004 NMI-Release
A MACE-Dir effort (MACE is the Middleware Architecture Committee for Education; MACE-Dir is its directories subgroup)
Analysis of results from 22 survey respondents
Study Document Structure
Attribute Creation and Institutional Policy
Use of eduPerson and deviations
Use of Local Attributes and Object Classes
Local Attribute Categories
Personal Characteristics
Contact Information
Student-Specific Information
Employee-Specific Information
Multi-Campus Information
Linkage Identifiers
Local Attribute Categories
Entry Metadata
Security Attributes
Privacy Attributes
Authorization Information
Other Miscellaneous Attributes
Study Document Structure cont.
Local Object Class Characteristics
Future Plans
Multiple-Use Local Attributes
Links to Survey Responses and other materials
Next Steps
Release of Survey Study Draft – Spring 2004
Release of Survey Study Final and website – Summer 2004 (projected)
MACE-Dir Recommendations White Paper – Winter 2004 (projected)
Directories: International Person Schema Coordination
Int’l Collaboration on Schema
http://domen.uninett.no/~im/schema/ (Ingrid Melve)
Int’l Collaboration on Schema Work Goals
Agreement on a list of interesting attributes
Common syntax and semantics across schema for some subset of attribute types
Proposed inclusion of some attributes in a standard schema
• eduPerson?
• Next release of X.520?
• Other candidates?
Processes for ongoing schema coordination
Even common syntax & semantics would boost interoperability in attribute mapping
Int’l Collaboration on Schema: Affiliations, statuses, roles
Virtual organizations (as origin)
• swissEduPersonHomeOrganizationType: vlo
• RedIRIS: irisgridVoCode: bioinformatics
Entitlements (asserted by origin for target)
• eduPersonEntitlement: urn:mace:whatever
Int’l Collaboration on Schema Affiliations, statuses, roles
Attributes (asserted by federation rules, either local or global)
• norEduPersonLIN: HIO1234567890
• RedIRIS: attributes linking to a classification schema
• RedIRIS: catreCode: a01b02c03
Ticket mechanisms (federation, origin or target)
Int’l Collaboration on Schema Affiliations, statuses, roles
eduPersonAffiliation
eduPersonPrimaryAffiliation
manager
auEduPersonSubType
auEduPersonType
swissEduPersonHomeOrganizationType
swissEduPersonStudyLevel
RedIRIS: irisgridRole
Int’l Collaboration on Schema Affiliations, statuses, roles
funetEduPersonDegreeUniversity
funetEduPersonDegreePolytech
pleduPersonDegree
pleduPersonPosition
swissEduPersonHomeOrganizationType
swissEduPersonStudyLevel
RedIRIS: irisgridRole
Int’l Collaboration on Schema Persons as individuals
X.521 person: sn
RedIRIS: sn1, sn2
auEduPersonPreferredGivenName
auEduPersonPreferredSurname
auEduPersonSalutation
Int’l Collaboration on Schema Persons as individuals
funetEduPersonDateOfBirth
norEduPersonBirthDate
swissEduPersonDateOfBirth
swissEduPersonGender
nlEduPerson: gender
Int’l Collaboration on Schema Identifiers, foreign keys
Cultural variations in acceptability and scope of use
eduPersonPrincipalName
auEduPersonID
funetEduPersonStudentID
nl: employeeNumber
norEduPersonLIN
norEduPersonNIN
pleduPersonGId
pleduPersonLId
swissEduPersonUniqueID
RedIRIS: irisDnComp
This is part of what federation implementation looks like
Agreements on information schema for:
Applications that need persistent identifiers
• For personalization, transcripts, training records
Applications that base access control on attributes (affiliation, role, group membership within organizations and VOs)
Other information to support resource sharing across boundaries
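The second of those application classes, access control driven by asserted attributes, is where a target must check not only the attribute values but who asserted them. The following is an added example (not code from the slides, from Shibboleth or from the eduPerson specification) of a target-side decision over eduPersonScopedAffiliation and eduPersonEntitlement. The Policy shape, the function names, the origin-to-scope table standing in for federation metadata, the entitlement URI under urn:mace: and every attribute set are constructed for illustration; the affiliation vocabulary is the one eduPerson defined for eduPersonAffiliation at the time. The scope check is the security-relevant step: an origin is only believed for scopes the federation says it may assert.

```python
"""Attribute-based access decision at a federated target (added example).

Not code from the slides, Shibboleth or eduPerson. The policy shape, function
names, origin-to-scope table, entitlement URI and sample attribute sets are
constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Values eduPerson defines for eduPersonAffiliation (2003 vocabulary).
AFFILIATIONS = frozenset(
    {"faculty", "student", "staff", "alum", "member", "affiliate", "employee"})

# eduPersonScopedAffiliation is affiliation@scope, e.g. "student@uchicago.edu".
SCOPED_RE = re.compile(r"^([A-Za-z-]+)@([A-Za-z0-9.-]+)$")

# Constructed stand-in for federation metadata: the scopes each origin
# (identity provider) is authorised to assert.
ORIGIN_SCOPES: dict[str, frozenset[str]] = {
    "idp.uchicago.edu": frozenset({"uchicago.edu"}),
    "idp.wisc.edu": frozenset({"wisc.edu"}),
}


@dataclass(frozen=True)
class Policy:
    """Grant if any valid scoped affiliation is in affiliations x scopes,
    or the origin asserts one of the listed entitlement URIs."""
    affiliations: frozenset[str]
    scopes: frozenset[str]
    entitlements: frozenset[str]


def valid_scoped_affiliations(origin: str, values) -> list[tuple[str, str]]:
    """Keep only well-formed values with a defined affiliation whose scope
    the asserting origin may speak for. "faculty@otherschool.edu" from an
    origin that does not own otherschool.edu is dropped, not trusted."""
    allowed = ORIGIN_SCOPES.get(origin, frozenset())
    pairs: list[tuple[str, str]] = []
    for v in values:
        m = SCOPED_RE.match(v)
        if not m:
            continue
        aff, scope = m.group(1).lower(), m.group(2).lower()
        if aff in AFFILIATIONS and scope in allowed:
            pairs.append((aff, scope))
    return pairs


def decide(policy: Policy, origin: str, attrs: dict) -> tuple[bool, str]:
    """Return (granted, reason). `attrs` maps attribute name -> list of
    values as released by the origin for this target."""
    if origin not in ORIGIN_SCOPES:
        return False, "origin not in federation metadata"
    for aff, scope in valid_scoped_affiliations(
            origin, attrs.get("eduPersonScopedAffiliation", [])):
        if aff in policy.affiliations and scope in policy.scopes:
            return True, f"affiliation {aff}@{scope}"
    for ent in attrs.get("eduPersonEntitlement", []):
        if ent in policy.entitlements:
            return True, f"entitlement {ent}"
    return False, "no matching affiliation or entitlement"


# Constructed policy for a shared resource: faculty, staff or students of two
# member institutions, or anyone holding the (made-up) VO entitlement.
SHARED_RESOURCE = Policy(
    affiliations=frozenset({"faculty", "staff", "student"}),
    scopes=frozenset({"uchicago.edu", "wisc.edu"}),
    entitlements=frozenset({"urn:mace:example.org:vo:bioinformatics"}),
)
```

Note the order of checks: the origin must be known at all before any value is read, the scope filter runs before the policy match, and the entitlement branch accepts an opaque URI without reinterpreting it, which is what makes an entitlement a statement "asserted by origin for target" rather than something the target reconstructs.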
Directories: Grouper
Some high-level identity management requirements
authorization != authentication!
Muster information supporting …
• Per-application or resource access control policies
• Exceptions to those policies
• Identification of groups of collaborating peers
Common infrastructure to manage and provision requisite information
• Information resides in both databases & brains
• Many authoritative sources
• Group management is one aspect of this picture
Grouper in Context
Features in Grouper v1
Basic group management
Subgroups & compound groups
Aging of groups and memberships
Abstracted interfaces for
• Privileges
• Member Lookup
• Last Activity
Signet integration
Privileges
CREATE group with specified name
VIEW group’s name in lists & can refer to group
READ basic information about a group
UPDATE membership and administer membership related privileges
ADMIN can modify everything, including group name, description, & privileges. Can delete the group.
OPTIN can add self to the members list
OPTOUT can remove self from the members list
Default Privilege Interface
CREATE a group named stem:aString
• Granted by effective membership in a set of grouperCreator:… groups
• Hierarchical stems, hierarchical creation authority
• Managed through the API or UI
Other privileges are each granted by effective membership in a list associated with each group
• viewers, readers, updaters, admins, optins, optouts
• Also managed through the API or UI
Examples
Personal
• personal-tbarton:myFriends
  – admins: tbarton
• personal-tbarton:myTrueFriends
  – admins: tbarton
  – optouts: personal-tbarton:myTrueFriends
Administrative
• uofc-bsd:xyz-project-team
  – updaters: uofc-bsd-bsdis:enterpriseAdmins
Examples
Administrative
• uofc-bsd-obgyn:staff
  – updaters: uofc-bsd-obgyn:techsupport
  – viewers: uofc-bsd:staff, uofc-hospital:staff
• student:owesUsTooMuchMoney
  – readers: uofc-nsit:services
• uofc-nsit:netsec-sig
  – optins: uofc:uofc
  – optouts: uofc-nsit:netsec-sig
  – readers: uofc-nsit:netsec-sig
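The privilege model from the preceding slides (one list per privilege on each group, effective membership resolved through subgroups, opt-in and opt-out, and CREATE granted by grouperCreator groups keyed on the stem), worked through in Python as an added example. This is not Grouper's own code: the class and function names, the subject ids, and the reading of "hierarchical creation authority" as authority over a stem covering every stem beneath it are assumptions; the group names and their privilege lists are those on the example slides. The self-referencing lists (netsec-sig as its own readers and optouts) are the edge case the membership expansion has to survive.

```python
"""Toy model of the Grouper v1 privilege scheme on the preceding slides.

Added illustration, not Grouper's own code. Class and function names, the
reading of "hierarchical creation authority" and the subject ids are
assumptions; the group names are taken from the example slides.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Per-group privilege lists. ADMIN is treated as implying every other
# privilege, following the slide's "ADMIN can modify everything".
PRIV_LISTS = ("viewers", "readers", "updaters", "admins", "optins", "optouts")


@dataclass
class Group:
    name: str                                         # "stem:extension"
    members: set[str] = field(default_factory=set)    # subject ids or group names
    lists: dict[str, set[str]] = field(default_factory=dict)


class Registry:
    """In-memory registry. An entry in a member or privilege list that names
    another group is expanded transitively (subgroups / compound groups)."""

    def __init__(self) -> None:
        self.groups: dict[str, Group] = {}

    def add(self, name: str, members=(), **lists) -> Group:
        unknown = set(lists) - set(PRIV_LISTS)
        if unknown:
            raise ValueError(f"unknown privilege list(s): {sorted(unknown)}")
        g = Group(name, set(members), {k: set(v) for k, v in lists.items()})
        self.groups[name] = g
        return g

    def _expand(self, entries: set[str], seen: frozenset[str]) -> set[str]:
        """Flatten subject ids and group names into subject ids. `seen`
        stops cycles, e.g. netsec-sig listing itself as its own readers."""
        out: set[str] = set()
        for e in entries:
            if e in self.groups:
                if e not in seen:
                    out |= self._expand(self.groups[e].members, seen | {e})
            else:
                out.add(e)
        return out

    def effective_members(self, name: str) -> set[str]:
        return self._expand(self.groups[name].members, frozenset())

    def has_priv(self, subject: str, name: str, priv: str) -> bool:
        g = self.groups[name]
        for plist in (priv, "admins"):          # admins hold every privilege
            if subject in self._expand(g.lists.get(plist, set()), frozenset()):
                return True
        return False

    def can_create(self, subject: str, name: str) -> bool:
        """CREATE stem:x is granted by effective membership in grouperCreator:<stem>.
        Assumed reading of 'hierarchical creation authority': authority over a
        stem also covers every stem beneath it."""
        parts = name.rsplit(":", 1)[0].split(":")
        for i in range(len(parts), 0, -1):
            creator = "grouperCreator:" + ":".join(parts[:i])
            if creator in self.groups and subject in self.effective_members(creator):
                return True
        return False

    def create(self, subject: str, name: str, **lists) -> Group:
        if not self.can_create(subject, name):
            raise PermissionError(f"{subject} may not create {name}")
        lists.setdefault("admins", {subject})   # creator administers it (assumption)
        return self.add(name, **lists)

    def opt_in(self, subject: str, name: str) -> None:
        if not self.has_priv(subject, name, "optins"):
            raise PermissionError(f"{subject} may not opt in to {name}")
        self.groups[name].members.add(subject)

    def opt_out(self, subject: str, name: str) -> None:
        if not self.has_priv(subject, name, "optouts"):
            raise PermissionError(f"{subject} may not opt out of {name}")
        self.groups[name].members.discard(subject)


def build_sample_registry() -> Registry:
    """Constructed data: slide group names, made-up subject ids."""
    r = Registry()
    r.add("uofc:uofc", members={"tbarton", "khazelton", "bbellina"})
    r.add("grouperCreator:uofc-nsit", members={"tbarton"})
    r.add("personal-tbarton:myTrueFriends", members={"bbellina"},
          admins={"tbarton"}, optouts={"personal-tbarton:myTrueFriends"})
    r.add("uofc-nsit:netsec-sig", members={"tbarton"},
          optins={"uofc:uofc"},                  # any uofc person may join
          optouts={"uofc-nsit:netsec-sig"},      # members may leave
          readers={"uofc-nsit:netsec-sig"})      # members may read
    return r
```

Two things worth noticing when running it: a subject in uofc:uofc but not yet in netsec-sig cannot read the group until opting in, because readers is the group itself; and the creation check walks the stem from most specific to least specific, so a grouperCreator group at "uofc-nsit" also authorises groups under "uofc-nsit:netsec", which is the hierarchical behaviour the slide describes, read here as an assumption.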
Grouper roadmap
3 phases of Grouper v1 development
1. Basic management and export functions
2. Compound groups
3. Aging of groups and memberships
Deliverables
• Java API, UI, sample batch import/export scripts, documentation
• Some type of prototype demo at AuthZ CAMP
Contributed elements sought
• Provisioning connectors (especially LDAP & AD)
• LDAP Member Lookup Interface
Other Threads
eduPerson & eduOrg
• Added eduPersonScopedAffiliation
• Associated LDIF tweaks & fixes
• Registered eduPersonTargetedID
• “Everything eduPerson” – it’s not just an object class anymore
Attribute registries
• eduPerson* on http://middleware.internet2.edu
• Peter Gietz’s at http://www.daasi.de/services/SchemaReg/
Other Threads
Email address as identifier
Character set issues & policies
Top level entity types in directories
Representing organizational structures in directories
What is “LDAP compliance”?