  1. Directories • Keith Hazelton, University of Wisconsin • Brendan Bellina, University of Notre Dame • Tom Barton, University of Chicago

  2. Outline • localDomainPerson • International collaboration on person schema • Grouper • Selection of other threads

  3. Directories The Local Domain Person Survey

  4. The Local Attribute Problem • Ongoing Development of inter-institutional standards • eduPerson • eduOrg • Application Requirements for Local Attributes/Information • Lack of standards/guidelines for Local Attributes

  5. The Local Domain Person Survey • Intentions: • Use of eduPerson oc and attributes • Use of local oc and attributes for people • Local attributes common to multiple applications • Distribute Survey • Analyze Responses • Publish Analysis and Responses • Publish Recommendations White Paper

  6. Local Domain Person Object Class Study • Initial draft to be included with the Spring 2004 NMI release • A MACE-Dir effort (the Directories working group of MACE, the Middleware Architecture Committee for Education) • Analysis of results from 22 survey respondents

  7. Study Document Structure • Attribute Creation and Institutional Policy • Use of eduPerson and deviations • Use of Local Attributes and Object Classes

  8. Local Attribute Categories • Personal Characteristics • Contact Information • Student-Specific Information • Employee-Specific Information • Multi-Campus Information • Linkage Identifiers

  9. Local Attribute Categories • Entry Metadata • Security Attributes • Privacy Attributes • Authorization Information • Other Miscellaneous Attributes

  10. Study Document Structure cont. • Local Object Class Characteristics • Future Plans • Multiple-Use Local Attributes • Links to Survey Responses and other materials

  11. Next Steps • Release of Survey Study Draft – Spring 2004 • Release of Survey Study Final and website – Summer 2004 (projected) • MACE-Dir Recommendations White Paper – Winter 2004 (projected)

  12. Directories International Person Schema Coordination

  13. Int’l Collaboration on Schema • http://domen.uninett.no/~im/schema/ (Ingrid Melve)

  14. Int’l Collaboration on Schema Work Goals • Agreement on a list of interesting attributes • Common syntax and semantics across schema for some subset of attribute types • Proposed inclusion of some attributes in a standard schema • eduPerson? • Next release of X.520? • Other candidates? • Processes for ongoing schema coordination • Even common syntax & semantics would boost interoperability in attribute mapping

  15. Int’l Collaboration on Schema: Affiliations, statuses, roles • Virtual organizations (as origin) • swissEduPersonHomeOrganizationType: vlo • RedIRIS: irisgridVoCode: bioinformatics • Entitlements (asserted by origin for target) • eduPersonEntitlement: urn:mace:whatever

  16. Int’l Collaboration on Schema Affiliations, statuses, roles • Attributes (asserted by federation rules, either local or global) • norEduPersonLIN: HIO1234567890 • RedIRIS: attributes linking to a classification schema • RedIRIS: catreCode: a01b02c03 • Ticket mechanisms (federation, origin or target)

  17. Int’l Collaboration on Schema Affiliations, statuses, roles • eduPersonAffiliation • eduPersonPrimaryAffiliation • manager • auEduPersonSubType • auEduPersonType • swissEduPersonHomeOrganizationType • swissEduPersonStudyLevel • RedIRIS: irisgridRole

  18. Int’l Collaboration on Schema Affiliations, statuses, roles • funetEduPersonDegreeUniversity • funetEduPersonDegreePolytech • pleduPersonDegree • pleduPersonPosition • swissEduPersonHomeOrganizationType • swissEduPersonStudyLevel • RedIRIS: irisgridRole

  19. Int’l Collaboration on Schema Persons as individuals • X.521 person: sn • RedIRIS: sn1, sn2 • auEduPersonPreferredGivenName • auEduPersonPreferredSurname • auEduPersonSalutation

  20. Int’l Collaboration on Schema Persons as individuals • funetEduPersonDateOfBirth • norEduPersonBirthDate • swissEduPersonDateOfBirth • swissEduPersonGender • nlEduPerson - gender

  21. Int’l Collaboration on Schema Identifiers, foreign keys • Cultural variations in acceptability, scope of use • eduPersonPrincipalName • auEduPersonID • funetEduPersonStudentID • nl - employeeNumber • norEduPersonLIN • norEduPersonNIN • pleduPersonGId • pleduPersonLId • swissEduPersonUniqueID • RedIRIS: irisDnComp

  22. This is part of what federation implementation looks like • Agreements on information schema for: • Applications that need persistent identifiers • For personalization, transcripts, training records • Applications that base access control on attributes (affiliation, role, group membership within organizations and virtual organizations) • Other information to support resource sharing across boundaries
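The following is an added worked example, not code from the slides or from any Internet2 or federation software. It shows the target-side (relying-party) view of slides 14 through 22: an LDIF person entry is parsed, the national birth-date attribute names from slide 20 are mapped to one canonical name (the name mapping is an assumption for illustration; value syntax is left exactly as asserted because the slides do not specify it), eduPersonScopedAffiliation values are accepted only when their scope is one the asserting origin is authorized for and the affiliation is in the eduPerson vocabulary, and an access decision is made from affiliation or eduPersonEntitlement. The sample entry, the scope "example.edu", the entitlement URN and the policy dicts are all constructed for the example.

```python
import base64

# Constructed sample entry (not real data), as an origin might release it.
# staff@evil.example.org is deliberately outside the origin's authorized scope,
# and "bogus" is deliberately outside the eduPersonAffiliation vocabulary.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=edu
objectClass: person
objectClass: eduPerson
uid: jdoe
sn: Doe
givenName: Jane
eduPersonPrincipalName: jdoe@example.edu
eduPersonAffiliation: student
eduPersonAffiliation: member
eduPersonScopedAffiliation: student@example.edu
eduPersonScopedAffiliation: staff@evil.example.org
eduPersonScopedAffiliation: bogus@example.edu
eduPersonEntitlement: urn:mace:example.edu:library:licensed
norEduPersonBirthDate: 19800101
"""

# eduPersonAffiliation controlled vocabulary of the eduPerson spec of this period
# (later revisions add values; adjust to the version you deploy).
AFFILIATION_VALUES = frozenset(
    {"faculty", "student", "staff", "alum", "member", "affiliate", "employee"})

# Hypothetical name mapping for the birth-date attributes listed on slide 20.
# Only the attribute name is mapped; values are passed through untouched.
CANONICAL_NAMES = {
    "funetedupersondateofbirth": "dateofbirth",
    "noredupersonbirthdate": "dateofbirth",
    "swissedupersondateofbirth": "dateofbirth",
}


def parse_ldif(text):
    """Parse one LDIF entry into {attribute name (lowercased): [values]}.
    Handles folded lines (leading space), '#' comments and base64 ('::') values."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # continuation of the previous line
        elif raw and not raw.startswith("#"):
            logical.append(raw)
    entry = {}
    for line in logical:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):           # '::' marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def accepted_scoped_affiliations(entry, authorized_scope):
    """Keep only eduPersonScopedAffiliation values whose scope the origin is
    allowed to assert (taken from federation metadata; one scope here) and whose
    affiliation is in the vocabulary. Without the scope check an origin could
    assert 'staff@other.edu' and be believed by the target."""
    kept = []
    for v in entry.get("edupersonscopedaffiliation", []):
        affiliation, sep, scope = v.rpartition("@")
        if not sep:
            continue                        # malformed: no scope part
        if scope.lower() != authorized_scope.lower():
            continue                        # scope this origin may not assert
        if affiliation.lower() not in AFFILIATION_VALUES:
            continue                        # value outside the controlled vocabulary
        kept.append((affiliation.lower(), scope.lower()))
    return kept


def canonicalize(entry):
    """Return a copy with national-schema attribute names mapped to canonical ones."""
    out = {}
    for name, values in entry.items():
        out.setdefault(CANONICAL_NAMES.get(name, name), []).extend(values)
    return out


def authorize(entry, authorized_scope, policy):
    """Attribute-based decision for one target: grant if an accepted affiliation is
    in policy['affiliations'] or an entitlement is in policy['entitlements'].
    Returns (granted, reason)."""
    for affiliation, scope in accepted_scoped_affiliations(entry, authorized_scope):
        if affiliation in policy.get("affiliations", ()):
            return True, "affiliation %s@%s" % (affiliation, scope)
    for ent in entry.get("edupersonentitlement", []):
        if ent in policy.get("entitlements", ()):
            return True, "entitlement " + ent
    return False, "no matching affiliation or entitlement"
```

Run against the constructed entry, a policy requiring `staff` is refused even though the entry carries `staff@evil.example.org`, because that scope is not one `example.edu` may assert; a policy requiring `student` or the library entitlement is granted. The scope check is the part that matters in a federation: the target trusts the origin only for the scopes metadata says it owns.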

  23. Directories Grouper

  24. Some high-level identity management requirements • ¡ authorization != authentication ! • Muster information supporting … • Per-application or resource access control policies • Exceptions to those policies • Identification of groups of collaborating peers • Common infrastructure to manage and provision requisite information • Information resides in both databases & brains • Many authoritative sources • Group management is one aspect of this picture

  25. Grouper in Context

  26. Features in Grouper v1 • Basic group management • Subgroups & compound groups • Aging of groups and memberships • Abstracted interfaces for • Privileges • Member Lookup • Last Activity • Signet integration

  27. Privileges
      • CREATE: create a group with the specified name
      • VIEW: see the group’s name in lists and refer to the group
      • READ: read basic information about the group
      • UPDATE: change membership and administer membership-related privileges
      • ADMIN: modify everything, including the group name, description and privileges; can delete the group
      • OPTIN: add self to the members list
      • OPTOUT: remove self from the members list

  28. Default Privilege Interface
      • CREATE a group named stem:aString
        • Granted by effective membership in a set of grouperCreator:… groups
        • Hierarchical stems, hierarchical creation authority
        • Managed through the API or UI
      • Other privileges are each granted by effective membership in a list associated with each group
        • viewers, readers, updaters, admins, optins, optouts
        • Also managed through the API or UI

  29. Examples
      • Personal
        • personal-tbarton:myFriends
          • admins: tbarton
        • personal-tbarton:myTrueFriends
          • admins: tbarton
          • optouts: personal-tbarton:myTrueFriends
      • Administrative
        • uofc-bsd:xyz-project-team
          • updaters: uofc-bsd-bsdis:enterpriseAdmins

  30. Examples
      • Administrative
        • uofc-bsd-obgyn:staff
          • updaters: uofc-bsd-obgyn:techsupport
          • viewers: uofc-bsd:staff, uofc-hospital:staff
        • student:owesUsTooMuchMoney
          • readers: uofc-nsit:services
        • uofc-nsit:netsec-sig
          • optins: uofc:uofc
          • optouts: uofc-nsit:netsec-sig
          • readers: uofc-nsit:netsec-sig
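As an added worked example, not from the slides and not the Grouper project’s own Java code, here is a small Python model of the privilege scheme on slides 27 through 30: every privilege except CREATE is held by effective membership (transitive, through subgroups) in a per-group list, CREATE is held by effective membership in a grouperCreator:… group for the target stem or an ancestor stem, and OPTIN/OPTOUT let a subject change only their own membership. Assumptions made for the example: stems are the part of a name before ":" and nest by "-" (uofc, uofc-bsd, uofc-bsd-obgyn); ADMIN is taken to imply VIEW, READ and UPDATE but not OPTIN/OPTOUT; any name in a member or privilege list that matches an existing group is treated as a subgroup. The subjects alice, bob, carol, dave and mallory and the group grouperCreator:uofc-bsd are constructed; the other group names are the ones on the slides.

```python
PRIVILEGE_LISTS = ("viewers", "readers", "updaters", "admins", "optins", "optouts")


class GroupRegistry:
    """Toy model of the Grouper v1 privilege scheme (assumed semantics, see lead-in)."""

    def __init__(self):
        self.groups = {}

    def add_group(self, name, members=(), **privilege_lists):
        group = {"members": set(members), "privs": {p: set() for p in PRIVILEGE_LISTS}}
        for priv, holders in privilege_lists.items():
            if priv not in PRIVILEGE_LISTS:
                raise ValueError("unknown privilege list: " + priv)
            group["privs"][priv] = set(holders)
        self.groups[name] = group

    def effective_members(self, name):
        """Subjects reachable through nested groups (compound groups); cycle-safe.
        An unknown group name yields the empty set."""
        subjects, seen, stack = set(), set(), [name]
        while stack:
            g = stack.pop()
            if g in seen or g not in self.groups:
                continue
            seen.add(g)
            for m in self.groups[g]["members"]:
                if m in self.groups:
                    stack.append(m)      # subgroup: expand it
                else:
                    subjects.add(m)      # leaf subject
        return subjects

    def _expand(self, holder):
        return self.effective_members(holder) if holder in self.groups else {holder}

    def holders(self, name, priv):
        """All subjects holding priv on the group, after expanding listed groups."""
        result = set()
        for h in self.groups[name]["privs"][priv]:
            result |= self._expand(h)
        return result

    def has_privilege(self, subject, name, priv):
        if subject in self.holders(name, priv):
            return True
        # Assumed: ADMIN subsumes VIEW/READ/UPDATE, not the self-service privileges.
        return priv in ("viewers", "readers", "updaters") and subject in self.holders(name, "admins")

    def can_create(self, subject, new_name):
        """CREATE: effective membership in grouperCreator:<stem> for the target stem
        or any ancestor stem (hierarchical creation authority)."""
        parts = new_name.split(":", 1)[0].split("-")
        for depth in range(len(parts), 0, -1):
            creator_group = "grouperCreator:" + "-".join(parts[:depth])
            if subject in self.effective_members(creator_group):
                return True
        return False

    def create_group(self, subject, name, **kw):
        if not self.can_create(subject, name):
            raise PermissionError("%s may not create %s" % (subject, name))
        self.add_group(name, **kw)

    def opt_in(self, subject, name):
        if not self.has_privilege(subject, name, "optins"):
            raise PermissionError("%s may not opt in to %s" % (subject, name))
        self.groups[name]["members"].add(subject)

    def opt_out(self, subject, name):
        if not self.has_privilege(subject, name, "optouts"):
            raise PermissionError("%s may not opt out of %s" % (subject, name))
        self.groups[name]["members"].discard(subject)


def build_example_registry():
    """Groups from slides 29 and 30 populated with constructed subjects."""
    reg = GroupRegistry()
    reg.add_group("uofc:uofc", members={"alice", "bob", "tbarton"})
    reg.add_group("grouperCreator:uofc-bsd", members={"carol"})      # constructed
    reg.add_group("uofc-bsd-bsdis:enterpriseAdmins", members={"carol"})
    reg.add_group("uofc-bsd:xyz-project-team",
                  updaters={"uofc-bsd-bsdis:enterpriseAdmins"})
    reg.add_group("uofc-nsit:services", members={"dave"})
    reg.add_group("student:owesUsTooMuchMoney", members={"bob"},
                  readers={"uofc-nsit:services"})
    reg.add_group("uofc-nsit:netsec-sig", members={"alice"},
                  optins={"uofc:uofc"}, optouts={"uofc-nsit:netsec-sig"},
                  readers={"uofc-nsit:netsec-sig"})
    reg.add_group("personal-tbarton:myFriends", members={"alice"}, admins={"tbarton"})
    return reg
```

The netsec-sig example is the interesting one: anyone in uofc:uofc may opt in, but only current members (the group is its own optouts and readers list) may opt out or read, so membership and the privileges derived from it change together. Note that the `student:owesUsTooMuchMoney` member bob cannot read the group he is in, since READ is held only by uofc-nsit:services.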

  31. Grouper roadmap • 3 phases of Grouper v1 development • Basic management and export functions • Compound groups • Aging of groups and memberships • Deliverables • Java API, UI, sample batch import/export scripts, documentation • Some type of prototype demo at AuthZ CAMP • Contributed elements sought • Provisioning connectors (especially LDAP & AD) • LDAP Member Lookup Interface

  32. Other Threads • eduPerson & eduOrg • Added eduPersonScopedAffiliation • Associated LDIF tweaks & fixes • Registered eduPersonTargetedID • “Everything eduPerson” – it’s not just an object class anymore • Attribute registries • eduPerson* on http://middleware.internet2.edu • Peter Gietz’s at http://www.daasi.de/services/SchemaReg/

  33. Other Threads • Email address as identifier • Character set issues & policies • Top level entity types in directories • Representing organizational structures in directories • What is “LDAP compliance”?