1 / 34


Directories. Keith Hazelton, University of Wisconsin Brendan Bellina, University of Notre Dame Tom Barton, University of Chicago. Outline. localDomainPerson International collaboration on person schema Grouper Selection of other threads. Directories. The Local Domain Person Survey.

Download Presentation


An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.


Presentation Transcript

  1. Directories Keith Hazelton, University of Wisconsin Brendan Bellina, University of Notre Dame Tom Barton, University of Chicago

  2. Outline • localDomainPerson • International collaboration on person schema • Grouper • Selection of other threads

  3. Directories The Local Domain Person Survey

  4. The Local Attribute Problem • Ongoing Development of inter-institutional standards • eduPerson • eduOrg • Application Requirements for Local Attributes/Information • Lack of standards/guidelines for Local Attributes

  5. The Local Domain Person Survey • Intentions: • Use of eduPerson oc and attributes • Use of local oc and attributes for people • Local attributes common to multiple applications • Distribute Survey • Analyze Responses • Publish Analysis and Responses • Publish Recommendations White Paper

  6. Local Domain Person Object Class Study • Initial draft to be included with Spring 2004 NMI-Release • A MACE-Dir effort (Middleware Architecture Committee for Education Directories subgroup) • Analysis of results from 22 survey respondents

  7. Study Document Structure • Attribute Creation and Institutional Policy • Use of eduPerson and deviations • Use of Local Attributes and Object Classes

  8. Local Attribute Categories • Personal Characteristics • Contact Information • Student-Specific Information • Employee-Specific Information • Multi-Campus Information • Linkage Identifiers

  9. Local Attribute Categories • Entry Metadata • Security Attributes • Privacy Attributes • Authorization Information • Other Miscellaneous Attributes

  10. Study Document Structure cont. • Local Object Class Characteristics • Future Plans • Multiple-Use Local Attributes • Links to Survey Responses and other materials

  11. Next Steps • Release of Survey Study Draft – Spring 2004 • Release of Survey Study Final and website – Summer 2004 (projected) • MACE-Dir Recommendations White Paper – Winter 2004 (projected)

  12. Directories International Person Schema Coordination

  13. Int’l Collaboration on Schema • http://domen.uninett.no/~im/schema/ (Ingrid Melve)

  14. Int’l Collaboration on Schema Work Goals • Agreement on a list of interesting attributes • Common syntax and semantics across schema for some subset of attribute types • Proposed inclusion of some attributes in a standard schema • eduPerson? • Next release of X.520? • Other candidates? • Processes for ongoing schema coordination • Even common syntax & semantics would boost interoperability in attribute mapping

  15. Int’l Collaboration on Schema: Affiliations, statuses, roles • Virtual organizations (as origin) • swissEduPersonHomeOrganizationType: vlo • RedIRIS: irisgridVoCode: bioinformatics • Entitlements (asserted by origin for target) • eduPersonEntitlement: urn:mace:whatever

  16. Int’l Collaboration on Schema Affiliations, statuses, roles • Attributes (asserted by federation rules, either local or global) • norEduPersonLIN: HIO1234567890 • RedIRIS: attributes linking to a classification schema • RedIRIS: catreCode: a01b02c03 • Ticket mechanisms (federation, origin or target)

  17. Int’l Collaboration on Schema Affiliations, statuses, roles • eduPersonAffiliation • eduPersonPrimaryAffiliation • manager • auEduPersonSubType • auEduPersonType • swissEduPersonHomeOrganizationType • swissEduPersonStudyLevel • RedIRIS: irisgridRole

  18. Int’l Collaboration on Schema Affiliations, statuses, roles • funetEduPersonDegreeUniversity • funetEduPersonDegreePolytech • pleduPersonDegree • pleduPersonPosition • swissEduPersonHomeOrganizationType • swissEduPersonStudyLevel • RedIRIS: irisgridRole

  19. Int’l Collaboration on Schema Persons as individuals • X.521 person: sn • RedIRIS: sn1, sn2 • auEduPersonPreferredGivenName • auEduPersonPreferredSurname • auEduPersonSalutation

  20. Int’l Collaboration on Schema Persons as individuals • funetEduPersonDateOfBirth • norEduPersonBirthDate • swissEduPersonDateOfBirth • swissEduPersonGender • nlEduPerson - gender

  21. Int’l Collaboration on Schema Identifiers, foreign keys • Cultural variations in acceptability, scope of use • eduPersonPrincipalName • auEduPersonID • funetEduPersonStudentID • nl - employeeNumber • norEduPersonLIN • norEduPersonNIN • pleduPersonGId • pleduPersonLId • swissEduPersonUniqueID • RedIRIS: irisDnComp

  22. This is part of what federation implementation looks like • Agreements on information schema for: • Applications that need persistent identifiers • For personalization, transcript, training records • Applications that base access control on attributes (affiliation, role, group within Os and VOs) • Other info to support resource sharing across boundaries

  23. Directories Grouper

  24. Some high-level identity management requirements • ¡ authorization != authentication ! • Muster information supporting … • Per-application or resource access control policies • Exceptions to those policies • Identification of groups of collaborating peers • Common infrastructure to manage and provision requisite information • Information resides in both databases & brains • Many authoritative sources • Group management is one aspect of this picture

  25. Grouper in Context

  26. Features in Grouper v1 • Basic group management • Subgroups & compound groups • Aging of groups and memberships • Abstracted interfaces for • Privileges • Member Lookup • Last Activity • Signet integration

  27. Privileges • CREATE group with specified name • VIEW group’s name in lists & can refer to group • READ basic information about a group • UPDATE membership and administer membership related privileges • ADMIN can modify everything, including group name, description, & privileges. Can delete the group. • OPTIN can add self to the members list • OPTOUT can remove self from the members list

  28. Default Privilege Interface • CREATE a group named stem:aString • Granted by effective membership in a set of grouperCreator:… groups • Hierarchical stems, hierarchical creation authority • Managed through the API or UI • Other privileges are each granted by effective membership in a list associated with each group • viewers, readers, updaters, admins, optins, optouts • Also managed through the API or UI

  29. Examples • Personal • personal-tbarton:myFriends • admins: tbarton • personal-tbarton:myTrueFriends • admins: tbarton • optouts: personal-tbarton:myTrueFriends • Administrative • uofc-bsd:xyz-project-team • updaters: uofc-bsd-bsdis:enterpriseAdmins

  30. Examples • Administrative • uofc-bsd-obgyn:staff • updaters: uofc-bsd-obgyn:techsupport • viewers: uofc-bsd:staff, uofc-hospital:staff • student:owesUsTooMuchMoney • readers: uofc-nsit:services • uofc-nsit:netsec-sig • optins: uofc:uofc • optouts: uofc-nsit:netsec-sig • readers: uofc-nsit:netsec-sig

  31. Grouper roadmap • 3 phases of Grouper v1 development • Basic management and export functions • Compound groups • Aging of groups and memberships • Deliverables • Java API, UI, sample batch import/export scripts, documentation • Some type of prototype demo at AuthZ CAMP • Contributed elements sought • Provisioning connectors (especially LDAP & AD) • LDAP Member Lookup Interface

  32. Other Threads • eduPerson & eduOrg • Added eduPersonScopedAffiliation • Associated LDIF tweaks & fixes • Registered eduPersonTargetedID • “Everything eduPerson” – it’s not just an object class anymore • Attribute registries • eduPerson* on http://middleware.internet2.edu • Peter Gietz’s at http://www.daasi.de/services/SchemaReg/

  33. Other Threads • Email address as identifier • Character set issues & policies • Top level entity types in directories • Representing organizational structures in directories • What is “LDAP compliance”?

More Related