
Directories

Keith Hazelton, University of Wisconsin

Brendan Bellina, University of Notre Dame

Tom Barton, University of Chicago

Outline
  • localDomainPerson
  • International collaboration on person schema
  • Grouper
  • Selection of other threads

Directories

The Local Domain Person Survey

The Local Attribute Problem
  • Ongoing Development of inter-institutional standards
    • eduPerson
    • eduOrg
  • Application Requirements for Local Attributes/Information
  • Lack of standards/guidelines for Local Attributes
The Local Domain Person Survey
  • Intentions:
    • Use of eduPerson oc and attributes
    • Use of local oc and attributes for people
    • Local attributes common to multiple applications
  • Distribute Survey
  • Analyze Responses
  • Publish Analysis and Responses
  • Publish Recommendations White Paper
Local Domain Person Object Class Study
  • Initial draft to be included with Spring 2004 NMI-Release
  • A MACE-Dir effort (Middleware Architecture Committee for Education Directories subgroup)
  • Analysis of results from 22 survey respondents
Study Document Structure
  • Attribute Creation and Institutional Policy
  • Use of eduPerson and deviations
  • Use of Local Attributes and Object Classes
Local Attribute Categories
  • Personal Characteristics
  • Contact Information
  • Student-Specific Information
  • Employee-Specific Information
  • Multi-Campus Information
  • Linkage Identifiers
Local Attribute Categories
  • Entry Metadata
  • Security Attributes
  • Privacy Attributes
  • Authorization Information
  • Other Miscellaneous Attributes
Study Document Structure cont.
  • Local Object Class Characteristics
  • Future Plans
  • Multiple-Use Local Attributes
  • Links to Survey Responses and other materials
Next Steps
  • Release of Survey Study Draft – Spring 2004
  • Release of Survey Study Final and website – Summer 2004 (projected)
  • MACE-Dir Recommendations White Paper – Winter 2004 (projected)

Directories

International Person Schema Coordination

Int’l Collaboration on Schema
  • http://domen.uninett.no/~im/schema/ (Ingrid Melve)
Int’l Collaboration on Schema Work Goals
  • Agreement on a list of interesting attributes
  • Common syntax and semantics across schema for some subset of attribute types
  • Proposed inclusion of some attributes in a standard schema
    • eduPerson?
    • Next release of X.520?
    • Other candidates?
    • Processes for ongoing schema coordination
  • Even common syntax & semantics would boost interoperability in attribute mapping
Int’l Collaboration on Schema: Affiliations, statuses, roles
  • Virtual organizations (as origin)
    • swissEduPersonHomeOrganizationType: vlo
    • RedIRIS: irisgridVoCode: bioinformatics
  • Entitlements (asserted by origin for target)
    • eduPersonEntitlement: urn:mace:whatever
Int’l Collaboration on Schema: Affiliations, statuses, roles
  • Attributes (asserted by federation rules, either local or global)
    • norEduPersonLIN: HIO1234567890
    • RedIRIS: attributes linking to a classification schema
    • RedIRIS: catreCode: a01b02c03
  • Ticket mechanisms (federation, origin or target)
Int’l Collaboration on Schema: Affiliations, statuses, roles
  • eduPersonAffiliation
  • eduPersonPrimaryAffiliation
  • manager
  • auEduPersonSubType
  • auEduPersonType
  • swissEduPersonHomeOrganizationType
  • swissEduPersonStudyLevel
  • RedIRIS: irisgridRole
Int’l Collaboration on Schema: Affiliations, statuses, roles
  • funetEduPersonDegreeUniversity
  • funetEduPersonDegreePolytech
  • pleduPersonDegree
  • pleduPersonPosition
  • swissEduPersonHomeOrganizationType
  • swissEduPersonStudyLevel
  • RedIRIS: irisgridRole
Int’l Collaboration on Schema: Persons as individuals
  • X.521 person: sn
  • RedIRIS: sn1, sn2
  • auEduPersonPreferredGivenName
  • auEduPersonPreferredSurname
  • auEduPersonSalutation
Int’l Collaboration on Schema: Persons as individuals
  • funetEduPersonDateOfBirth
  • norEduPersonBirthDate
  • swissEduPersonDateOfBirth
  • swissEduPersonGender
  • nlEduPerson - gender
Int’l Collaboration on Schema: Identifiers, foreign keys
  • Cultural variations in acceptability, scope of use
  • eduPersonPrincipalName
  • auEduPersonID
  • funetEduPersonStudentID
  • nl - employeeNumber
  • norEduPersonLIN
  • norEduPersonNIN
  • pleduPersonGId
  • pleduPersonLId
  • swissEduPersonUniqueID
  • RedIRIS: irisDnComp
This is part of what federation implementation looks like
  • Agreements on information schema for:
    • Applications that need persistent identifiers
      • For personalization, transcript, training records
    • Applications that base access control on attributes (affiliation, role, group within Os and VOs)
    • Other info to support resource sharing across boundaries
Some high-level identity management requirements
  • ¡ authorization != authentication !
  • Muster information supporting …
    • Per-application or resource access control policies
    • Exceptions to those policies
    • Identification of groups of collaborating peers
  • Common infrastructure to manage and provision requisite information
    • Information resides in both databases & brains
    • Many authoritative sources
    • Group management is one aspect of this picture
Features in Grouper v1
  • Basic group management
  • Subgroups & compound groups
  • Aging of groups and memberships
  • Abstracted interfaces for
    • Privileges
    • Member Lookup
    • Last Activity
  • Signet integration
Privileges
  • CREATE group with specified name
  • VIEW group’s name in lists & can refer to group
  • READ basic information about a group
  • UPDATE membership and administer membership related privileges
  • ADMIN can modify everything, including group name, description, & privileges. Can delete the group.
  • OPTIN can add self to the members list
  • OPTOUT can remove self from the members list
Default Privilege Interface
  • CREATE a group named stem:aString
    • Granted by effective membership in a set of grouperCreator:… groups
    • Hierarchical stems, hierarchical creation authority
    • Managed through the API or UI
  • Other privileges are each granted by effective membership in a list associated with each group
    • viewers, readers, updaters, admins, optins, optouts
    • Also managed through the API or UI
Examples
  • Personal
    • personal-tbarton:myFriends
      • admins: tbarton
    • personal-tbarton:myTrueFriends
      • admins: tbarton
      • optouts: personal-tbarton:myTrueFriends
  • Administrative
    • uofc-bsd:xyz-project-team
      • updaters: uofc-bsd-bsdis:enterpriseAdmins
Examples
  • Administrative
    • uofc-bsd-obgyn:staff
      • updaters: uofc-bsd-obgyn:techsupport
      • viewers: uofc-bsd:staff, uofc-hospital:staff
    • student:owesUsTooMuchMoney
      • readers: uofc-nsit:services
    • uofc-nsit:netsec-sig
      • optins: uofc:uofc
      • optouts: uofc-nsit:netsec-sig
      • readers: uofc-nsit:netsec-sig
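The "Default Privilege Interface" and "Examples" slides above describe the model in prose: each privilege on a group is held by the effective members of a per-group list (viewers, readers, updaters, admins, optins, optouts), and CREATE under a stem is held by the effective members of a grouperCreator:… group, with creation authority inherited down the stem hierarchy. The following is an added toy model of that resolution logic, written for this page; it is not Grouper's own code or API. It loads the slides' example groups and adds constructed subjects (tbarton, alice, bob, carol, dave, erin, frank) and constructed creator and organisational groups so the checks have something to resolve against. Two conventions are assumptions: stems nest by hyphen (uofc-bsd-obgyn is under uofc-bsd, which is under uofc), and ADMIN implies every other privilege on the same group.

```python
from dataclasses import dataclass, field

# Privilege -> per-group list whose effective members hold it (slide
# "Default Privilege Interface"). CREATE is granted per stem, see can_create().
PRIVILEGE_LISTS = {"VIEW": "viewers", "READ": "readers", "UPDATE": "updaters",
                   "ADMIN": "admins", "OPTIN": "optins", "OPTOUT": "optouts"}
STEM_SEP = "-"               # assumption: hyphen-separated hierarchical stems
CREATOR_STEM = "grouperCreator"


@dataclass
class Group:
    name: str                                   # "stem:extension"
    members: set = field(default_factory=set)   # subject ids or group names
    lists: dict = field(default_factory=dict)   # list name -> set of entries


class Registry:
    def __init__(self):
        self.groups = {}

    def add(self, name, members=(), **lists):
        self.groups[name] = Group(name, set(members),
                                  {k: set(v) for k, v in lists.items()})

    def effective_members(self, name, _seen=None):
        """Flatten direct members and nested subgroups (compound groups);
        _seen guards against membership cycles."""
        _seen = set() if _seen is None else _seen
        group = self.groups.get(name)
        if group is None or name in _seen:
            return set()
        _seen.add(name)
        result = set()
        for entry in group.members:
            if entry in self.groups:
                result |= self.effective_members(entry, _seen)
            else:
                result.add(entry)
        return result

    def _holders(self, group_name, list_name):
        """Subjects holding a privilege: direct entries of the list plus the
        effective membership of every group named in it."""
        holders = set()
        for entry in self.groups[group_name].lists.get(list_name, set()):
            if entry in self.groups:
                holders |= self.effective_members(entry)
            else:
                holders.add(entry)
        return holders

    def has_privilege(self, subject, privilege, group_name):
        if group_name not in self.groups:
            return False          # fail closed on unknown groups
        # Assumption: ADMIN ("can modify everything") implies the others.
        if subject in self._holders(group_name, "admins"):
            return True
        return subject in self._holders(group_name, PRIVILEGE_LISTS[privilege])

    def can_create(self, subject, stem):
        """CREATE under `stem` needs effective membership in grouperCreator:<stem>
        or in the creator group of an ancestor stem (hierarchical authority)."""
        parts = stem.split(STEM_SEP)
        for depth in range(len(parts), 0, -1):
            creator = f"{CREATOR_STEM}:{STEM_SEP.join(parts[:depth])}"
            if subject in self.effective_members(creator):
                return True
        return False


def build_example_registry():
    """The slides' example groups, plus constructed subjects and memberships."""
    r = Registry()
    r.add("uofc:uofc", members={"tbarton", "alice", "bob", "carol", "dave", "erin"})
    r.add("uofc-bsd:staff", members={"dave"})
    r.add("uofc-hospital:staff", members={"frank"})
    r.add("uofc-bsd-bsdis:enterpriseAdmins", members={"erin"})
    r.add("uofc-bsd-obgyn:techsupport", members={"alice"})
    r.add("uofc-nsit:services", members={"bob"})
    r.add(f"{CREATOR_STEM}:uofc-bsd", members={"uofc-bsd-bsdis:enterpriseAdmins"})
    r.add("personal-tbarton:myFriends", members={"alice"}, admins={"tbarton"})
    r.add("personal-tbarton:myTrueFriends", members={"carol"}, admins={"tbarton"},
          optouts={"personal-tbarton:myTrueFriends"})
    r.add("uofc-bsd:xyz-project-team", updaters={"uofc-bsd-bsdis:enterpriseAdmins"})
    r.add("uofc-bsd-obgyn:staff", members={"alice"},
          updaters={"uofc-bsd-obgyn:techsupport"},
          viewers={"uofc-bsd:staff", "uofc-hospital:staff"})
    r.add("student:owesUsTooMuchMoney", members={"carol"},
          readers={"uofc-nsit:services"})
    r.add("uofc-nsit:netsec-sig", members={"dave"}, optins={"uofc:uofc"},
          optouts={"uofc-nsit:netsec-sig"}, readers={"uofc-nsit:netsec-sig"})
    return r
```

The self-referential lists in the slides fall out naturally: because `optouts: uofc-nsit:netsec-sig` names the group itself, `_holders` expands it to the group's own effective members, so exactly the current members may remove themselves, while `optins: uofc:uofc` lets anyone in the institution-wide group add themselves. Unknown groups resolve to no privilege rather than raising, and `can_create("erin", "uofc-bsd-obgyn")` succeeds through the ancestor creator group grouperCreator:uofc-bsd, which is the hierarchical creation authority the slide mentions.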
Grouper roadmap
  • 3 phases of Grouper v1 development
    • Basic management and export functions
    • Compound groups
    • Aging of groups and memberships
  • Deliverables
    • Java API, UI, sample batch import/export scripts, documentation
    • Some type of prototype demo at AuthZ CAMP
  • Contributed elements sought
    • Provisioning connectors (especially LDAP & AD)
    • LDAP Member Lookup Interface
Other Threads
  • eduPerson & eduOrg
    • Added eduPersonScopedAffiliation
    • Associated LDIF tweaks & fixes
    • Registered eduPersonTargetedID
    • “Everything eduPerson” – it’s not just an object class anymore
  • Attribute registries
    • eduPerson* on http://middleware.internet2.edu
    • Peter Gietz’s at http://www.daasi.de/services/SchemaReg/
Other Threads
  • Email address as identifier
  • Character set issues & policies
  • Top level entity types in directories
  • Representing organizational structures in directories
  • What is “LDAP compliance”?