Fall 2009 Day 2 - IdM Plumbing for Developers

What would be the right set of services and what would their contracts provide for open source developers?

  • start from the point of view of the applications or the user's needs?
  • use the word functions instead of contracts
  • you usually have all the information you need, but you have to wire it up manually; that wiring is the kind of plumbing we need
  • Rail gauges used to differ between railways, so a train couldn't run the whole route; our applications are like trains that must be unloaded and their contents transferred to a different train that runs on the next track for the next leg of the journey
  • If you had an authorization engine, how would you talk to it, and what functions would it need to provide?
  • most developers have a framework that does these things for their specific development group
  • what about the issue of consumers misunderstanding what an attribute means? this is a mapping problem
  • Levels of user identification
    • Definition: outside of applications we have a person's definition (student, staff)
    • Roles: then there are roles, which are relevant to applications
    • Permissions: then there are permissions, which are hyper-local and very application-specific
  • If the rest of the world would get their act together, the developers would have a much easier time
  • For example, we give people CAS code snippets instead of talking about protocol
  • possible starting point would be to look at Spring and see what else it needs to meet this particular problem space
  • the solution often seems to be making the library/snippet available to the implementers, it's about the tool set
  • What does plumbing mean?
    • <spec>
    • Web Services
    • Spring
    • But don't get stuck on technology name
  • would like a higher ed ontology for common pieces
  • let's start by staring at solutions
  • the Kuali identity management solution is a potential starting point

ID Framework Functions

  • authorization
    • what can subject X access, or who has attribute X?
    • give X's attributes
    • don't care where the answer came from
  • manage change in attributes
    • change in content/context
    • how do I know when the definition of an attribute changes?
    • flip side is how do I know when the content of the attribute changes?
    • provisioning and de-provisioning based on attribute change
    • the service should set thresholds to trap exceptional changes
    • introduce concept of versioning for attribute definitions
  • group management
    • a list of subjects
    • name of a group is like the name of an attribute
  • role management
    • a list of subjects with permissions
    • this reaches deeper into the security model of an application
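A sketch of what these framework functions look like as one in-memory facade: versioned attribute definitions, content-change events with a threshold trap, groups treated as attribute values, roles carrying permissions, and the two authorization queries from the notes. This is an added example written for these notes, not code from Kuali, Spring or any project discussed here; the class name, method names and the memberOf convention are assumptions.

```python
from collections import defaultdict

class IdmPlumbing:
    """Hypothetical facade over the framework functions in these notes (constructed example)."""
    def __init__(self, change_threshold=100):
        self.definitions = {}                               # attribute name -> (version, description)
        self.attrs = defaultdict(lambda: defaultdict(set))  # subject -> attribute name -> values
        self.role_perms = defaultdict(set)                  # role -> permissions (hyper-local)
        self.role_members = defaultdict(set)                # role -> subjects
        self.change_threshold = change_threshold            # trap for exceptional bulk changes
        self.events = []                                    # what a consumer would subscribe to

    # Versioned definitions: a consumer compares the version it was coded against.
    def define_attribute(self, name, description):
        version = self.definitions.get(name, (0, ""))[0] + 1
        self.definitions[name] = (version, description)
        if version > 1:
            self.events.append(("definition-changed", name, version))
        return version

    # Content change: one event per changed subject, plus a threshold trap for the batch.
    def bulk_update(self, name, updates):
        changed = 0
        for subject, values in updates.items():
            if self.attrs[subject][name] != set(values):
                self.attrs[subject][name] = set(values)
                self.events.append(("content-changed", subject, name))
                changed += 1
        if changed > self.change_threshold:
            self.events.append(("threshold-exceeded", name, changed))
        return changed

    def add_to_group(self, group, subject):
        self.attrs[subject]["memberOf"].add(group)  # a group name behaves like an attribute value

    # Authorization queries from the notes: "give X's attributes" and "who has attribute X?".
    def attributes_of(self, subject):
        return {k: set(v) for k, v in self.attrs[subject].items()}

    def who_has(self, name, value):
        return {s for s, a in self.attrs.items() if value in a.get(name, set())}

    def grant(self, role, permission):
        self.role_perms[role].add(permission)

    def assign_role(self, role, subject):
        self.role_members[role].add(subject)

    # "What can subject X access?" is the union of permissions over X's roles.
    def can_access(self, subject):
        return {p for r, m in self.role_members.items() if subject in m for p in self.role_perms[r]}
```

The events list stands in for the notification channel a real service would expose so that provisioning and de-provisioning can react to attribute changes.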