Fall 2009 Day 2 - IdM Plumbing for Developers

What would be the right set of services and what would their contracts provide for open source developers?

  • start from the point of view of the applications or the user's needs?

  • use the word functions instead of contracts

  • you have all the information you need, but usually you have to manually wire it up; that's the kind of plumbing we need

  • The gauge of train tracks used to differ, so trains couldn't go all the way; our applications are like trains that need to be unloaded and their contents transferred to a different train that can run on a different track for the next leg of the journey

  • If you had an authorization engine, how would you talk to it and what functions would it need to provide?

  • most developers have a framework that does these things for their specific development group

  • what about the issue of consumers misunderstanding what an attribute means? this is a mapping problem

  • Levels of user identification

    • Definition: outside of applications we have a person's definition (student, staff)

    • Roles: then there are roles relevant to applications

    • Permissions: then there are permissions, which are hyper-local and very application specific

  • If the rest of the world would get their act together, the developers would have a much easier time

  • For example, we give people CAS code snippets instead of talking about protocol

  • possible starting point would be to look at Spring and see what else it needs to meet this particular problem space

  • the solution often seems to be making the library/snippet available to the implementers, it's about the tool set

  • What does plumbing mean?

    • <spec>

    • Web Services

    • Spring

    • But don't get stuck on technology name

  • would like a higher ed ontology for common pieces

  • let's start by looking at solutions

  • the Kuali identity management solution is a potential starting point

ID Framework Functions

  • authorization

    • what can subject X access or who has attribute X?

    • return X's attributes

    • don't care where the answer came from

  • manage change in attributes

    • change in content/context

    • how do I know when the definition of an attribute changes?

    • flip side is how do I know when the content of the attribute changes?

    • provisioning and de-provisioning based on attribute change

    • service should set thresholds to trap exceptional changes

    • introduce concept of versioning for attribute definitions

  • group management

    • a list of subjects

    • name of a group is like the name of an attribute

  • role management

    • a list of subjects with permissions

    • this is a deeper match into the security model of an application
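As an added illustration of the function set listed above (authorization queries, versioned attribute definitions, content-change events with a threshold that traps exceptional batches, groups as named attributes, roles as subjects with permissions), here is a toy framework sketch. It is not code from the workshop or from Kuali; the class, method names and sample data are all constructed for this example.

```python
"""Added example (not from the workshop notes): a toy identity framework
sketching the functions listed on this page. All names are hypothetical."""
from collections import defaultdict


class IdFramework:
    def __init__(self, change_threshold=3):
        self.defs = {}                        # attr name -> (version, description)
        self.attrs = defaultdict(dict)        # subject -> {attr: value}
        self.roles = defaultdict(set)         # role -> set of permissions
        self.role_members = defaultdict(set)  # role -> set of subjects
        self.events = []                      # change log consumers can poll
        self.threshold = change_threshold     # max changes per batch before trapping

    def define(self, name, description):
        """Versioned attribute definition: redefining an attribute bumps its
        version so consumers learn that its *meaning* changed (the mapping problem)."""
        version = self.defs.get(name, (0, ""))[0] + 1
        self.defs[name] = (version, description)
        self.events.append(("definition", name, version))
        return version

    def apply_changes(self, changes):
        """changes: list of (subject, attr, value). Content changes are logged;
        a batch larger than the threshold is trapped as exceptional and rejected."""
        if len(changes) > self.threshold:
            self.events.append(("exceptional", len(changes)))
            return False
        for subject, attr, value in changes:
            if attr not in self.defs:
                raise KeyError(f"undefined attribute {attr}")
            old = self.attrs[subject].get(attr)
            self.attrs[subject][attr] = value
            self.events.append(("content", subject, attr, old, value))
        return True

    def who_has(self, attr, value):
        """A group is a named attribute: answers 'who has attribute X?'."""
        return sorted(s for s, a in self.attrs.items() if a.get(attr) == value)

    def grant(self, role, *permissions):
        self.roles[role].update(permissions)

    def assign(self, role, subject):
        self.role_members[role].add(subject)

    def permissions_of(self, subject):
        """Answers 'what can subject X access?' as the union of the permissions
        of the roles X holds; the caller does not care where the answer came from."""
        return {p for r, members in self.role_members.items()
                if subject in members for p in self.roles[r]}
```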