Notes from CAMP

Breakout session -- providing input to perMIT and Grouper projects

Our raw notes. Questions welcome but I got caught up in the conversations.

Begin forwarded message:

From: Chris Hyzer <mchyzer@isc.upenn.edu>
Date: June 17, 2009 1:00:31 AM EDT

To: tom dopirak <tgd@andrew.cmu.edu>, "Paul B. Hill" <pbh@MIT.EDU>

Subject: RE: notes from grouper/permit session -- I am afraid I got carried away listening and not note taking, let me do some editing.

Tom, thanks a lot for taking notes (and volunteering to present back to the group (smile) )

Here are some edits:

Scenario - We have an IDM application but not a centralized AD, we are
looking at bringing up a central AD to support sso and file sharing.

Do we want folks to use the Identity Manager or some other way?

a/Hill - We have been running enterprise group management at MIT for
some time and it feeds AD. The groups are mostly ad hoc and managed by end
users. There are over 200,000 groups with about 24,000 active users.

If you wanted to use institutional data use ldappc to push the data
into AD.

a/hyzer - Grouper has three ways of pulling data: sql-loader, web service
interface and ldappc

For pushing data, it is the upcoming Grouper notification / change log for incremental provisioning out (or read from ldap or web service)

There are other ways like permit to solve a set of problems other
than simply group membership e.g. MIT perMIT

a/Hill - in perMIT "can write to file share" "filesharename"; these can be
flattened to a group name for group-based access

a/hyzer - Attributes will connect to groups, folders, memberships, or subjects. We will be able to support hierarchies of roles, permissions, and of course group memberships so you can have as elegant (or complicated (smile)) a structure as you want, to minimize having to create long names

a/hyzer - for small groups, less than 500, doing ad hoc groups is not much
of a burden.

a/hyzer - begins to talk to a use case with two classes sharing a
fileshare, one reading and one reading and writing

    function = (can create video, can read video, can write critique, can read critique)

    1. get data from lms  and populate subjects into permits

a/hyzer - Grouper would populate groups with the memberships of the two
classes and add an attribute to designate the "verb"/function

...

q: what will most linux kinds of applications do?

a: java acegi or ldap calls

q: we have a master admin accounts system, users are mapped to role
and sources (secondary identified source); how can perMIT support roles?

q: are you talking about traditional rbac roles?

a: yes

a: perMIT has some role concepts: authorizer, principal investigator,

q: do you support workflow?

a: not really, the roles may be part of the authorization system

...

q: how do you support confluence?

a: confluence has an ldap plugin but you had to do authentication via
ldap at one point, an option can allow you to use shib for
authentication. Their ldap connector doesn't support ldap mods.

Tom Dopirak
tgd@andrew.cmu.edu
Senior Consulting Architect, OWC