Notes from CAMP Breakout session -- providing input to perMIT and Grouper projects
...
function = (can create video, can read video, can write critique, can read critique)
1. get data from lms and populate subjects into permits
...
a/Hill- with a well-developed application they are likely going to
use for example AD security descriptors for all authorization, you
can set a registry key so that group memberships are not passed in
Kerberos tickets
q: What will most Linux kinds of applications do?
...
q: we have a master admin accounts system, users are mapped to role
and sources (secondary identified source), how can perMIT support roles?
q: Are you talking about traditional RBAC roles?
...
a: perMIT has some role concepts: primary authorizer, principal investigator,
q: Do you support workflow?
a: Not really, the roles may be part of the authorization system
Discussion about precalculating memberships in nested groups
q: Does the permit have to know about a subject before it can be
assigned or can users type a random but unique string
a: in general folks felt this was unwise and the subject name had to
be verified
q: Should group information be kept in SAML assertion?
a: No particular needs expressed except a desire from CMU's KS
implementation to have the option given their web services
implementation
q: Have you looked at implementing Kuali authorization services on top
of perMIT
a: yes and for the KS service definitions we think we can implement
it as a layer
q: How do you support Confluence?
a: Confluence has an LDAP plugin but you had to do authentication via
LDAP at one point, an option can allow you to use Shib for
authentication. Their LDAP connector doesn't support LDAP mods.