OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

pmrm message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [pmrm] PMRM TC: possible simplifications in the original PMRMServices

Some suggestions inline.  I hope they are useful.

Susan

On 8/18/11 6:39 PM, Michael Willett wrote:
015801cc5df7$b48b8710$1da29530$@rr.com" type="cite">

John S and I have assembled a number of comments

from PMRM TC members over time and have discussed

at length possible simplifications in the PMRM Services

that may address some of your concerns (and confusion).

 

The objective is to make the Methodology/PMRM

as simple as possible, but not any simpler (to quote Einstein).   

 

In the original work that led to the current 10 Services,

the Agent, Usage, and Access services were ‘different’

in their nature, being services that largely invoked other services.

 

Consideration:

 

   - Agent: Acts as the ‘persona’ for the underlying Actor/system.

      Consider expanding the Interaction service to include

      the Agent capability.

 

   - Usage: handles ‘subsequent’ handling of PI.

     Consider absorbing that capability into the Control service.

 

  - Control: Manages agreements/permissions re: PI.

     But, the term ‘control’ is already over-loaded; eg,

     we talk about privacy ‘controls’, which are at a

     different logical level in the architecture.

 

     Consider changing the name of Control to something else:

     one possibility is Usage, expanded meaning (above).

 

      Anyone have a better name suggestion?

      “Manage” is way too broad. 

How about "Data Manager"?  Or "Attribute Manager"?
015801cc5df7$b48b8710$1da29530$@rr.com" type="cite">

 

   - Access: Grant subject access to PI held by other Actors.

     One consideration is to collapse Access into Interaction.

      But, Access is a fundamental function. Let’s keep

      it distinct for the moment.

 

   - Security: Elevate Security to Service status.

 

   - Audit: Manages the ‘log’. Absorb Audit into Enforcement.

I think this is problematic, unless by "absorb," you mean as a separate entity explicitly defined within Enforcement.  If so, makes sense.
015801cc5df7$b48b8710$1da29530$@rr.com" type="cite">

 

Net: New Services –

             Core Policy Services. 19

                  Agreement 19

                                    20Usage (new = Control + Usage)

                  Security

      

                Privacy Assurance Services  21

                  Validation. 21

                  Certification. 22..............................................................................................................................

                  Enforcement 25 (absorb Audit)

             Presentation and Life Cycle Services. 26

                  Interaction. 26 (including Agent)

                  Access

 

Now, consider the 7 function-category set under each Service:

 

1.       DEFINE [SVC] operational requirements

2.       SELECT [SVC] (input, process, and output) information and parameters

3.       INPUT [SVC] information and parameter values in accordance with Select

4.       PROCESS [SVC] information and parameter values within Functions

5.       OUTPUT [SVC] information, parameter values, and actions

6.       LINK [SVC] to other (named) Services

7.       SECURE [SVC] with the appropriate security functions

 Define and Select are all part of setting up the invocation of the Service,

whose calculation is included in the (multiple) Process calls/invocations.

 

Think like programmers: Services are “called” by other Services (like programming ‘procedures’

in my day). So, Link is part of what the privacy management system does among Services.

I'm confused, but it might just be a simple issue.  Shouldn't one of the inputs to services 1-7 be time? 
015801cc5df7$b48b8710$1da29530$@rr.com" type="cite">

And, given that Security is a Service, any Service can ‘link’ to Security. That is,

Security need not be called out explicitly.

I'm really confused here.  I would think we would want Security explicitly called out.  Perhaps I am missing the picture of what is happening.
015801cc5df7$b48b8710$1da29530$@rr.com" type="cite">

 

Net:

 

The fundamental Function categories under each Service are (just like for procedures) :

 

    - Setup

    - Input

    - Process

    - Output

 

Do you have a better word for Setup? Maybe, Configure? 

How about "Initialize"?
015801cc5df7$b48b8710$1da29530$@rr.com" type="cite">

 

We solicit your opinions on any/all of the suggestions above? Yea? Nay? Better ideas?

 

While I have your attention:

 

We use the terms Actor, Touch Point, and System. Can someone suggest

a precise definition for each that shows their mutual relationships?

The challenge: make them distinct.


Actor: Active people, devices, systems that initiate actions.

Touchpoint: The invocation of a service by another service; the invocation includes transfer of PII.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]