OASIS Mailing List Archives

provision message


Subject: Re: RE: [provision] Basic operations (that should be explicit)


I had in mind mainly the first: SUSPEND and RESUME.  Probably should have called them that (rather than enable and disable).

Many platforms treat "lock-out" as a separate thing, and sometimes lockout is transient (an account is only locked out for a configurable period of time).
I think of an identity or account *staying* suspended until it is explicitly resumed, but I'm not really hardcore about that.

What do you think?

Gary
----- Original Message -----
From: "Sodhi, Gavenraj S" <Gavenraj.Sodhi@ca.com>
Date: Monday, May 3, 2004 1:55 pm
Subject: RE: [provision] Basic operations (that should be explicit)

> I am assuming the enable/disable functions are the same as the cross
> domain actions associated with User account provisioning suspension and
> restoration of account access and privileges as well as 'lock-out' of
> account based on incorrect password entry(s).
> 
> 
> Gavenraj Sodhi
> Product Manager, eTrust
> Computer Associates
> 
> 
> -----Original Message-----
> From: Jeff Bohren [jbohren@opennetwork.com] 
> Sent: Monday, May 03, 2004 11:31 AM
> To: provision@lists.oasis-open.org
> Subject: RE: [provision] Basic operations (that should be explicit)
> 
> 
> I agree that we need to add an explicit rename. 
> 
> On the enable/disable and password operations I still have the same
> concerns as before. Specifically, how does a client know for which PSOs
> those operations make sense? For instance, our SPML service can be used
> to provision user accounts as well as organizational units and other
> object types. Obviously reset password does not make sense for
> organizational units.
> 
> Since it is too limiting to only support account provisioning in SPML,
> it does not make sense to me to include account specific operations in
> the protocol.
> 
> Jeff Bohren
> Product Architect
> OpenNetwork Technologies, Inc
> 
> 
> -----Original Message-----
> From: Gary Cole [Gary.P.Cole@Sun.COM] 
> Sent: Monday, May 03, 2004 2:06 PM
> To: provision@lists.oasis-open.org
> Subject: [provision] Basic operations (that should be explicit)
> 
> 
> I believe that certain basic operations should be explicit in the SPML
> protocol.  For one thing, this helps the protocol reflect the
> provisioning domain.  
> For another, it reduces dependence on schema.  
> 
> The most basic operations are CRUD:
> - Create
> - Rename
> - Update
> - Delete
> 
> We already have Add, Modify, and Delete, but I think that we should call
> out Rename explicitly.  Renaming has significant implications for the
> namespace and for references.
> 
> I think we should also have:
> - Enable
> - Disable
> - SetPassword
> - ResetPassword
> - ExpirePassword
> 
> I realize that one could almost perform an equivalent update by: 1)
> looking up the schema; and 2) finding the appropriate element or
> attribute; and 3) specifying an appropriate value.  However, that
> method will differ for each PSP or target.  Basic operations should be
> simple, and should not require schema knowledge.
> 
> What say you, grand mavens of provisioning?
> 
> Gary
> 
> 
> 
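
The distinction drawn at the top of this message, between a suspension that persists until an explicit resume and a lock-out that expires after a configurable period, sketched as an added example that is not part of the original thread or of SPML. The `Account` class, its method names, and the threshold and period values are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

LOCKOUT_THRESHOLD = 3                      # assumed policy value
LOCKOUT_PERIOD = timedelta(minutes=15)     # assumed policy value

@dataclass
class Account:
    """Hypothetical account record; not an SPML schema."""
    name: str
    suspended: bool = False                  # administrative state, changed only explicitly
    failed_logins: int = 0
    locked_until: Optional[datetime] = None  # transient lock-out expiry

    def suspend(self) -> None:
        self.suspended = True

    def resume(self) -> None:
        # Resume lifts only the suspension; an unexpired lock-out still applies.
        self.suspended = False

    def record_failed_login(self, now: datetime) -> None:
        self.failed_logins += 1
        if self.failed_logins >= LOCKOUT_THRESHOLD:
            self.locked_until = now + LOCKOUT_PERIOD
            self.failed_logins = 0

    def is_locked_out(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def can_authenticate(self, now: datetime) -> bool:
        return not self.suspended and not self.is_locked_out(now)

def demo() -> list:
    t0 = datetime(2004, 5, 3, 14, 0)        # constructed timestamp
    acct = Account("jdoe")                  # constructed account name
    for _ in range(LOCKOUT_THRESHOLD):
        acct.record_failed_login(t0)
    acct.suspend()
    later = t0 + LOCKOUT_PERIOD + timedelta(seconds=1)
    results = [acct.is_locked_out(t0), acct.is_locked_out(later),
               acct.can_authenticate(later)]  # lock-out expired, still suspended
    acct.resume()
    results.append(acct.can_authenticate(later))
    return results

if __name__ == "__main__":
    print(demo())
```

Keeping the two states in separate fields means a lock-out timer expiring never re-enables an account that was suspended on purpose.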


