Re: [provision] RE: Account-specific operations (was"Basic Operations...")

[Gary P Cole <Gary.P.Cole@Sun.COM>]

Jeff,

I didn't mean that only accounts are provisioned.  I meant that *mainly*
accounts are provisioned.  I did assert that a PSP must *necessarily manage
accounts* (whereas, for example, a PSP need not manage other kinds of
objects to be called a PSP).  That's kind of what I had in mind by saying
that accounts are *primary*.

Suspend and resume (or enable/disable) are provisioning operations that are
implemented differently on different types of targets.  Some targets have an
explicit flag, attribute, or setting.  On others, such as Solaris, our
product disables an account by setting the password to a randomly generated
value.  (I mentioned this in the Ballad of Joe-Bob, which I sent earlier
today under the subject "Higher-level Scenario for Basic Use Cases".)

Password operations are kind of the same thing.  Some targets won't let you
set a password without knowing the old password, some targets will let an
administrator do this (but not a regular user).  It is the job (and indeed,
part of the purpose of a PSP) to implement such operations on different
types of targets.  Where it cannot, a PSP usually logs or displays for that
operation some kind of error message specific to that target.  That could
even be as simple as "operation 'blah' not supported by target XYZ".

If password is too specific, we could say 'expireCredentials' instead.  For
that matter, we could generalize 'setPassword' to 'setCredentials' (or add a
separate 'setCertificates').  I'm just trying to keep it simple.  The vast
majority of credentials are still passwords, and it's okay with me if a
minority of targets throw UnsupportedOperationException.

I think these are the kind of things that bring the protocol closer to the
domain of real-world provisioning.  Doesn't everybody who's a provisioning
vendor have to do these kinds of things?  There's always some fuzz around
the edges (i.e., data in the tails of a normal distribution), but shouldn't
we follow the 80:20 rule?

I'm willing to follow the majority, but our majority have been fairly
silent. :-)

Gary
----- Original Message ----- 
From: "Jeff Bohren" <jbohren@opennetwork.com>
To: <provision@lists.oasis-open.org>
Sent: Monday, May 03, 2004 2:41 PM
Subject: [provision] RE: Account-specific operations (was "Basic
Operations...")



Even if you assume (which I don't) that only accounts are provisioned,
there still needs to be a way to determine what kind of accounts support
what kind of operations. For instance Solaris accounts don't support
suspend/restore semantics. Also the difference between set and reset
password is not universal among system that use passwords.

Another interesting case would be provisioning accounts for which
passwords are meaningless altogether. For instance if an RA was making a
provisioning request to a PSP to create accounts strictly for the use
SAML, WS-Federation, or Liberty SSO, that account may never have a
password. In this case suspend/restore makes sense, but the password
operations don't.

Or you may be provisioning end user accounts for use by a web service
enforcement agent. The agent may authorize calls made on the part of an
end user by an authenticated client, where the client never actually
authenticated directly to the agent and does not have a password on that
system.

While I would agree that most provisioning operations on a given service
would concern accounts, that does not mean that other kinds of objects
can be given secondary status. That would severely limit the usefulness
of the spec for no benefit.

I would assume the following:
1) Not all PSOs are accounts
2) Not all PSOs that are accounts can be suspended
3) Not all PSOs that are accounts have passwords
4) Not all PSOs that are accounts and have passwords have password
expirations

Given those assumptions, I don't see any gain in including
suspend/restore and password semantics in the core SPML protocol. It
would only make thing more complicated than they currently are.

Jeff Bohren
Product Architect
OpenNetwork Technologies, Inc

Try the industry's only 100% .NET-enabled identity management software.
Download your free copy of Universal IdP Standard Edition today. Go to
www.opennetwork.com/eval.



-----Original Message-----
From: Gary Cole [mailto:Gary.P.Cole@Sun.COM]
Sent: Monday, May 03, 2004 2:54 PM
To: Jeff Bohren
Cc: provision@lists.oasis-open.org
Subject: Account-specific operations (was "Basic Operations...")


I've been thinking about this a lot lately (of course, this doesn't mean
that I'm right, just that I'm trying), and I believe that provisioning
is *and should be* account-centric.

The organizations, groups, roles, and rights defined by a target are
relatively static.  The vast majority of the time, we are creating
accounts.  These may *refer* to (or belong to) organizational units,
groups, and roles, but they don't always *need* to.

I would assert that with respect to provisioning:
1) *accounts* are primary
2) account *memberships* in containers are secondary
3) *container* objects themselves are tertiary.

I really hope we can find a way to agree, because I think this is
important.  We (all the PSTC members) have talked at cross-purposes
occasionally, since each of us come from different points-of-view.

We had a little bit of a breakthrough when we distinguished "white-box"
from "black-box" PSPs.

I'm hoping that the distinction between "internal" and "external"
provisioning may do something like that again.  External provisioning is
the simple case, in which services are well-defined and very few choices
are exposed.  In such a case, you don't see the other enterprise's org
tree, and you may not want to make your operations schema-dependendent.
However, you still need to be able to enable/disable the identity and
set/reset/expire passwords.

Taking a different tack, let's look at it terms of necessity and
sufficiency.  I think we'd all agree that it's *necessary* for a PSP to
create accounts. Some might even argue that creating, deleting and
modifying accounts is *sufficient* for a PSP. It is NOT necessary for a
PSP to create organizational units, although this is desirable.

If we can agree that it's okay for provisioning to be account-centric, I
think we'll be money ahead.  This will make the protocol easier to
understand, easier to adopt, and better adapted to the basic use cases.

Gary
----- Original Message -----
From: Jeff Bohren <jbohren@opennetwork.com>
Date: Monday, May 3, 2004 1:31 pm
Subject: RE: [provision] Basic operations (that should be explicit)

>
> On the enable/disable and password operations I still have the same
> concerns as before. Specifically how does a client know for which PSOs

> those operations make sense. For instance our SPML service can be used

> to provision user accounts as well as organizations units and other
> object types. Obviously reset password does not make sense for
> oraganizational units.
>
> Since it is too limiting to only support account provisioning in SPML,

> it does not make sense to me to include account specific operations in
> the protocol.
>
> Jeff Bohren
> Product Architect
> OpenNetwork Technologies, Inc
>
> Try the industry's only 100% .NET-enabled identity management
> software.Download your free copy of Universal IdP Standard Edition
> today. Go to
> www.opennetwork.com/eval.
>
>
>
> -----Original Message-----
> From: Gary Cole [Gary.P.Cole@Sun.COM]
> Sent: Monday, May 03, 2004 2:06 PM
> To: provision@lists.oasis-open.org
> Subject: [provision] Basic operations (that should be explicit)
>
>
> I believe that certain basic operations should be explicit in the SPML

> protocol.  For one thing, this helps the protocol reflect the
> provisioning domain.
> For another, it reduces dependence on schema.
>
> The most basic operations are CRUD:
> - Create
> - Rename
> - Update
> - Delete
>
> We already have Add, Modify, and Delete, but I think that we
> should call
> out Rename explicitly.  Renaming  has significant implications for the
> namespace and for references.
>
> I think we should also have:
> - Enable
> - Disable
> - SetPassword
> - ResetPassword
> - ExpirePassword
>
> I realize that one could almost perform an equivalent update by: 1)
> looking up the schema; and 2) finding the appropriate element or
> attribute; and 3) specifying an appropriate value.  However, that
> methodwill differ for each PSP or target.  Basic operations should be
> simple, and should not require schema knowledge.
>
> What say you, grand mavens of provisioning?
>
> Gary
>
>
> To unsubscribe from this mailing list (and be removed from the
> roster of
> the OASIS TC), go to
> http://www.oasis-
> open.org/apps/org/workgroup/provision/members/leave_workgroup.php.
>
>
> To unsubscribe from this mailing list (and be removed from the
> roster of the OASIS TC), go to http://www.oasis-
> open.org/apps/org/workgroup/provision/members/leave_workgroup.php.
>


To unsubscribe from this mailing list (and be removed from the roster of the
OASIS TC), go to
http://www.oasis-open.org/apps/org/workgroup/provision/members/leave_workgroup.php.