
iam-discuss message



Subject: Proposed IAM TC -- Summary of April 29 OASIS stakeholders kickoff telcon



A Go-To-Meeting telcon was hosted by OASIS on April 29, 2015, for initial discussion of the draft "IAM TC" submission among OASIS Member stakeholders. 

Invited to this telcon were OASIS members identified by the instigators of this proposal (Martin Smith and John Tolbert) as likely to have specific interest in identity and access management (IAM), and/or long experience in OASIS processes. 

Agenda--
Review of OASIS New TC process (Chet Ensign--OASIS)
Discussion of draft IAM TC new-TC submission package
Review of immediate next steps

This message covers only the "meat" of the discussion of the draft submission, attempting to extract key issues raised that should result in some revision of the draft.

It is our intention to collect these points and others raised via comments on this discussion list, and to propose a disposition of all comments/suggestions that will be reflected in the final submission to OASIS. 

Main points of discussion from the April 29 telcon: 

1.  TC name: Several people suggested that the working name ("IAM TC") might suggest that all OASIS work related to this area was somehow "under" the proposed TC: someone used the phrase "one ring to rule them all." This is definitely not the intent, so we're looking for a TC name that would avoid that impression.

2. Nature of the principal deliverables: this is obviously a key element of any TC proposal, and several people sought clarification of the term "logical system design."  The discussion raised issues around the level of abstraction of the deliverables, and also the question of whether the system design (or architecture or model...) would accommodate a variety of standards, or would specify only specific standards or only OASIS standards. 

3. IAM capability selector: One participant suggested the Framework might provide a useful tool for implementers to identify those components of an IAM system that would be required to meet their specific use-cases. We agreed that the proposed deliverables would support this use as it would document traceability between high-level requirements (use cases) and specific sets of IAM components. 

4. Use of "scenarios":  One person noted the absence of this term in the draft. I responded that I intended to include scenarios and use-cases as part of the requirements process, but agreed it would be helpful to state this explicitly. 

5. Testing:  interspersed in the discussion were comments on the proposal's emphasis on creating a "testable" framework. It was noted that developing tests that were abstracted from a particular technology would be challenging.

6. Scope--separation of duties: one person said the capability to enforce separation of duties (e.g., to prevent insider fraud) would be addressed by the TC. John Tolbert suggested that this capability could be included as a requirement to be satisfied by the IAM system design.

Martin

--
Martin F Smith, Principal
BFC Consulting, LLC
McLean, Va 22102
703 506-0159
703 389-3224 mobile

