

Subject: RE: [provision] Multiple targets with the ONT proposal


While it may not have been a specific requirement in the 2.0 discussion at the last F2F, this certainly was a requirement in the 1.0 Use Cases (Query Available PSTs). I do believe that we should not hamstring ourselves by this document if our requirements have evolved beyond it, but the ability to query targets seems very important to me, and not solely in the RA->PSP scenario. Whatever about the argument regarding its relative importance in different conversation scenarios, I for one believe that any reasonable proposal should not preclude the ability to perform the operation. I'd be interested in feedback from other members of the committee on the question.

However you introduce the notion into the ONT proposal, I would highlight that I also believe it is important to associate targets with a specific schema. I also think it is valuable to provide an association between each target and the provisioned state (items/entries/PSOs or whatever other name you prefer) related to the target. Again, it would be useful to get other perspectives on this from the other provisioning vendors on the committee.
Gerry







          "Jeff Bohren" <jbohren@opennetwork.com>

          03/02/2004 07:16 AM



To: <provision@lists.oasis-open.org>
cc:
Subject: RE: [provision] Multiple targets with the ONT proposal


The ONT Proposal did not address the issue of multiple targets because it was not explicitly a requirement. If this is something that the committee feels should be supported in SPML 2.0, it would probably be a good idea to add it to the requirements. Since SPML is designed to support RA->PSP and PST->PST provisioning, explicit targets really only apply to the RA->PSP case. For RA->PSP provisioning, it should be considered optional since not all PSPs expose underlying PSTs via the SPML service.

For the RA->PSP case where the PSP exposes the underlying PSTs to the RA, there are at least three ways this could be handled in the ONT SPML 2.0 Proposal:

1) By adding an optional target element to the add, modify, delete verbs as well as the search results (this could be done similar to what is in the IBM proposal). An optional "list target" verb could be added to get a list of targets for the service.

2) By adding the target as an optional component of the SPML Identifier. Again, an optional "list target" verb could be added to get a list of targets for the service.

3) By treating targets as containers within the namespace of the provisioned object. For instance an account jbohren provisioned to an underlying RACF system could be named as "uid=jbohren, ou=racf1, dc=acme.com" where "ou=racf1, dc=acme.com" would be the RACF target. This approach is supportable in the SPML 1.0 spec, assuming that DN identifiers are used. By coincidence, this was also the approach used in the recent SAML 1.1 interop event that I participated in at the RSA conference last week.


Jeff Bohren
Product Architect
OpenNetwork Technologies, Inc

Try the industry's only 100% .NET-enabled identity management software. Download your free copy of Universal IdP Standard Edition today. Go to www.opennetwork.com/eval.
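
Archive note (an added example, not part of either message and not code from the SPML specification or any proposal): a sketch of how a receiver could recover the target from a DN identifier under option 3 above, where the target is the container holding the provisioned object. The function names are hypothetical, every identifier other than the jbohren one is constructed, and the code assumes the object sits directly under its target container and that commas inside values are backslash-escaped as in RFC 4514.

```python
from collections import defaultdict

def split_rdns(dn):
    """Split a DN on unescaped commas, keeping backslash escape pairs intact."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])      # escaped character, never a separator
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).lstrip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).lstrip())
    if any("=" not in p for p in parts):
        raise ValueError(f"malformed DN: {dn!r}")
    return parts

def split_target(dn):
    """Return (object RDN, target container DN) for an option-3 identifier."""
    rdns = split_rdns(dn)
    if len(rdns) < 2:
        raise ValueError(f"identifier has no target container: {dn!r}")
    return rdns[0], ", ".join(rdns[1:])

def group_by_target(identifiers):
    """Derive the set of targets, and the objects on each, from identifiers."""
    targets = defaultdict(list)
    for dn in identifiers:
        rdn, target = split_target(dn)
        targets[target].append(rdn)
    return dict(targets)

# Constructed sample identifiers; only the first appears in the message above.
SAMPLE = [
    "uid=jbohren, ou=racf1, dc=acme.com",
    "uid=smith\\, j, ou=racf1, dc=acme.com",   # escaped comma inside the value
    "uid=asmith, ou=ad1, dc=acme.com",
]

if __name__ == "__main__":
    for target, objects in group_by_target(SAMPLE).items():
        print(target, "->", objects)
```

A plain split on "," would place the second identifier under a target beginning " j, ou=racf1", so a receiver that routes or authorizes requests by target needs escape-aware parsing.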



