
Subject: RE: [provision] Multiple targets with the ONT proposal


Doron,
My opinion is that since the target is a defined object in the provisioning model that the PSTC has defined, it would make sense to actually make its definition and use explicit. The problem with naming conventions or the use of containers is that it requires fore-knowledge of these conventions, and they are hard if not impossible to discover programmatically.

I agree wholeheartedly that there should be a defined schema for a target in the SPML 2.0 effort. Gary has already taken some steps towards an initial definition and there is of course a definition in the WS-Provisioning proposal. It sounds like we are pretty much all agreed on this point.
Gerry

"Cohen, Doron" <Doron_Cohen@bmc.com>
03/02/2004 11:58 PM



To: provision@lists.oasis-open.org
cc:
Subject: RE: [provision] Multiple targets with the ONT proposal


The concept of targets and their respective schema is implicit in SPML 1.0 and
can be realized through the use of designated attributes or via naming
convention as the identifier (such as the container in the DN in Jeff's
example). Actually, this is true for all operations whether add, modify or
search thus the use case of searching targets is achievable in SPML 1.0.

Explicitly introducing the concept of targets is important for SPML 2.0 but
it is my view that this should be achieved as part of the object/data model
effort (aka PrOM) since targets are only a subset of the object model that
is required for implementation of the use cases.

As for the ability to relate to target specific schema, it is indeed a
requirement and in our implementation of SPML SchemaRequest we have created
the functionality to support this by including vendor specific attributes
and object classes and I would like to see SPML 2.0 include this. It might
be yet another requirement we need to add to the requirement docs.

Doron

Doron Cohen
Chief Architect, Security BU
BMC Software

-----Original Message-----
From: Gearard Woods [mailto:gewoods@us.ibm.com]
Sent: Tuesday, March 02, 2004 11:09 PM
To: Jeff Bohren
Cc: provision@lists.oasis-open.org
Subject: RE: [provision] Multiple targets with the ONT proposal


While it may not have been a specific requirement in the 2.0 discussion at
the last F2F, this certainly was a requirement in the 1.0 Use Cases (Query
Available PSTs). I do believe that we should not hamstring ourselves by this
document if our requirements have evolved beyond it, but the ability to
query targets seems very important to me, and not solely in the RA->PSP
scenario. Whatever about the argument regarding its relative importance in
different conversation scenarios, I for one believe that any reasonable
proposal should not preclude the ability to perform the operation. I'd be
interested in feedback from other members of the committee on the question.

However you introduce the notion into the ONT proposal, I would highlight
that I also believe it is important to associate targets with a specific
schema. I also think it is valuable to provide an association between each
target and the provisioned state (items/entries/PSOs or whatever other name
you prefer) related to the target. Again, it would be useful to get other
perspectives on this from the other provisioning vendors on the committee.
Gerry

"Jeff Bohren" <jbohren@opennetwork.com>
03/02/2004 07:16 AM

To: <provision@lists.oasis-open.org>
cc:
Subject: RE: [provision] Multiple targets with the ONT proposal


The ONT Proposal did not address the issue of multiple targets because it
was not explicitly a requirement. If this is something that the committee
feels should be supported in SPML 2.0, it would probably be a good idea to
add it to the requirements. Since SPML is designed to support RA->PSP and
PST->PST provisioning, explicit targets really only apply to the RA->PSP
case. For RA->PSP provisioning, it should be considered optional since not
all PSPs expose underlying PSTs via the SPML service.

For the RA->PSP case where the PSP exposes the underlying PSTs to the RA,
there are at least three ways this could be handled in the ONT SPML 2.0
Proposal:

1) By adding an optional target element to the add, modify, delete verbs as
well as the search results (this could be done similar to what is in the IBM
proposal). An optional "list target" verb could be added to get a list of
targets for the service.

2) By adding the target as an optional component of the SPML Identifier.
Again, an optional "list target" verb could be added to get a list of
targets for the service.

3) By treating targets as containers within the namespace of the provisioned
object. For instance an account jbohren provisioned to an underlying RACF
system could be named as "uid=jbohren, ou=racf1, dc=acme.com" where
"ou=racf1, dc=acme.com" would be the RACF target. This approach is
supportable in the SPML 1.0 spec, assuming that DN identifiers are used. By
coincidence, this was also the approach used in the recent SAML 1.1 interop
event that I participated in at the RSA conference last week.


Jeff Bohren
Product Architect
OpenNetwork Technologies, Inc

Try the industry's only 100% .NET-enabled identity management software.
Download your free copy of Universal IdP Standard Edition today. Go to
www.opennetwork.com/eval.

-----Original Message-----
From: Gearard Woods [mailto:gewoods@us.ibm.com]
Sent: Tuesday, March 02, 2004 1:17 AM
To: provision@lists.oasis-open.org
Subject: [provision] Multiple targets with the ONT proposal

I didn't want to muddle up the other discussion with this question but since
we're not having a call tomorrow, I still haven't seen any clarification of
the question of single/multiple targets with the ONT proposal. Gary raised
the issue in his data model document and I echoed the concern in a follow-up
e-mail. Jeff, can you offer some insights on this question?
Thanks,
Gerry
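
Added example (not part of the thread, and not code from any SPML proposal or vendor): a sketch of approach 3 from Jeff Bohren's message, recovering the target from a DN identifier. It also shows the fore-knowledge objection raised in the top reply: the split point is only known to a client that already holds a list of target suffixes. `KNOWN_TARGETS`, the `ou=ad1` entry and all function names are assumptions made for illustration.

```python
# Added illustration; KNOWN_TARGETS and all function names are hypothetical.
# The registry stands in for the foreknowledge the container convention needs.
KNOWN_TARGETS = {
    "ou=racf1,dc=acme.com": "RACF",           # suffix from the thread's example
    "ou=ad1,dc=acme.com": "ActiveDirectory",  # constructed
}

def _normalise(rdn):
    attr, sep, value = rdn.strip().partition("=")
    if not sep or not attr.strip():
        raise ValueError(f"malformed RDN: {rdn!r}")
    return f"{attr.strip().lower()}={value.strip()}"

def split_rdns(dn):
    """Split a DN on unescaped commas, keeping backslash escapes intact."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])   # escaped char, e.g. "\," inside a value
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    return [_normalise(r) for r in rdns]

def resolve_target(dn, known=KNOWN_TARGETS):
    """Return (local_id, target_suffix, target_type), or None if no suffix is a known target."""
    registry = {",".join(split_rdns(k)): v for k, v in known.items()}
    rdns = split_rdns(dn)
    for i in range(1, len(rdns)):          # longest candidate suffix first
        suffix = ",".join(rdns[i:])
        if suffix in registry:
            return ",".join(rdns[:i]), suffix, registry[suffix]
    return None

if __name__ == "__main__":
    for dn in ("uid=jbohren, ou=racf1, dc=acme.com",
               "cn=Bohren\\, Jeff, OU=racf1, dc=acme.com",
               "uid=jbohren, ou=people, dc=acme.com"):   # not a registered target
        print(dn, "->", resolve_target(dn))
```

The third DN returns `None`: nothing in the identifier itself says whether `ou=people` is a target or an ordinary container, so the answer depends entirely on the registry.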
