OASIS Mailing List Archives

provision message



Subject: RE: [provision] Working Group call 20040727.


Gary,

1. Here are relationship attribute examples for account provisioning:

a. SAP - User membership in roles carries expiration date
b. Oracle Database - Membership of users in groups contains the 'default'
attribute which means that that connection is active at login time.
Connections that are not marked default are not in effect until explicit
definition by the user
c. CA-Top Secret - User connections to profiles involve expiration and
ordering of user profile
d. IBM RACF - User authority in groups is part of the connection /
membership details 

2. In addition there are additional considerations:

a. When you come to consider extending account provisioning to deal with
fine grain resources and be able to associate users with network and
application resources (whether directories, printers etc.), you get into
ACLs which are in fact relationships that require attributes.
b. As every provisioning service may need to expose relationships to roles,
policies and meta data governed by its automation model, I think the ability
to express attributes for those relations is very helpful for similar
reasons of the mentioned system in the examples above.

Regards
Doron

Doron Cohen
Chief Architect, Security BU
BMC Software

-----Original Message-----
From: Gary P Cole [mailto:Gary.P.Cole@Sun.COM] 
Sent: Tuesday, July 27, 2004 7:56 PM
To: 'PSTC'
Subject: [provision] Working Group call 20040727.


Participants in this morning's working group call debated whether SPML 
2.0 needs to support what we term "complex" relationships:  
relationships where the connection itself has attributes.

Attendees:
- Rob Sherwood
- Doron Cohen (BMC)
- Jeff Bohren (Open Networks)
- Gary Cole (Sun)

Mr. Cohen took the position that the ability to express relationships in 
SPML 2.0 should include the ability to express complex relationships.  
Mr. Bohren explained that he will oppose support for complex 
relationships--and indeed, will oppose making relationships explicit--if 
this unduly complicates support for simple relationships. 

Mr. Bohren requires 1) the ability to search based on relationships and 
2) that the search result identify each connected object.  Mr. Bohren 
can do this today with SPML 1.0, and will not accept any added 
indirection that requires additional processing.

Action Items:
-------------
1) Doron Cohen and Gary Cole will seek more examples of complex 
relationships.  The goal is to demonstrate that the need to manage 
complex relationships is general--and not specific to RACF.

2) Jeff Bohren and Gary Cole will discuss Mr. Bohren's requirements to 
search based on relationships.  The goal is to fully understand the 
behavior that Mr. Bohren feels must be preserved, and to understand 
where the current (strawman) proposal may fall short.

The overarching goal is to see whether the proposal can be modified or 
extended to meet both sets of requirements.

Gary

