Subject: Re: [provision] Working Group call 20040727.
Thank you, Doron.

I was able to find one more example: Entrust GetAccess group memberships require an expiration date.

Cohen, Doron wrote:

>Gary,
>
>1. Here are relationship attributes examples for account provisioning:
>
>a. SAP - User membership in roles carries expiration date
>b. Oracle Database - Membership of users in groups contains the 'default'
>attribute which means that that connection is active at login time.
>Connections that are not marked default are not in effect until explicit
>definition by the user
>c. CA-Top Secret - User connections to profiles involves expiration and
>ordering of user profile
>d. IBM RACF - User authority in groups is part of the connection /
>membership details
>
>2. In addition there are additional considerations:
>
>a. When you come to consider extending account provisioning to deal with
>fine grain resources and be able to associate users with network and
>application resources (whether directories, printers etc...), you get into
>ACLs which are in fact relationships that require attributes.
>b. As every provisioning service may need to expose relationships to roles,
>policies and meta data governed by its automation model. I think the ability
>to express attributes for those relations is very helpful for similar
>reasons of the mentioned system in the examples above.
>
>Regards
>Doron
>
>Doron Cohen
>Chief Architect, Security BU
>BMC Software
>
>-----Original Message-----
>From: Gary P Cole [mailto:Gary.P.Cole@Sun.COM]
>Sent: Tuesday, July 27, 2004 7:56 PM
>To: 'PSTC'
>Subject: [provision] Working Group call 20040727.
>
>
>Participants in this morning's working group call debated whether SPML
>2.0 needs to support what we term "complex" relationships:
>relationships where the connection itself has attributes.
>
>Attendees:
>- Rob Sherwood
>- Doron Cohen (BMC)
>- Jeff Bohren (Open Networks)
>- Gary Cole (Sun)
>
>Mr. Cohen took the position that the ability to express relationships in
>SPML 2.0 should include the ability to express complex relationships.
>Mr. Bohren explained that he will oppose support for complex
>relationships--and indeed, will oppose making relationships explicit--if
>this unduly complicates support for simple relationships.
>
>Mr. Bohren requires 1) the ability to search based on relationships and
>2) that the search result identify each connected object. Mr. Bohren
>can do this today with SPML 1.0, and will not accept any added
>indirection that requires additional processing.
>
>Action Items:
>-------------
>1) Doron Cohen and Gary Cole will seek more examples of complex
>relationships. The goal is to demonstrate that the need to manage
>complex relationships is general--and not specific to RACF.
>
>2) Jeff Bohren and Gary Cole will discuss Mr. Bohren's requirements to
>search based on relationships. The goal is to fully understand the
>behavior that Mr. Bohren feels must be preserved, and to understand
>where the current (strawman) proposal may fall short.
>
>The overarching goal is to see whether the proposal can be modified or
>extended to meet both sets of requirements.
>
>Gary
>
>
>To unsubscribe from this mailing list (and be removed from the roster of the
>OASIS TC), go to
>http://www.oasis-open.org/apps/org/workgroup/provision/members/leave_workgroup.php.
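
An added illustration, not part of the thread and not SPML syntax: a small Python model in which each user-to-group connection carries the kinds of attributes listed above (expiration, a default flag, authority), while a simple relationship search still returns every connected object in one step. The class, method and field names, the inclusive-expiry rule and the sample data are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Membership:
    """A user-to-group connection that carries its own attributes."""
    user: str
    group: str
    expires: Optional[date] = None   # expiration date on the connection
    default: bool = True             # active at login only when set
    authority: Optional[str] = None  # authority held within the group

    def in_effect(self, today: date) -> bool:
        # Assumption: a connection stays valid through its expiration date.
        if self.expires is not None and today > self.expires:
            return False
        return self.default

class Directory:
    def __init__(self, memberships):
        # Index connections by group so a search is a single lookup.
        self._by_group = {}
        for m in memberships:
            self._by_group.setdefault(m.group, []).append(m)

    def members_of(self, group):
        """Simple relationship search: returns each connected user id directly."""
        return [m.user for m in self._by_group.get(group, [])]

    def effective_members_of(self, group, today):
        """Same search, honouring the attributes on each connection."""
        return [m.user for m in self._by_group.get(group, []) if m.in_effect(today)]

    def connection(self, user, group):
        """Attributes of one connection, fetched only when a caller wants them."""
        return next((m for m in self._by_group.get(group, []) if m.user == user), None)

# Constructed sample data, not taken from any real system.
TODAY = date(2004, 7, 27)
SAMPLE = Directory([
    Membership("alice", "finance", expires=date(2004, 12, 31)),
    Membership("bob", "finance", expires=date(2004, 6, 30)),  # already expired
    Membership("carol", "finance", default=False),            # not active at login
    Membership("dave", "finance", authority="CONNECT"),
])

if __name__ == "__main__":
    print(SAMPLE.members_of("finance"))
    print(SAMPLE.effective_members_of("finance", TODAY))
```

A model that dropped the connection attributes would report bob and carol as current members of the group, which is the gap between recorded and effective access that the examples in the thread point at.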