OASIS Mailing List Archives

provision message


Subject: Re: [provision] Working Group call 20040727.


Thank you, Doron.  I was able to find one more example:  Entrust 
GetAccess group memberships require an expiration date.

Cohen, Doron wrote:

>Gary,
>
>1. Here are relationship attribute examples for account provisioning:
>
>a. SAP - User membership in roles carries expiration date
>b. Oracle Database - Membership of users in groups contains the 'default'
>attribute which means that that connection is active at login time.
>Connections that are not marked default are not in effect until explicit
>definition by the user
>c. CA-Top Secret - User connections to profiles involve expiration and
>ordering of user profiles
>d. IBM RACF - User authority in groups is part of the connection /
>membership details 
>
>2. In addition, there are additional considerations:
>
>a. When you come to consider extending account provisioning to deal with
>fine-grained resources and be able to associate users with network and
>application resources (whether directories, printers, etc.), you get into
>ACLs, which are in fact relationships that require attributes.
>b. As every provisioning service may need to expose relationships to roles,
>policies and metadata governed by its automation model, I think the ability
>to express attributes for those relations is very helpful, for reasons
>similar to those of the systems mentioned in the examples above.
>
>Regards
>Doron
>
>Doron Cohen
>Chief Architect, Security BU
>BMC Software
>
>-----Original Message-----
>From: Gary P Cole [mailto:Gary.P.Cole@Sun.COM] 
>Sent: Tuesday, July 27, 2004 7:56 PM
>To: 'PSTC'
>Subject: [provision] Working Group call 20040727.
>
>
>Participants in this morning's working group call debated whether SPML 
>2.0 needs to support what we term "complex" relationships:  
>relationships where the connection itself has attributes.
>
>Attendees:
>- Rob Sherwood
>- Doron Cohen (BMC)
>- Jeff Bohren (Open Networks)
>- Gary Cole (Sun)
>
>Mr. Cohen took the position that the ability to express relationships in 
>SPML 2.0 should include the ability to express complex relationships.  
>Mr. Bohren explained that he will oppose support for complex 
>relationships--and indeed, will oppose making relationships explicit--if 
>this unduly complicates support for simple relationships. 
>
>Mr. Bohren requires 1) the ability to search based on relationships and 
>2) that the search result identify each connected object.  Mr. Bohren 
>can do this today with SPML 1.0, and will not accept any added 
>indirection that requires additional processing.
>
>Action Items:
>-------------
>1) Doron Cohen and Gary Cole will seek more examples of complex 
>relationships.  The goal is to demonstrate that the need to manage 
>complex relationships is general--and not specific to RACF.
>
>2) Jeff Bohren and Gary Cole will discuss Mr. Bohren's requirements to 
>search based on relationships.  The goal is to fully understand the 
>behavior that Mr. Bohren feels must be preserved, and to understand 
>where the current (strawman) proposal may fall short.
>
>The overarching goal is to see whether the proposal can be modified or 
>extended to meet both sets of requirements.
>
>Gary
>
>
>
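
The distinction debated in this thread, as an added example that is not part of the original messages and is not SPML syntax: a membership modelled as a connection carrying its own attributes (an expiration date, as in the SAP and Entrust GetAccess cases, and a "default" flag, as in the Oracle case), searched by relationship so that the result names each connected object directly. All class names, function names and sample data are hypothetical, and treating a membership as valid through its expiration date is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Membership:
    """A 'complex' relationship: the connection itself carries attributes."""
    user: str
    group: str
    expires: Optional[date] = None  # expiration date on the membership
    default: bool = True            # False: not in effect until enabled by the user

    def in_effect(self, today: date) -> bool:
        # Assumption: a membership stays valid through its expiration date.
        if self.expires is not None and today > self.expires:
            return False
        return self.default


def members_simple(group: str, links: List[Membership]) -> List[str]:
    """Search by relationship, ignoring the connection's attributes."""
    return sorted(m.user for m in links if m.group == group)


def members_in_effect(group: str, links: List[Membership], today: date) -> List[str]:
    """Same search, still returning the connected objects directly,
    but filtered on the connection's own attributes."""
    return sorted(m.user for m in links if m.group == group and m.in_effect(today))


def expired(links: List[Membership], today: date) -> List[Membership]:
    """Connections past their expiration date, e.g. for deprovisioning review."""
    return [m for m in links if m.expires is not None and today > m.expires]


# Constructed sample data (hypothetical users and groups).
LINKS = [
    Membership("alice", "dba", expires=date(2004, 12, 31)),
    Membership("bob", "dba", expires=date(2004, 6, 30)),
    Membership("carol", "dba", default=False),
    Membership("dave", "audit"),
]

if __name__ == "__main__":
    today = date(2004, 7, 27)
    print(members_simple("dba", LINKS))
    print(members_in_effect("dba", LINKS, today))
    print([m.user for m in expired(LINKS, today)])
```

A model that drops the connection attributes reports all three users as members of the group, while the attribute-aware search reports only the one whose membership is actually in effect.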



