Subject: Re: [regrep] [RS Issue] Internal Vs. External Users


David,

My experience has been that there is no such thing in an enterprise 
environment as a "registry user", but (ideally) there are typically 
"users with registry related roles, or group memberships".

Now, the more I think about this, the more I see that what we really 
need to do is abolish the concepts of User, Organization and possibly 
groups in the registry and replace them with a generic object called 
"Principal".  Principal would only be used to notionally indicate 
ownership or participation in a registry event.  Things like User 
queries would go away...because realistically we may not have the 
ability to return all users requested.  Maybe the registry only knows 
about principals who have visited it and participated in a registry 
function.

I really don't see why we even need to represent users and orgs in the 
static fashion that we do now.  All I really care about is assigning 
ownership of submitted content, and enforcing permissions. 

I think something is taking shape here.  I think we need to 
significantly change how we handle users.

-Matt

David Webber (XML) wrote:

>Matt,
>
>OK.  
>
>So this is over and above the SSO SMP support
>that Farrukh noted that we have already.
>
>I'm trying to understand the use case here a bit
>better.  With the SAML SSO request it's clear
>that a user is trying to authenticate using the SAML
>services.  So - we need to bootstrap that - what
>happens the first time a user logs in  - and we
>do not know they have a SSO account yet?
>
>Brainstorming here - they go to "create new registry user" -
>and there they will have the chance to select 
>"Use existing SSO account", etc.
>
>I'm trying to see why the registry would need to query for
>a whole list of users - unless it's a help function - to prompt
>the user to pick an existing account from a list?  Obviously
>that is prone to security violations and brute force password
>attacks...
>
>DW
>
>----- Original Message ----- 
>From: "Matthew MacKenzie" <mattm@adobe.com>
>To: "David Webber (XML)" <david@drrw.info>
>Cc: "Farrukh Najmi" <Farrukh.Najmi@Sun.COM>; <regrep@lists.oasis-open.org>
>Sent: Monday, January 24, 2005 8:31 AM
>Subject: Re: [regrep] [RS Issue] Internal Vs. External Users
>
>
>>Not exactly David.  SAML is not the whole story.  How does a SAML 
>>assertion parlay into a list of users when a registry client makes a 
>>request asking for User instances?
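To make Matt's "Principal" proposal concrete, here is an added sketch (example code, not from the regrep thread or any registry implementation) of a registry that knows callers only as principals derived from an authenticated assertion, records ownership of submitted content, enforces an owner-or-admin rule, and can report only the principals that have actually participated in a registry event; the SAML subject and the "RegistryAdmin" role name are assumptions for illustration.

```python
"""Added illustration: a registry modelled on Principals rather than static
User/Organization objects. Nothing here is from the regrep thread."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    """Identity the registry sees per request. Assumed to be filled from a
    SAML assertion's subject and attribute statement; no static user table."""
    subject: str                    # e.g. the SAML NameID (assumed)
    roles: frozenset = frozenset()  # e.g. attribute values such as "RegistryAdmin"


class PermissionDenied(Exception):
    pass


@dataclass
class Registry:
    owners: dict = field(default_factory=dict)  # object id -> owning Principal
    seen: set = field(default_factory=set)      # principals that have participated

    def submit(self, who: Principal, obj_id: str) -> None:
        """Record ownership of newly submitted content."""
        if obj_id in self.owners:
            raise PermissionDenied(f"{obj_id} already has an owner")
        self.owners[obj_id] = who
        self.seen.add(who)

    def update(self, who: Principal, obj_id: str) -> None:
        """Only the owner or a registry admin may change an object."""
        self.seen.add(who)  # the registry learns of a principal by its visit
        owner = self.owners.get(obj_id)
        if owner is None:
            raise KeyError(obj_id)
        if who.subject != owner.subject and "RegistryAdmin" not in who.roles:
            raise PermissionDenied(f"{who.subject} may not update {obj_id}")

    def known_principals(self) -> set:
        """There is no 'list all users' query: the registry can only report
        the principals that have visited it and acted."""
        return set(self.seen)
```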
