Subject: Re: [regrep] [RS Issue] Internal Vs. External Users


Matthew MacKenzie wrote:

> David,
>
> My experience has been that there is no such thing in an enterprise 
> environment as a "registry user", but (ideally) there are typically 
> "users with registry related roles, or group memberships".
>
> Now, the more I think about this, the more I see that what we really 
> need to do is abolish the concepts of User, Organization and possibly 
> groups in the registry and replace them with a generic object called 
> "Principal".  Principal would only be used to notionally indicate 
> ownership or participation in a registry event.  Things like User 
> queries would go away...because realistically we may not have the 
> ability to return all users requested.  Maybe the registry only knows 
> about principals who have visited it and participated in a registry 
> function.
>
> I really don't see why we even need to represent users and orgs in the 
> static fashion that we do now.  All I really care about is assigning 
> ownership of submitted content, and enforcing permissions.
> I think something is taking shape here.  I think we need to 
> significantly change how we handle users.

We have had Users, Organizations, Roles and Groups for several releases. 
I agree that over time we need to remove these and align with SAML and 
other security standards to define their replacement.

I feel strongly however that we should not do this in version 3 since 
these would be major changes which I believe are too late to do at this 
stage in version 3. I propose we defer any changes in this area to 
version 4.

>
> -Matt
>
> David Webber (XML) wrote:
>
>> Matt,
>>
>> OK.
>> So this is over and above the SSO SMP support
>> that Farrukh noted that we have already.
>>
>> I'm trying to understand the use case here a bit
>> better.  With the SAML SSO request it's clear
>> that a user is trying to authenticate using the SAML
>> services.  So - we need to bootstrap that - what
>> happens the first time a user logs in - and we
>> do not know they have a SSO account yet?
>>
>> Brainstorming here - they go to "create new registry user" -
>> and there they will have the chance to select "Use existing SSO 
>> account", etc.
>>
>> I'm trying to see why the registry would need to query for
>> a whole list of users - unless it's a help function - to prompt
>> the user to pick an existing account from a list?  Obviously
>> that is prone to security violations and brute force password
>> attacks...
>>
>> DW
>>
>> ----- Original Message ----- From: "Matthew MacKenzie" <mattm@adobe.com>
>> To: "David Webber (XML)" <david@drrw.info>
>> Cc: "Farrukh Najmi" <Farrukh.Najmi@Sun.COM>; 
>> <regrep@lists.oasis-open.org>
>> Sent: Monday, January 24, 2005 8:31 AM
>> Subject: Re: [regrep] [RS Issue] Internal Vs. External Users
>>
>>> Not exactly David.  SAML is not the whole story.  How does a SAML 
>>> assertion parlay into a list of users when a registry client makes a 
>>> request asking for User instances?


-- 
Regards,
Farrukh
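One way to model the principal-based ownership Matt sketches above, as an added example that is not code from the thread or from any ebXML registry implementation: the registry learns a principal only when it takes part in an event, the permission check compares principals and nothing else, and there is no user table to enumerate (the concern DW raises). The identity provider URL, principal names and object id are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    # Opaque identity taken from an authentication assertion (SAML issuer + subject);
    # the registry keeps no other attributes about the person or organization behind it.
    issuer: str
    subject: str

class PrincipalRegistry:
    """Ownership and permissions keyed on principals instead of a static User/Organization table."""

    def __init__(self) -> None:
        self._owner: dict[str, Principal] = {}    # object id -> owning principal
        self._seen: set[Principal] = set()         # principals that took part in a registry event

    def submit(self, actor: Principal, object_id: str) -> None:
        """Record the actor as a participant and make it the owner of the new object."""
        self._seen.add(actor)
        self._owner[object_id] = actor

    def is_owner(self, actor: Principal, object_id: str) -> bool:
        return self._owner[object_id] == actor

    def update(self, actor: Principal, object_id: str) -> bool:
        """Owner-only operation: the permission check compares principals and nothing else."""
        self._seen.add(actor)
        if not self.is_owner(actor, object_id):
            raise PermissionError(f"{actor.subject} does not own {object_id}")
        return True

    def known_principals(self) -> frozenset[Principal]:
        # All the registry can say about "users": the principals it has seen so far.
        return frozenset(self._seen)

    def list_users(self):
        # There is no user directory, so enumerating accounts is not an operation at all.
        raise NotImplementedError("no User objects; query owned content per principal instead")

def demo() -> dict:
    # Constructed sample principals, as an SSO assertion's issuer and NameID would supply them.
    alice = Principal("https://idp.example/saml", "alice")
    bob = Principal("https://idp.example/saml", "bob")
    reg = PrincipalRegistry()
    reg.submit(alice, "urn:example:doc-1")
    try:
        reg.update(bob, "urn:example:doc-1")
        bob_denied = False
    except PermissionError:
        bob_denied = True
    return {"alice_ok": reg.update(alice, "urn:example:doc-1"),
            "bob_denied": bob_denied, "known": reg.known_principals()}
```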


