Subject: Re: [regrep] [RS Issue] Internal Vs. External Users
Matthew MacKenzie wrote:
> David,
>
> My experience has been that there is no such thing in an enterprise
> environment as a "registry user", but (ideally) there are typically
> "users with registry related roles, or group memberships".
>
> Now, the more I think about this, the more I see that what we really
> need to do is abolish the concepts of User, Organization and possibly
> groups in the registry and replace them with a generic object called
> "Principal". Principal would only be used to notionally indicate
> ownership or participation in a registry event. Things like User
> queries would go away...because realistically we may not have the
> ability to return all users requested. Maybe the registry only knows
> about principals who have visited it and participated in a registry
> function.
>
> I really don't see why we even need to represent users and orgs in the
> static fashion that we do now. All I really care about is assigning
> ownership of submitted content, and enforcing permissions.
>
> I think something is taking shape here. I think we need to
> significantly change how we handle users.

We have had Users, Organizations, Roles and Groups for several releases.
I agree that over time we need to remove these and align with SAML and
other security standards to define their replacement. I feel strongly,
however, that we should not do this in version 3, since these would be
major changes which I believe are too late to do at this stage in
version 3. I propose we defer any changes in this area to version 4.

> -Matt
>
> David Webber (XML) wrote:
>
>> Matt,
>>
>> OK.
>> So this is over and above the SSO SMP support
>> that Farrukh noted that we have already.
>>
>> I'm trying to understand the use case here a bit
>> better. With the SAML SSO request it's clear
>> that a user is trying to authenticate using the SAML
>> services. So - we need to bootstrap that - what
>> happens the first time a user logs in - and we
>> do not know they have an SSO account yet?
>>
>> Brainstorming here - they go to "create new registry user" -
>> and there they will have the chance to select "Use existing SSO
>> account", etc.
>>
>> I'm trying to see why the registry would need to query for
>> a whole list of users - unless it's a help function - to prompt
>> the user to pick an existing account from a list? Obviously
>> that is prone to security violations and brute force password
>> attacks...
>>
>> DW
>>
>> ----- Original Message -----
>> From: "Matthew MacKenzie" <mattm@adobe.com>
>> To: "David Webber (XML)" <david@drrw.info>
>> Cc: "Farrukh Najmi" <Farrukh.Najmi@Sun.COM>; <regrep@lists.oasis-open.org>
>> Sent: Monday, January 24, 2005 8:31 AM
>> Subject: Re: [regrep] [RS Issue] Internal Vs. External Users
>>
>>> Not exactly David. SAML is not the whole story. How does a SAML
>>> assertion parlay into a list of users when a registry client makes a
>>> request asking for User instances?
>
> To unsubscribe from this mailing list (and be removed from the roster
> of the OASIS TC), go to
> http://www.oasis-open.org/apps/org/workgroup/regrep/members/leave_workgroup.php.

--
Regards,
Farrukh
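The "Principal" model that Matt sketches above, worked through as an added example (this is not code from the OASIS regrep TC or from any ebXML Registry implementation, and it is not Farrukh's or Matt's code). It shows what the registry would keep if it dropped static User and Organization records: a Principal is derived from the SAML assertion a caller presents, the registry records a Principal only once it has submitted something, and ownership and permission checks run against the owner recorded on the object plus the roles in the caller's assertion. The assertion XML, the "role" attribute name, the "RegistryAdministrator" role and the object ids are all constructed for this example.

```python
"""Principal-based ownership and permission checks for a registry.

Added example, not code from the regrep TC or the ebXML Registry project.
Assumptions (constructed for this example): the caller presents a SAML 2.0
assertion whose NameID names the subject and whose "role" attribute carries
registry roles; the role name "RegistryAdministrator" may modify anything.
"""
from dataclasses import dataclass, field
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ADMIN_ROLE = "RegistryAdministrator"  # constructed role name


@dataclass(frozen=True)
class Principal:
    """Identity comes from the assertion's Issuer and Subject, not a user table."""
    issuer: str
    subject: str
    roles: frozenset = field(default_factory=frozenset)

    @property
    def id(self) -> str:
        # Qualify the subject by issuer so two IdPs cannot collide on a name.
        return f"{self.issuer}!{self.subject}"


def principal_from_assertion(xml_text: str) -> Principal:
    """Derive a Principal from a (constructed) SAML 2.0 assertion.

    Signature and condition checks are assumed to have been done by the SSO
    layer before this point; this function only maps identity and roles.
    """
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not issuer or not subject:
        raise ValueError("assertion lacks Issuer or Subject NameID")
    roles = frozenset(
        value.text
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS)
        if attr.get("Name") == "role"
        for value in attr.findall("saml:AttributeValue", SAML_NS)
        if value.text
    )
    return Principal(issuer, subject, roles)


class Registry:
    """Keeps only ownership records and the principals that have participated."""

    def __init__(self) -> None:
        self.objects: dict = {}     # object id -> owner principal id
        self.principals: dict = {}  # principal id -> Principal (participants only)

    def submit(self, caller: Principal, obj_id: str) -> None:
        # The registry learns of a principal only when it submits something.
        self.principals.setdefault(caller.id, caller)
        self.objects[obj_id] = caller.id

    def is_permitted(self, caller: Principal, action: str, obj_id: str) -> bool:
        if obj_id not in self.objects:
            return False
        if action == "read":
            return True  # any authenticated principal may read
        if action in ("update", "delete"):
            # Owner or an administrator role from the assertion; no user lookup.
            return self.objects[obj_id] == caller.id or ADMIN_ROLE in caller.roles
        return False  # unknown actions are denied

    def known_principals(self) -> list:
        return sorted(self.principals)


def _assertion(subject: str, *roles: str) -> str:
    """Build a minimal constructed SAML 2.0 assertion for the example."""
    attrs = "".join(
        f'<saml:Attribute Name="role"><saml:AttributeValue>{r}</saml:AttributeValue></saml:Attribute>'
        for r in roles
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">'
        "<saml:Issuer>https://idp.example.test</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


ALICE_ASSERTION = _assertion("alice", "Submitter")
BOB_ASSERTION = _assertion("bob", ADMIN_ROLE)
CAROL_ASSERTION = _assertion("carol")


def demo() -> dict:
    """Run the constructed scenario and return the access decisions."""
    reg = Registry()
    alice = principal_from_assertion(ALICE_ASSERTION)
    bob = principal_from_assertion(BOB_ASSERTION)
    carol = principal_from_assertion(CAROL_ASSERTION)
    reg.submit(alice, "urn:example:obj1")  # constructed object id
    return {
        "alice_update": reg.is_permitted(alice, "update", "urn:example:obj1"),
        "carol_update": reg.is_permitted(carol, "update", "urn:example:obj1"),
        "carol_read": reg.is_permitted(carol, "read", "urn:example:obj1"),
        "bob_delete": reg.is_permitted(bob, "delete", "urn:example:obj1"),
        "known": reg.known_principals(),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `known_principals()` is the one Matt makes: after the run the registry knows only alice, because only alice has participated; bob and carol are authenticated callers whose permissions were decided entirely from their assertions, so there is no static user list for a client to query.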