Subject eP(S)A comparison (was RE: ePTID comparison)
From "Andrew Cormack" <Andrew.Cormack@xxxxxx>
Date Fri, 28 Aug 2009 08:24:45 +0100

> -----Original Message-----
> From: David L. Wasley [mailto:dlwasley@xxxxxxxxxxxxx]
> Sent: 27 August 2009 19:49
> To: refeds@xxxxxxxxxx; Core-UKFederation
> Cc: Andrew Cormack; Mikael Linden
> Subject: Re: [refeds] ePTID comparison
> Andrew,  I think what you are describing is eduPersonAffiliation, not
> epTID.

You're right, of course. I was also discussing ePTID in another mail
stream (also including Mikael as it happens)! Sorry for my confusion:
I've changed the subject now.

> Clearly the eP spec is U.S. centric (sorry about
> that) and we didn't consider a hierarchy when
> defining that object.  In our institutions a
> student may also be an employee.

Same is true here, and in most other countries. But I think those cases
are different, because that really is a person with two different roles.
What I was trying to get at were the automatic subsets - e.g. if I am
"faculty" then I am also "member" - since differences there seemed to
have the most potential for messing up service providers.

>  Faculty is a
> partially overlapping set with employee (some
> teachers are not paid employees) and/or student
> (some teachers are grad students) so the
> distinction is more along the lines of
> 'functional role' than any sort of hierarchy.

That matches Mikael's description of HAKA. Unfortunately it's not what
we have done in the UK: the most obvious difference is that for us
Faculty is a subset of Staff, whereas in other federations those appear
to be two disjoint subsets (other than individuals with two roles).

Am I right in thinking that in the US "Staff" are roughly those who
aren't Faculty? Your "staff clubs" may be rather different from ours in
that case ;-)

> "Member" is a derived value and can mean
> different things at different campuses.  In
> general, it is someone who is considered eligible
> for campus funded services.

Perhaps Member is the *only* derived value? With the others as possibly
overlapping subsets of it?

> Perhaps we need qualifiers (adjectives) on these values.

I'd be really reluctant to make the system any more complicated: we
already seem to have ample scope for different interpretations! My aim
in doing this was just to work out which values were used consistently,
so an inter-federating SP could use those in its access control rules
without having to think. Student, Faculty and Member (subject to the
wrinkles that Peter has pointed out) seem to be ok. And actually I think
those are probably the most important.

But we probably do need to point out to SPs that "Employee" has some
radically different interpretations at the moment: a Finnish SP who
applies that rule to IdPs in the UK is going to get a lot fewer matches
than they expect, and a UK SP who applies it to the Finns is going to
get a lot more. A Finnish SP who applies it to the French and Swiss
won't get any matches: the Swiss don't mention it and the French
explicitly prohibit it! And "Staff" has similar problems if transferred
across the UK borders.

I'm struck by the irony that it's the two countries that supposedly have
the same language that have come up with the different interpretations.
And the fact that the rest of Europe has, for once, sided with the US
against us ;-)

I'll re-write the document, and enquire locally whether there's any
possibility of modifying our interpretation.

> 	David
> -----
> At 3:01 PM +0100 on 8/27/09, Andrew Cormack wrote:
> >At the meeting in Malaga Mikael pointed out that the use of the ePTID
> >values "staff" and "employee" was significantly different, to the extent
> >that they are at different locations in the hierarchy of values, between
> >the HAKA and UK federations. In the UK "employee" is a sub-class of
> >"staff" whereas in HAKA "staff" is a subset of "employee"! This has
> >probably arisen because the eduPerson spec doesn't state the
> >relationship between these values. I offered to look at other
> >federations' definitions to see which values were used in a
> >way, and which weren't.
> >
> >The preliminary results, for the federations whose schemata are
> >available from the refeds wiki, are attached. I hope the diagrams are
> >obvious - values on the right-hand side are subsets of those to the left
> >of them.
> >
> >In fact there are only four federations for which I could work out
> >complete hierarchy, and those have four different variations!
> >
> >Please could RENATER and SWITCH confirm that I have understood their
> >definitions correctly? In particular for SWITCH I'm not clear whether or
> >not someone who is "alum" is also "member"; for RENATER (who
> >have the clearest definition - thanks), please could you confirm whether
> >"retired" and "emeritus" get "member" as well?
> >
> >Of the other federations, the links from AAF and don't seem
> >be accessible to non-members; SIR, AAI@EduHr and SURFnet don't make
> >clear what their hierarchy of values is; and FEIDE, Swamid, and InCommon
> >refer to the original eduPerson specification, which is silent on the
> >question of hierarchy. If any of those would like to let me know what
> >their hierarchies look like then I'd be delighted to add them.
> >
> >The good news is that "affiliate", "alum", "student", "faculty" and
> >"walk-in-user" seem to be used consistently; the bad news is that
> >"staff", "employee", and possibly "member" don't.
> >
> >Cheers
> >Andrew
> >--
> >Andrew Cormack, Chief Regulatory Adviser
> >JANET(UK), Lumen House, Library Avenue, Harwell Science and
> >Campus, Didcot, OX11 0SG, UK
> >Phone: +44 (0) 1235 822302
> >Fax: +44 (0) 1235 822399
> >
> >JANET, the UK's education and research network
> >
> >JANET(UK) is a trading name of The JNT Association, a company limited
> >by guarantee which is registered in England under No. 2881024
> >and whose Registered Office is at Lumen House, Library Avenue,
> >Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG
> >
> >
> >
> >Content-Type: application/msword;
> >	name="ePSA comparison 0.01.doc"
> >Content-Description: ePSA comparison 0.01.doc
> >Content-Disposition: attachment;
> >	filename="ePSA comparison 0.01.doc"
> >
> >Attachment converted: Io HD:ePSA comparison 0.01.doc (WDBN/<IC>)
> (00BECA46)
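
The effect described in this thread, that one SP access rule on an eduPersonAffiliation value matches different populations depending on the IdP's federation, as an added example that is not part of the original messages or the attached comparison document. It encodes only the subset relations stated in the thread; the `role` labels, the sample population and the function names are assumptions made for the illustration.

```python
# Added illustration; relations below are only those stated in this thread.
# IMPLIES[fed][v] = values automatically asserted alongside v in that federation.
IMPLIES = {
    "UK": {"faculty": {"staff"}, "employee": {"staff"}},  # both subsets of staff
    "HAKA": {"staff": {"employee"}},                      # staff subset of employee
    "RENATER": {},
    "SWITCH": {},
}
# "employee" is prohibited by the French and not mentioned by the Swiss.
NOT_RELEASED = {"RENATER": {"employee"}, "SWITCH": {"employee"}}


def released(fed, role):
    """Values an IdP in `fed` would assert for a user recorded as `role`."""
    out, todo = set(), [role]
    while todo:
        value = todo.pop()
        if value not in out:
            out.add(value)
            todo.extend(IMPLIES[fed].get(value, ()))
    return out - NOT_RELEASED.get(fed, set())


def sp_allows(required, fed, role):
    """SP access rule: admit the user if `required` is among released values."""
    return required in released(fed, role)


def divergent(required, roles, feds):
    """Roles for which one SP rule gives different answers across federations."""
    result = {}
    for role in roles:
        answers = {fed: sp_allows(required, fed, role) for fed in feds}
        if len(set(answers.values())) > 1:
            result[role] = answers
    return result


if __name__ == "__main__":
    feds = ["UK", "HAKA", "RENATER", "SWITCH"]
    roles = ["student", "faculty", "staff"]  # constructed sample population
    for rule in ("student", "staff", "employee"):
        print(rule, divergent(rule, roles, feds))
```

An SP can run a check of this kind over the federations it accepts before writing a rule, and restrict its rules to values for which `divergent` returns nothing.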