Subject RE: Re: eP(S)A comparison
From "David L. Wasley" <dlwasley@xxxxxxxxxxxxx>
Date Fri, 28 Aug 2009 10:04:51 -0700

At 2:13 PM +0100 on 8/28/09, Andrew Cormack wrote:

 "Faculty" and "student" may be useful, but
as others have pointed out there are a very large number of people who
are both, so making something visible to one group and not the other
isn't going to keep many secrets!

This is the dilemma of whether a specific person should have the union of all privileges or an exclusive subset. There is no single answer; it depends ...

As an undergraduate I also had a paid position with the university so I had library privileges that other students didn't. Was that fair? Dunno.
  [affiliation == "student" & "staff"; access == "staff"]

If I had been working in the Student Services office, could I have gained access to student financial records? Probably, but I should not have been allowed.
  [affiliation == "student" & "staff"; access == "staff" and not "student"]

So again, I suggest looking at what the algorithm(s) are for determining appropriate access and then looking at the "attributes" that an IdP might provide which would be useful in exercising those algorithms. Maybe what we have now is fine for a large set of use cases but maybe additional ones are needed for more stringent cases.
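The two bracketed rules above can be turned into a small policy evaluator. The following is an added example and is not part of the thread or of any IdP/SP software: it assumes a multi-valued, scoped affiliation attribute carrying values of the form `affiliation@scope` (as eduPersonScopedAffiliation does), a constructed policy table with two illustrative resource names (`library-staff-loans`, `student-financial-records`), and a trusted home scope `example.edu`. The first resource follows the union-of-privileges rule (staff access applies even if the person is also a student); the second follows the exclusive-subset rule (a student affiliation overrides the staff grant).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    """Access rule for one resource (constructed for this example).

    grant:   affiliations any one of which permits access (union of privileges)
    exclude: affiliations whose presence overrides the grant (exclusive subset)
    scope:   home organisation whose affiliation assertions are trusted
    """
    grant: frozenset
    exclude: frozenset = frozenset()
    scope: str = "example.edu"  # assumed trusted scope


# Constructed policy table illustrating the two cases in the message.
POLICIES = {
    # union rule: staff library privileges apply even to someone who is also a student
    "library-staff-loans": Policy(grant=frozenset({"staff"})),
    # exclusive rule: staff may read student financial records only if NOT also a student
    "student-financial-records": Policy(grant=frozenset({"staff"}),
                                        exclude=frozenset({"student"})),
}


def parse_scoped_affiliations(values, trusted_scope):
    """Reduce scoped values such as 'staff@example.edu' to a set of plain
    affiliations, keeping only those asserted for the trusted scope.
    Values without a scope, or scoped elsewhere, are ignored rather than
    trusted, since the SP cannot tell who vouched for them."""
    affiliations = set()
    for value in values:
        if "@" not in value:
            continue
        affiliation, _, scope = value.rpartition("@")
        if scope.lower() == trusted_scope.lower() and affiliation:
            affiliations.add(affiliation.lower())
    return affiliations


def decide(values, resource):
    """Return ('permit'|'deny', reason) for a set of asserted affiliation values.

    Exclusions are checked before grants so that the exclusive-subset rule
    wins whenever a person holds conflicting affiliations."""
    policy = POLICIES[resource]
    affs = parse_scoped_affiliations(values, policy.scope)
    excluded = affs & policy.exclude
    if excluded:
        return ("deny", "excluded affiliation(s): " + ", ".join(sorted(excluded)))
    granting = affs & policy.grant
    if granting:
        return ("permit", "granted via: " + ", ".join(sorted(granting)))
    return ("deny", "no granting affiliation in trusted scope")


if __name__ == "__main__":
    # Constructed sample assertions for the undergraduate-with-a-staff-job case.
    both = ["student@example.edu", "staff@example.edu"]
    for resource in POLICIES:
        print(resource, decide(both, resource))
    # Constructed assertion from a different organisation: not trusted here.
    print("library-staff-loans", decide(["staff@other.edu"], "library-staff-loans"))
```

The evaluator shows that the choice between union and exclusive-subset semantics is a per-resource policy decision, not a property of the attribute itself; the IdP only needs to assert the affiliations faithfully, and the scope check keeps a `staff` value asserted for another organisation from being mistaken for local staff status.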