Re: Comparison of eP(S)A values

[Keith Hazelton <hazelton@xxxxxxxxxxxxx>]

Seems reasonable to request MACE-Dir to do updates to the eduPerson  
spec.  Back with more info shortly.

            --Keith Hazelton
____________
On Oct 1, 2009, at 04:02, Andrew Cormack wrote:

> > -----Original Message-----
> > From: Keith Hazelton [mailto:hazelton@xxxxxxxxxxxxx]
> > Sent: 22 September 2009 15:31
> > To: Andrew Cormack
> > Cc: REFeds; Mikael Linden; mace-dir
> > Subject: Re: [refeds] Comparison of eP(S)A values
> >
> > Andrew, Mikael:
> >
> > In the spirit of your conclusion, unless there are driving real world
> > use cases where the value "employee" becomes critical in an
> > interfederation context, it's probably not worth spending precious
> > cycles worrying our brains about it.
>
> We very much hope that's the case
>
> > In general, MACE-Dir folks would like to know if there are real world
> > or planned usage scenarios for each of the other values.
>
> As far as I know, the GN3 project is developing a set of use cases to
> look at, so I'd hope that could either identify those requirements, or
> else increase the likelihood that they don't exist.
>
> My personal suspicion, and I've not yet found any counter-examples, is
> that real-world access control (particularly for cross-domain
> applications) either depends on simple membership of a particular
> organisation or on being a particular person. There are some useful
> groupings of particular people - students on course X is an obvious  
> one,
> or budget holders - but those seem to be ad hoc lists of particular
> people rather than being derived from any other characteristic.  
> Even if
> someone did try to implement an access rule that, for example,  
> included
> faculty but excluded students then there are sufficient individuals  
> who
> are in both groups (most PhD students!) that the rule would be pretty
> leaky anyway. Within a single organisation there may be use cases that
> depend on things like "does this person have an employment contract",
> but there the IdP and SP are going to be in the same management domain
> so shouldn't suffer from different definitions of a particular value.
>
> > Finally, the trickier questions:  Should the eP spec be revised to
> > include something like your bolded definitions?  If so, what is the
> > process and who should be involved, who (or what organization) should
> > issue it.  If not, should your document be considered to "profile" eP
> > for inter-federation scenarios?
>
> If possible, I'd much prefer simple definitions to be included in the
> eduPerson spec. Putting them in an inter-federation profile risks
> another federation discovering that they have chosen the wrong
> interpretation only when they think about inter-federation, i.e.  
> *after*
> they have rolled it out to tens or hundreds of IdPs and SPs :-(
>
> I don't know what the process for updating that spec is, but if  
> there's
> anything I can do to help, please let me know. The suggested  
> definitions
> in our paper are very much suggestions, but I'm very happy to make  
> them
> freely available if they are useful.
>
> Cheers
> Andrew
>
> >             I can imagine how painstaking the efforts were in pulling
> > together that document,  thank you.   --Keith
> > __________
> > On Sep 22, 2009, at 04:12, Andrew Cormack wrote:
> >
> > > Keith/Michael
> > >
> > > [Could one of you forward this to MACE-DIR, if appropriate, since
> I'm
> > > pretty sure it'll reject my attempt to post there?]
> > >
> > > Many thanks for the feedback and for giving it time on the MACE-DIR
> > > agenda. All suggestions, corrections and comments very welcome. I'm
> > > planning on producing a final version of the paper after the Refeds
> > > meeting in Rome on the 20-somethingth of October (that meeting
> should
> > > also produce some slides to accompany the paper). Comments in-line
> > > below.
> > >
> > > > -----Original Message-----
> > > > From: Keith Hazelton [mailto:hazelton@xxxxxxxxxxxxx]
> > > > Sent: 21 September 2009 20:49
> > > > To: refeds@xxxxxxxxxx
> > > > Cc: Andrew Cormack; Mikael Linden; mace-dir
> > > > Subject: Re: [refeds] Comparison of eP(S)A values
> > > >
> > > > We'll be talking over this usage comparison doc on today's MACE-Dir
> > > > call.
> > > >
> > > > Please consider the following an historical note:
> > > >
> > > > The value "employee" was included in the controlled vocabulary for
> > > > eP*A since the first release of eduPerson (1.0, Feb., 2001).  I
> have
> > > > distinct memories (but no documents) that we included that
> > > > specifically to cover the UK case where teachers, researchers and
> > > > other workers are lumped under a single term.  "Employee" was
> > > > intended to serve as this single term.  Unfortunately this intended
> > > > usage was never made explicit in the eduPerson specification.
> > > > According to Andrew and Mikael's usage comparison, the UK term of
> > > > preference would be "staff" rather than "employee."
> > >
> > > Indeed it seems we latched onto "staff" as having that meaning,
> > > whereas
> > > everyone else followed the US in using that for
> "non-faculty-workers"
> > > and either used "employee" more or less as intended or ignored the
> > > category. Sigh, especially if the whole reason for creating it was
> to
> > > meet the UK requirements :-(
> > >
> > > > I bring this up only because the proposed definition in the REFEDS
> > > > document is "staff" are "workers other than teachers or
> > > > researchers."  This would seem to go against UK Access Management
> > > > Federation usage.  Is this particular category of affiliation worth
> > > > further discussion?
> > >
> > > Indeed it is the reverse of our current usage, but it seems to be
> > what
> > > everyone else uses it for, so I felt the document should go with the
> > > majority.
> > >
> > > I've suggested internally that we have a think about how much pain
> > > would
> > > be caused for UK federation IdPs if we were to ask them to swap
> > > over the
> > > terms, and for SPs in coping with a period of transition where the
> > > meanings of both "staff" and "employee" will depend on whether or
> not
> > > the IdP concerned has switched. I'm hoping that not too many SPs
> have
> > > decided to use that value in their authorisation decisions so that
> > > only
> > > a few are affected and we can persuade them that it's not
> disastrous.
> > > Overall I'm viewing "staff" as a problem that only requires us to
> > > change
> > > to fix it, whereas the use of "employee" is much more varied so if
> we
> > > want to standardise it then several federations will need to change
> > > their current practice.
> > >
> > > Best wishes
> > > Andrew
> > >
> > > >                --Keith
> > >
> > >
> > >
> > > --
> > > Andrew Cormack, Chief Regulatory Adviser
> > > JANET(UK), Lumen House, Library Avenue, Harwell Science and
> > Innovation
> > > Campus, Didcot, OX11 0SG, UK
> > > Phone: +44 (0) 1235 822302
> > > Fax: +44 (0) 1235 822399
> > >
> > > JANET, the UK's education and research network
> > >
> > > JANET(UK) is a trading name of The JNT Association, a company
> limited
> > > by guarantee which is registered in England under No. 2881024
> > > and whose Registered Office is at Lumen House, Library Avenue,
> > > Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG