Refeds
Subject | Re: Comparison of eP(S)A values |
From | Keith Hazelton <hazelton@xxxxxxxxxxxxx> |
Date | Thu, 01 Oct 2009 11:14:24 -0500 |
Seems reasonable to request MACE-Dir to do updates to the eduPerson spec. Back with more info shortly.
--Keith Hazelton
____________
On Oct 1, 2009, at 04:02, Andrew Cormack wrote:
-----Original Message-----
From: Keith Hazelton [mailto:hazelton@xxxxxxxxxxxxx]
Sent: 22 September 2009 15:31
To: Andrew Cormack
Cc: REFeds; Mikael Linden; mace-dir
Subject: Re: [refeds] Comparison of eP(S)A values

Andrew, Mikael:

In the spirit of your conclusion, unless there are driving real world use cases where the value "employee" becomes critical in an interfederation context, it's probably not worth spending precious cycles worrying our brains about it.

We very much hope that's the case

In general, MACE-Dir folks would like to know if there are real world or planned usage scenarios for each of the other values.

As far as I know, the GN3 project is developing a set of use cases to look at, so I'd hope that could either identify those requirements, or else increase the likelihood that they don't exist.

My personal suspicion, and I've not yet found any counter-examples, is that real-world access control (particularly for cross-domain applications) either depends on simple membership of a particular organisation or on being a particular person. There are some useful groupings of particular people - students on course X is an obvious one, or budget holders - but those seem to be ad hoc lists of particular people rather than being derived from any other characteristic. Even if someone did try to implement an access rule that, for example, included faculty but excluded students then there are sufficient individuals who are in both groups (most PhD students!) that the rule would be pretty leaky anyway.

Within a single organisation there may be use cases that depend on things like "does this person have an employment contract", but there the IdP and SP are going to be in the same management domain so shouldn't suffer from different definitions of a particular value.

Finally, the trickier questions: Should the eP spec be revised to include something like your bolded definitions? If so, what is the process and who should be involved, who (or what organization) should issue it.
If not, should your document be considered to "profile" eP for inter-federation scenarios?

If possible, I'd much prefer simple definitions to be included in the eduPerson spec. Putting them in an inter-federation profile risks another federation discovering that they have chosen the wrong interpretation only when they think about inter-federation, i.e. *after* they have rolled it out to tens or hundreds of IdPs and SPs :-(

I don't know what the process for updating that spec is, but if there's anything I can do to help, please let me know. The suggested definitions in our paper are very much suggestions, but I'm very happy to make them freely available if they are useful.

Cheers
Andrew

I can imagine how painstaking the efforts were in pulling together that document, thank you.

--Keith
__________
On Sep 22, 2009, at 04:12, Andrew Cormack wrote:

Keith/Michael

[Could one of you forward this to MACE-DIR, if appropriate, since I'm pretty sure it'll reject my attempt to post there?]

Many thanks for the feedback and for giving it time on the MACE-DIR agenda. All suggestions, corrections and comments very welcome. I'm planning on producing a final version of the paper after the Refeds meeting in Rome on the 20-somethingth of October (that meeting should also produce some slides to accompany the paper).

Comments in-line below.

-----Original Message-----
From: Keith Hazelton [mailto:hazelton@xxxxxxxxxxxxx]
Sent: 21 September 2009 20:49
To: refeds@xxxxxxxxxx
Cc: Andrew Cormack; Mikael Linden; mace-dir
Subject: Re: [refeds] Comparison of eP(S)A values

We'll be talking over this usage comparison doc on today's MACE-Dir call.

Please consider the following an historical note: The value "employee" was included in the controlled vocabulary for eP*A since the first release of eduPerson (1.0, Feb., 2001). I have distinct memories (but no documents) that we included that specifically to cover the UK case where teachers, researchers and other workers are lumped under a single term. "Employee" was intended to serve as this single term. Unfortunately this intended usage was never made explicit in the eduPerson specification. According to Andrew and Mikael's usage comparison, the UK term of preference would be "staff" rather than "employee."

Indeed it seems we latched onto "staff" as having that meaning, whereas everyone else followed the US in using that for "non-faculty-workers" and either used "employee" more or less as intended or ignored the category. Sigh, especially if the whole reason for creating it was to meet the UK requirements :-(

I bring this up only because the proposed definition in the REFEDS document is "staff" are "workers other than teachers or researchers." This would seem to go against UK Access Management Federation usage. Is this particular category of affiliation worth further discussion?

Indeed it is the reverse of our current usage, but it seems to be what everyone else uses it for, so I felt the document should go with the majority. I've suggested internally that we have a think about how much pain would be caused for UK federation IdPs if we were to ask them to swap over the terms, and for SPs in coping with a period of transition where the meanings of both "staff" and "employee" will depend on whether or not the IdP concerned has switched. I'm hoping that not too many SPs have decided to use that value in their authorisation decisions so that only a few are affected and we can persuade them that it's not disastrous.

Overall I'm viewing "staff" as a problem that only requires us to change to fix it, whereas the use of "employee" is much more varied so if we want to standardise it then several federations will need to change their current practice.
Best wishes
Andrew

--Keith

--
Andrew Cormack, Chief Regulatory Adviser
JANET(UK), Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, OX11 0SG, UK
Phone: +44 (0) 1235 822302
Fax: +44 (0) 1235 822399
JANET, the UK's education and research network

JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG