Refeds


Subject Re: Comparison of eP(S)A values
From Keith Hazelton <hazelton@xxxxxxxxxxxxx>
Date Thu, 01 Oct 2009 14:24:00 -0500

Andrew & all:

Brendan Bellina, USC, current chair of MACE-Dir, supports this idea of an initiative to update the eduPerson spec, taking points raised in this thread as a starting point. I won't be at next week's I2 member meeting, but I will put together a discussion starter doc. & find someone from MACE-Dir to bring this up in the MACE-Dir Working Group session.

I guess a critical early question is whether MACE-Dir with its existing governance & process structures is a good enough and globally acceptable venue for this work. Please share your thoughts on this and the general proposal.

             --Keith
_________________
On Oct 1, 2009, at 11:14, Keith Hazelton wrote:

Seems reasonable to request MACE-Dir to do updates to the eduPerson spec. Back with more info shortly.

            --Keith Hazelton
____________
On Oct 1, 2009, at 04:02, Andrew Cormack wrote:

-----Original Message-----
From: Keith Hazelton [mailto:hazelton@xxxxxxxxxxxxx]
Sent: 22 September 2009 15:31
To: Andrew Cormack
Cc: REFeds; Mikael Linden; mace-dir
Subject: Re: [refeds] Comparison of eP(S)A values

Andrew, Mikael:

In the spirit of your conclusion, unless there are driving real world
use cases where the value "employee" becomes critical in an
interfederation context, it's probably not worth spending precious
cycles worrying our brains about it.

We very much hope that's the case

In general, MACE-Dir folks would like to know if there are real world
or planned usage scenarios for each of the other values.

As far as I know, the GN3 project is developing a set of use cases to
look at, so I'd hope that could either identify those requirements, or
else increase the likelihood that they don't exist.

My personal suspicion, and I've not yet found any counter-examples, is
that real-world access control (particularly for cross-domain
applications) either depends on simple membership of a particular
organisation or on being a particular person. There are some useful
groupings of particular people - students on course X is an obvious one,
or budget holders - but those seem to be ad hoc lists of particular
people rather than being derived from any other characteristic. Even if
someone did try to implement an access rule that, for example, included
faculty but excluded students then there are sufficient individuals who
are in both groups (most PhD students!) that the rule would be pretty
leaky anyway. Within a single organisation there may be use cases that
depend on things like "does this person have an employment contract",
but there the IdP and SP are going to be in the same management domain
so shouldn't suffer from different definitions of a particular value.

Finally, the trickier questions: Should the eP spec be revised to
include something like your bolded definitions? If so, what is the
process and who should be involved, who (or what organization) should
issue it? If not, should your document be considered to "profile" eP
for inter-federation scenarios?

If possible, I'd much prefer simple definitions to be included in the
eduPerson spec. Putting them in an inter-federation profile risks
another federation discovering that they have chosen the wrong
interpretation only when they think about inter-federation, i.e. *after*
they have rolled it out to tens or hundreds of IdPs and SPs :-(

I don't know what the process for updating that spec is, but if there's anything I can do to help, please let me know. The suggested definitions in our paper are very much suggestions, but I'm very happy to make them
freely available if they are useful.

Cheers
Andrew

I can imagine how painstaking the efforts were in pulling
together that document,  thank you.   --Keith
__________
On Sep 22, 2009, at 04:12, Andrew Cormack wrote:

Keith/Michael

[Could one of you forward this to MACE-DIR, if appropriate, since I'm
pretty sure it'll reject my attempt to post there?]

Many thanks for the feedback and for giving it time on the MACE-DIR
agenda. All suggestions, corrections and comments very welcome. I'm
planning on producing a final version of the paper after the Refeds
meeting in Rome on the 20-somethingth of October (that meeting should
also produce some slides to accompany the paper). Comments in-line
below.

-----Original Message-----
From: Keith Hazelton [mailto:hazelton@xxxxxxxxxxxxx]
Sent: 21 September 2009 20:49
To: refeds@xxxxxxxxxx
Cc: Andrew Cormack; Mikael Linden; mace-dir
Subject: Re: [refeds] Comparison of eP(S)A values

We'll be talking over this usage comparison doc on today's MACE-Dir
call.

Please consider the following an historical note:

The value "employee" was included in the controlled vocabulary for
eP*A since the first release of eduPerson (1.0, Feb., 2001). I have
distinct memories (but no documents) that we included that
specifically to cover the UK case where teachers, researchers and
other workers are lumped under a single term. "Employee" was
intended to serve as this single term. Unfortunately this intended
usage was never made explicit in the eduPerson specification.
According to Andrew and Mikael's usage comparison, the UK term of
preference would be "staff" rather than "employee."

Indeed it seems we latched onto "staff" as having that meaning, whereas
everyone else followed the US in using that for "non-faculty-workers"
and either used "employee" more or less as intended or ignored the
category. Sigh, especially if the whole reason for creating it was to
meet the UK requirements :-(

I bring this up only because the proposed definition in the REFEDS
document is "staff" are "workers other than teachers or
researchers."  This would seem to go against UK Access Management
Federation usage. Is this particular category of affiliation worth
further discussion?

Indeed it is the reverse of our current usage, but it seems to be what
everyone else uses it for, so I felt the document should go with the
majority.

I've suggested internally that we have a think about how much pain would
be caused for UK federation IdPs if we were to ask them to swap over the
terms, and for SPs in coping with a period of transition where the
meanings of both "staff" and "employee" will depend on whether or not
the IdP concerned has switched. I'm hoping that not too many SPs have
decided to use that value in their authorisation decisions so that only
a few are affected and we can persuade them that it's not disastrous.

Overall I'm viewing "staff" as a problem that only requires us to change
to fix it, whereas the use of "employee" is much more varied so if we
want to standardise it then several federations will need to change
their current practice.

Best wishes
Andrew


               --Keith



--
Andrew Cormack, Chief Regulatory Adviser
JANET(UK), Lumen House, Library Avenue, Harwell Science and Innovation
Campus, Didcot, OX11 0SG, UK
Phone: +44 (0) 1235 822302
Fax: +44 (0) 1235 822399

JANET, the UK's education and research network

JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG