Subject Re: VO challenges - article
From "Cantor, Scott" <cantor.2@xxxxxxx>
Date Mon, 26 Oct 2015 13:48:50 +0000

On 10/26/15, 5:33 AM, "Niels van Dijk" <niels.vandijk@xxxxxxxxxx> wrote:

>VOs are ultimately about allowing groups of users to share resources.
>This often implies managing access to the resources. Only the VO knows
>who its members are and what role the user has in the VO. This is why
>many cross institutional and international VOs will/must maintain
>their own authorization management. Also campus IT will not manage
>individual attributes on a per user basis in their campus IDM. There
>are just too many users they would need to do this for.

Campus sysadmins don't want to do a lot of things that are in actual fact their job, but that doesn't change what their job is. If you don't want to manage user attributes (or more to the point, provide the tools for users to do so for their use cases), don't run an IDM system.

VOs have to do this stuff because they aren't provided the tools and services needed by the campuses. In the US, that's partly because of a historical disconnect between campus IT and research computing support in many places.

I can't imagine the funding agencies are that thrilled about continuing to fund the same infrastructure over and over for every project.

BTW, this is the same argument used by the campus LMS operators for LTI. Once you follow the argument to its conclusion, there's always an "associated" application for every service that can just as easily act as the IdP because it's better "positioned" to know all the right information.

-- Scott