Subject RE: VO challenges - article
From "Jones, Mark B" <Mark.B.Jones@xxxxxxxxxxx>
Date Tue, 27 Oct 2015 02:27:25 +0000

> >VOs are ultimately about allowing groups of users to share resources.
> >This often implies managing access to the resources. Only the VO knows
> >who its members are and what role the user has in the VO. This is why
> >many cross institutional and international VOs will/must maintain their
> >own authorization management. Also campus IT will not manage individual
> >attributes on a per user basis in their campus IDM. There are just too
> >many users they would need to do this for.
> Campus sysadmins don't want to do a lot of things that are in actual fact
> their job, but that doesn't change what their job is. If you don't want to
> manage user attributes (or more to the point, provide the tools for users to
> do so for their use cases), don't run an IDM system.
[Mark] Either I have missed the point or you have.
Sysadmins managing their users' attributes for the purposes of their 
institution is something that I would consider to be "their job", but managing 
VO-specific attributes for VO purposes is not only not "their job" but it is 
unrealistic to expect ... which is what I thought was the point.

> VOs have to do this stuff because they aren't provided the tools and
> services needed by the campuses. In the US, that's partly because of a
> historical disconnect between campus IT and research computing support in
> many places.
[Mark] It may be useful to debate a very specific example.  What tools are you 
envisioning that institutions should provide to external entities for managing 
user attributes?

> I can't imagine the funding agencies are that thrilled about continuing to
> fund the same infrastructure over and over for every project.
> BTW, this is the same argument used by the campus LMS operators for LTI.
> Once you follow the argument to its conclusion, there's always an
> "associated" application for every service that can just as easily act as
> the IdP because it's better "positioned" to know all the right information.
> -- Scott
[Mark] The applications are better positioned to provide authorization, but 
NOT to provide authentication.  I am a campus LMS operator.  We do leverage 
LTIs.  But our LMS uses Shib instead of the LMS built-in authentication.

Attachment: smime.p7s
Description: S/MIME cryptographic signature