Subject Re: VO challenges - article
From David Chadwick <d.w.chadwick@xxxxxxxxxx>
Date Tue, 27 Oct 2015 19:13:10 +0000

I think the granularity is even finer than you suggest. From my
experience working in EU projects (which are VOs) then there may be 2 or
3 staff only in each project/VO, most likely with different roles, so
this means the university would need to individually manage separate
attributes for a few thousand staff. Quite an administratively
heavyweight task, is it not? It's much better to let the VO manager (the
overall project lead, who may be at another university) or his
delegate(s) do this.

Which incidentally is the way we engineered VO management in OpenStack.



On 27/10/2015 19:01, Paul Caskey wrote:
> Good point.  Driving it through researchers has not worked in the past.
> Let me ask a question:  Suppose I am an R1 university and I have 50,000 students and 20,000 staff/faculty.  How many researchers who do this type of collaboration (and need automated attribute release) would I typically have?  I honestly don’t know, but I suspect the number would pale in comparison to the other two numbers.  And, I think IT has largely become driven by those who scream with the loudest voice.  Further, the benefits of automating attribute release aren’t clear to CIOs, I suspect.  Will it make researchers less likely to leave my university?  Will they give me some of their grant money?  :)
> That said, I, as a former IdP Operator, would have been able to easily make the case to support R&S for researchers, if my institution had been able to designate them accurately in the IdM system.  We tried several years ago to establish a “researcher” attribute, but the IdM teams never could seem to find a data source to tap into.  The research office knew, but there was no easy way to automate it.
> So, to ask a CIO to automate data release for 70,000 subjects when 2000 (or whatever) actually will use it, represents risk.
> However, were registrar, etc. to come to the CIO and ask for it specifically, I think it would happen.
> On 10/27/15, 1:10 PM, "Nick Roy" <nroy@xxxxxxxxxxxxx> wrote:
>> I like the idea of arming researchers with a white paper (see Mikael's note a few back that has a link to a letter in support of CoCo sent to EU university CIOs -
>> However, various permutations on this kind of researcher-focused, targeted approach have been tried before.  When successful, it results in a few targeted research universities joining the very small club of R&S supporters.  It doesn't get at the larger issue, which is that LIGO or the NIH or CERN or any of a number of other research efforts have collaborators at places we as federation operators and IAM practitioners have no idea about, and no way of targeting.
>> The larger solution to the issue, I think, involves a massive communication campaign aimed at CIOs and Registrars on the level of EDUCAUSE (for US CIOs) and AACRAO (for US Registrars) - similarly broad venues in the EU, Asia/Pacific, etc, if they are available.  Then, coupling that with incentives at a federation level.  Maybe you get a discount on your participation fees if you support R&S (that might work for InCommon, probably very different support/incentive model in other feds).
>> Nick
>> On 10/27/15, 11:44 AM, "Jones, Mark B" <Mark.B.Jones@xxxxxxxxxxx> wrote:
>>>>> [Mark] I don't think 'perceived risk' is the issue here.  There are no
>>>>> users here asking for this and so it is not on anyone's to-do list.  I
>>>>> think it would be an easy sell if it were a priority for someone not in
>>>>> IT.
>>>> In my experience, most researchers in research VOs don't know what federated
>>>> identity is or what it would buy them, so it's not surprising that they're not
>>>> asking. If the VO has a computing person (or, fates forbid, a computing group),
>>>> someone in the VO might know about identity federation and want to enable it
>>>> for their collaboration. Would having someone from NIH contact you and say
>>>> "can you support R&S entity category for us so we can enable research for
>>>> people on your campus" be enough to get it done? Because, if so, I might be
>>>> able to arrange that.
>>> [Mark] I believe that having the right researcher ask would get the job done
>>> here.
>>>> In any case, I can assure you from personal experience that it is not the case
>>>> that all IdP operators simply need to be asked and will then start supporting
>>>> research VOs, even with R&S attributes. There are some large research
>>>> campuses that we (LIGO) have been asking on many levels, including having
>>>> on-campus researchers ask on our behalf, and still have not gotten R&S support.
>>>> The reasoning we're given supports Nick's assertions - there is a perceived risk
>>>> that someone somewhere on campus can't sign off on. Whether that is the only
>>>> or most pressing reason it is not done I can't know.
>>>> Warren
>>> [Mark] I think Nick's FERPA argument is persuasive.  Maybe a combination of
>>> asking and arming the researchers with a prepared white paper that addresses
>>> commonly perceived risks?