Talk:Catalyst Concordia Policy Workshop 2008

From Project Concordia


I was unable to attend the meeting, but I enjoyed reading the presentations, especially the use-case discussions.

From my perspective, much of the discussion could be factored into two components:

(1) issues around policy, such as expressiveness, analysis, governance, admin models, etc.; also, systematic labeling of resources with meta-data.

(2) questions around run-time infrastructure: colocated PDP, a lighter-weight PEP <--> PDP interface, availability of a rich class of PEPs (interceptor, multiple-language API bindings), and the ability to access resource or session meta-data flexibly on an as-needed basis.

But two perspectives important for scenarios with Az-aware services/apps weren't discussed. By Az-aware applications I mean those apps that explicitly consult an Authorization service.

(a) What types of models and interfaces are required for such applications by designers and architects? Is some sort of "Authorization Bean" model required, combining authorization information with information about secured resources? Is there a catalog of design patterns or templates for the Az component in Az-aware applications/services?

(b) How is the life-cycle of an Az-aware application/service managed? In particular, given that applications should be designed independently of enterprise infrastructure, how is information about the Az aspects of the application/service conveyed to the deployer? How does the deployer reconcile this with the enterprise architecture and Az policy?

And finally, what is an entitlement? Could someone provide me with a definition or an example?

added 7/14/08 [Lucy Lynch - ISOC]

One definition currently in use:

"Entitlement: Entitlements form a specialized class of attributes important enough to call out separately. They can be used to identify specific group membership or eligibility to use a given resource. One method of deploying Shibboleth insulates the decision-making logic used by the IdP from the SP by expressing entitlements instead of several individual attributes."

See: https://spaces.internet2.edu/display/SHIB/ShibbolethGlossary

Examples turn up if you search, for example, for: "The case for a scoped version of eduPersonEntitlement"

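As an added illustration (this is not code from the workshop, from Project Concordia or from Shibboleth), the following Python sketch shows the pattern the quoted glossary definition describes, together with the Az-aware-application pattern asked about earlier on this page: the IdP folds several raw attributes into a single eduPersonEntitlement value, and the application's PEP consults a colocated PDP that decides on the entitlement alone, never seeing the underlying attributes. eduPersonAffiliation and eduPersonEntitlement are real eduPerson attribute names; the "department" attribute, the entitlement URI, the resource paths and the policy rules are all constructed for this example.

```python
# Added illustration of entitlement-based authorization; not code from the
# workshop, Project Concordia or Shibboleth. Attribute names other than
# eduPersonAffiliation / eduPersonEntitlement, the entitlement URI, the
# resource paths and the rules are constructed for this example.
from dataclasses import dataclass

# Constructed entitlement value in the eduPersonEntitlement URI style.
LIBRARY_ENTITLEMENT = "urn:mace:example.org:entitlement:library-eresources"


# ---- IdP side: several attributes in, one entitlement out -----------------
def idp_entitlements(attrs: dict) -> set:
    """Derive eduPersonEntitlement values from raw institutional attributes.

    Constructed rule: faculty and staff, and students in the health-sciences
    department, may use licensed library e-resources. The SP never sees the
    affiliation or department; it only sees whether the entitlement is present.
    """
    affiliations = set(attrs.get("eduPersonAffiliation", []))
    entitlements = set()
    if affiliations & {"faculty", "staff"}:
        entitlements.add(LIBRARY_ENTITLEMENT)
    elif "student" in affiliations and attrs.get("department") == "health-sciences":
        entitlements.add(LIBRARY_ENTITLEMENT)
    return entitlements


def assertion_for_sp(attrs: dict) -> dict:
    """What the IdP releases to the SP: entitlements only, not the raw attributes."""
    return {"eduPersonEntitlement": sorted(idp_entitlements(attrs))}


# ---- PDP: resource meta-data maps each protected resource to the entitlement it needs
RESOURCE_POLICY = {
    "/eresources/journal": LIBRARY_ENTITLEMENT,
    "/eresources/database": LIBRARY_ENTITLEMENT,
}


@dataclass(frozen=True)
class Decision:
    permit: bool
    reason: str


def pdp_decide(entitlements: set, resource: str, action: str) -> Decision:
    """Decide on (entitlements, resource, action). Anything not explicitly permitted is denied."""
    required = RESOURCE_POLICY.get(resource)
    if required is None:
        return Decision(False, "no policy for resource; default deny")
    if action != "read":
        return Decision(False, f"action {action!r} not permitted on {resource}")
    if required in entitlements:
        return Decision(True, f"holds {required}")
    return Decision(False, f"missing {required}")


# ---- PEP inside the Az-aware application ----------------------------------
class Pep:
    """Thin PEP: the application asks one question, the PEP consults the PDP.

    The PDP is passed in (here a colocated function) so the application code
    stays independent of how the deployer wires it to enterprise infrastructure.
    """

    def __init__(self, pdp=pdp_decide):
        self._pdp = pdp

    def is_permitted(self, session: dict, resource: str, action: str) -> bool:
        entitlements = set(session.get("eduPersonEntitlement", []))
        return self._pdp(entitlements, resource, action).permit


def fetch_resource(pep: Pep, session: dict, resource: str) -> str:
    """Az-aware application code: consult the PEP before serving anything."""
    if not pep.is_permitted(session, resource, "read"):
        return "403 Forbidden"
    return f"200 OK: contents of {resource}"


if __name__ == "__main__":
    pep = Pep()
    # Constructed sample users as the IdP sees them.
    faculty = {"eduPersonAffiliation": ["faculty", "member"], "department": "history"}
    student = {"eduPersonAffiliation": ["student", "member"], "department": "history"}
    for who, attrs in (("faculty", faculty), ("history student", student)):
        session = assertion_for_sp(attrs)
        print(who, session, fetch_resource(pep, session, "/eresources/journal"))
```

The point of the split is the insulation the glossary mentions: the rule for who qualifies lives entirely in idp_entitlements, so the institution can change it (add a department, drop staff) without touching the SP, whose PDP only ever compares one URI against the resource's required entitlement. Unknown resources and non-read actions are denied by default, which is the behaviour a PEP should fall back to when policy is silent.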