
grouper-dev - Re: [grouper-dev] secure Shibboleth - Grouper integration

Subject: Grouper Developers Forum

  • From: "RL 'Bob' Morgan" <>
  • To: Keith Hazelton <>
  • Cc: Grouper Dev <>
  • Subject: Re: [grouper-dev] secure Shibboleth - Grouper integration
  • Date: Thu, 3 Sep 2009 08:49:21 -0700 (PDT)


I don't know, but I will ask our Shib people. Quick question though, does that make what I'm talking about easier? :)

Do you know some of the pros and cons?

Thanks!
Chris

No, doesn't make your job easier.

It probably doesn't make the access control job easier but I definitely think it can make the overall job easier. In my experience entitlements have to be created and supported one by one by IdP staff, including deciding on the value and mapping it to some way of determining membership. By contrast, the whole point of a groups service like Grouper is that creation and maintenance of groups can be delegated to the people who are close to them. So if groups have a standard expression as Shib attributes, a group can be defined and consumed by an app with no IdM-team involvement at all, which seems like a big win to me.

My implicit question was, "Is it worthwhile to try to get to a situation where there's a 'predominant community practice' on the attribute expected by both IdPs and SP/RPs to carry group membership information?" I imagine opinions vary.

I suppose they do. I think it's unfortunate that the entitlement notion has impeded us from what seems to be a clear win in having a standard group attribute practice.

- RL "Bob"



