Grouper Developers Forum

At 8:04 PM -0500 9/3/09, Michael A. Grady wrote:
> It seems to me that this also raises some interesting questions 
> about the *right* to release a group membership. If I create and 
> maintain a group in which membership implies a person is a student, 
> do I and the person running the IdP have the right to release that 
> group membership without checking with the authoritative source for 
> all things "student"  -- the Registrar? Managing group memberships 
> can delegate the management of who has what entitlement, but I don't 
> see that it helps much with the management of the ARPs within the 
> IdP -- that would still take explicitly deciding to release a 
> specific value (or set of values) to a specific service, and getting 
> any and all necessary approvals ahead of time.
>
> Of course, the "easy solution" to that will be user consent for 
> everything.  :-)

Here at Brown, we're moving forward with installing the SWITCH 
developed uApprove IdP plugin:

http://www.switch.ch/aai/support/tools/uApprove.html

Combined with a new Resolver plugin available in the brand new IdP 
release, sites could configure a set of attributes that would 
essentially be managed for release by each user. I was imagining that 
1) we'd have a conversation with the Registrar about this 
functionality and get their "global blessing" for allowing every 
student to manage the release of some of their attributes, and 2) 
allow students to manage the release of attributes such as 
Affiliation.

Note that several months back I asked on the ICPL list whether 
uApprove was "FERPA compatible", and two people whom I consider to be 
FERPA experts responded positively. Even if a student has opt-ed out 
under FERPA, clicking APPROVE to uApprove is sufficient for FERPA 
related approval.

Given the use cases people are exploring related to the release of 
Group Membership information... what role, if any, do you see 
uApprove possibly playing ?