Grouper Developers Forum

[Brendan Bellina <>]

One possible issue that comes to mind regarding uApprove is that the  
attributes and even values shown by uApprove may not mean very much to  
the user.  For example, our group dn's and entitlements as well are  
based on opaque identifiers.  So showing a user a list of isMemberOf  
values or ePAs and asking them to approve which ones can be released  
to an SP isn't really going to be very helpful.  uApprove would need  
to query for additional information about the groups and display that  
information in its interface or we would need to provide some kind of  
mapping document and expect the user to take the time to look them up  
before responding, and that isn't likely.  It isn't as simple as  
releasing a phone number or an email address, for which little or no  
explanation would be required.

Regards,

Brendan

On Sep 4, 2009, at 7:33 AM, 

 wrote:

> At 8:04 PM -0500 9/3/09, Michael A. Grady wrote:
> > It seems to me that this also raises some interesting questions  
> > about the *right* to release a group membership. If I create and  
> > maintain a group in which membership implies a person is a student,  
> > do I and the person running the IdP have the right to release that  
> > group membership without checking with the authoritative source for  
> > all things "student"  -- the Registrar? Managing group memberships  
> > can delegate the management of who has what entitlement, but I  
> > don't see that it helps much with the management of the ARPs within  
> > the IdP -- that would still take explicitly deciding to release a  
> > specific value (or set of values) to a specific service, and  
> > getting any and all necessary approvals ahead of time.
> >
> > Of course, the "easy solution" to that will be user consent for  
> > everything.  :-)
>
> Here at Brown, we're moving forward with installing the SWITCH  
> developed uApprove IdP plugin:
>
> http://www.switch.ch/aai/support/tools/uApprove.html
>
> Combined with a new Resolver plugin available in the brand new IdP  
> release, sites could configure a set of attributes that would  
> essentially be managed for release by each user. I was imagining  
> that 1) we'd have a conversation with the Registrar about this  
> functionality and get their "global blessing" for allowing every  
> student to manage the release of some of their attributes, and 2)  
> allow students to manage the release of attributes such as  
> Affiliation.
>
> Note that several months back I asked on the ICPL list whether  
> uApprove was "FERPA compatible", and two people whom I consider to  
> be FERPA experts responded positively. Even if a student has opt-ed  
> out under FERPA, clicking APPROVE to uApprove is sufficient for  
> FERPA related approval.
>
> Given the use cases people are exploring related to the release of  
> Group Membership information... what role, if any, do you see  
> uApprove possibly playing ?