shibboleth-dev - extremely first cut, some scenario's for managing ARPs
Subject: Shibboleth Developers
- Subject: extremely first cut, some scenario's for managing ARPs
- Date: Wed, 27 Feb 2002 11:14:29 -0500
On Monday's call, I agreed to try to develop scenarios describing some of the more "likely" real-world situations we should expect to encounter on campuses. Once we agree on a set of use cases, we can start to explore the implications for the UI, and for the underlying campus middleware infrastructure.
- Jane Doe is teaching Chem 101. She has convinced a friend at another university to grant the Chem 101 students access to a controlled web site in the friend's department. Jane goes to the AA user interface, authenticates, and then enters an ARP that specifies that
  - for any student in Chem 101
  - accessing the target "friends web site"
  - the attribute "enrolledCourse=Chem101" will be released.
  - she also enters a filter blocking the release of EPPN (in case any individual student attempts to create their own ARP releasing EPPN)

  Q's:
  - how do we know Jane is authorized to do this?
  - if a student creates their own ARP, attempting to override Jane's, would we, could we find Jane's filter? Or does the site admin have to enter that?
- Chem 101 again. Except the grad student TA enters the ARP. How do we know this person is authorized?
- Several faculty and grad students in the planetary geology group at State U are members of a multi-campus research project. One of the grad students manages ARPs for the group. A new controlled web site is created at Other U. The ARP manager enters a new ARP specifying:
  - for any member of the planetary group
  - accessing the site at Other U
  - the attribute Extension URI="urn:mace:state.edu:group:geology:planetary-group" will be released

  Q's:
  - any authorization issues?
  - presumably, we want the ARP manager to see a more user friendly UI than having to enter this URN... what should that look like?
- Joe, the office administrator in the Office of Faculty Governance, is also the webmaster for the office. He wants to give all the faculty access to a new web site containing the reports of a Task Force. He enters a new ARP specifying:
  - for any member of the faculty
  - accessing this new web site
  - release the attribute "AFFILIATION=FACULTY"
- Jane Doe, the Department Manager in Physics, is also responsible for managing the ARPs controlling access to resources licensed by the department. The department licenses access to BLAH, a journal devoted to articles about the new sub-atomic BLAH particle. She enters an ARP specifying:
  - for any member of the physics faculty
  - for any grad student in Physics
  - any undergraduate Physics concentrator
  - accessing the BLAH journal site
  - release the attribute Entitlement URI="urn:mace:blah.org:contract1234"

  Q's:
  - any authz over who can specify the release of this URI?
  - a friendly UI.....
- Semester roll-over. The site admin does something to remove all of the ARPs from the AA that are related to courses taught last semester..... and then loads the "standard set" of course-related ARPs for the upcoming semester.
- extremely first cut, some scenario's for managing ARPs, Steven_Carmody, 02/27/2002
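
An added example, not part of the original message or of Shibboleth's own code: a small Python model of the Chem 101 scenario, showing a filter on EPPN suppressing a student's own ARP while the course attribute is still released. It assumes a matching filter overrides any release rule for the same attribute; the `Arp` fields, the `course:`/`user:` membership names and the `state.example` EPPN are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Arp:
    owner: str                   # who entered it (hypothetical field)
    group: str                   # requester must hold this membership
    target: str                  # site being accessed
    attribute: str
    value: Optional[str] = None  # unused for filters
    is_filter: bool = False      # True: block release of `attribute`

def evaluate(memberships, target, arps):
    """Return (released, suppressed) for one request.

    Assumption: a matching filter beats every release rule for the
    same attribute, whoever entered that rule.
    """
    matching = [a for a in arps
                if a.group in memberships and a.target == target]
    blocked = {a.attribute for a in matching if a.is_filter}
    released, suppressed = set(), []
    for a in matching:
        if a.is_filter:
            continue
        if a.attribute in blocked:
            suppressed.append(a)   # kept for audit: whose rule was overridden
        else:
            released.add((a.attribute, a.value))
    return released, suppressed

# Constructed sample policies for the Chem 101 scenario.
SITE = "friends web site"
ARPS = [
    Arp("jane", "course:chem101", SITE, "enrolledCourse", "Chem101"),
    Arp("jane", "course:chem101", SITE, "EPPN", is_filter=True),
    Arp("student1", "user:student1", SITE, "EPPN", "student1@state.example"),
]

if __name__ == "__main__":
    released, suppressed = evaluate({"user:student1", "course:chem101"}, SITE, ARPS)
    print("released:", released)
    print("overridden rules entered by:", [a.owner for a in suppressed])
```

In this model the filter is scoped to the same group and target as Jane's ARP, so it has no effect on a requester who is not in Chem 101 or on any other site.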