Subject: RE: [provision] Multiple targets with the ONT proposal
The concept of targets and their respective schema is implicit in SPML 1.0 and can be realized through the use of designated attributes or via naming convention as the identifier (such as the container in the DN in Jeff's example). Actually, this is true for all operations, whether add, modify or search; thus the use case of searching targets is achievable in SPML 1.0.

Explicitly introducing the concept of targets is important for SPML 2.0, but it is my view that this should be achieved as part of the object/data model effort (aka PrOM), since targets are only a subset of the object model that is required for implementation of the use cases.

As for the ability to relate to target-specific schema, it is indeed a requirement, and in our implementation of SPML SchemaRequest we have created the functionality to support this by including vendor-specific attributes and object classes, and I would like to see SPML 2.0 include this. It might be yet another requirement we need to add to the requirement docs.

Doron

Doron Cohen
Chief Architect, Security BU
BMC Software

-----Original Message-----
From: Gearard Woods [mailto:gewoods@us.ibm.com]
Sent: Tuesday, March 02, 2004 11:09 PM
To: Jeff Bohren
Cc: provision@lists.oasis-open.org
Subject: RE: [provision] Multiple targets with the ONT proposal

While it may not have been a specific requirement in the 2.0 discussion at the last F2F, this certainly was a requirement in the 1.0 Use Cases (Query Available PSTs). I do believe that we should not hamstring ourselves by this document if our requirements have evolved beyond it, but the ability to query targets seems very important to me, and not solely in the RA->PSP scenario. Whatever about the argument regarding its relative importance in different conversation scenarios, I for one believe that any reasonable proposal should not preclude the ability to perform the operation. I'd be interested in feedback from other members of the committee on the question.

However you introduce the notion into the ONT proposal, I would highlight that I also believe it is important to associate targets with a specific schema. I also think it is valuable to provide an association between each target and the provisioned state (items/entries/PSOs or whatever other name you prefer) related to the target. Again, it would be useful to get other perspectives on this from the other provisioning vendors on the committee.

Gerry

"Jeff Bohren" <jbohren@opennetwork.com>
03/02/2004 07:16 AM
To: <provision@lists.oasis-open.org>
cc:
Subject: RE: [provision] Multiple targets with the ONT proposal

The ONT Proposal did not address the issue of multiple targets because it was not explicitly a requirement. If this is something that the committee feels should be supported in SPML 2.0, it would probably be a good idea to add it to the requirements.

Since SPML is designed to support RA->PSP and PST->PST provisioning, explicit targets really only apply to the RA->PSP case. For RA->PSP provisioning, it should be considered optional since not all PSPs expose underlying PSTs via the SPML service.

For the RA->PSP case where the PSP exposes the underlying PSTs to the RA, there are at least three ways this could be handled in the ONT SPML 2.0 Proposal:

1) By adding an optional target element to the add, modify, delete verbs as well as the search results (this could be done similar to what is in the IBM proposal). An optional "list target" verb could be added to get a list of targets for the service.

2) By adding the target as an optional component of the SPML Identifier. Again, an optional "list target" verb could be added to get a list of targets for the service.

3) By treating targets as containers within the namespace of the provisioned object.
For instance an account jbohren provisioned to an underlying RACF system could be named as "uid=jbohren, ou=racf1, dc=acme.com" where "ou=racf1, dc=acme.com" would be the RACF target. This approach is supportable in the SPML 1.0 spec, assuming that DN identifiers are used. By coincidence, this was also the approach used in the recent SAML 1.1 interop event that I participated in at the RSA conference last week.

Jeff Bohren
Product Architect
OpenNetwork Technologies, Inc

Try the industry's only 100% .NET-enabled identity management software. Download your free copy of Universal IdP Standard Edition today. Go to www.opennetwork.com/eval.

-----Original Message-----
From: Gearard Woods [mailto:gewoods@us.ibm.com]
Sent: Tuesday, March 02, 2004 1:17 AM
To: provision@lists.oasis-open.org
Subject: [provision] Multiple targets with the ONT proposal

I didn't want to muddle up the other discussion with this question but since we're not having a call tomorrow, I still haven't seen any clarification of the question of single/multiple targets with the ONT proposal. Gary raised the issue in his data model document and I echoed the concern in a follow-up e-mail. Jeff, can you offer some insights on this question?

Thanks,
Gerry
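
The third option in Jeff Bohren's message, where the target is the container part of a DN identifier, means a target listing can be derived from the identifiers themselves. The sketch below is an added example, not code from the thread or from any SPML implementation; the function names, the sample identifiers other than the jbohren DN, and the case-insensitive matching of values are assumptions.

```python
from collections import defaultdict

# Constructed sample identifiers; only the first one appears in the thread.
IDS = [
    "uid=jbohren, ou=racf1, dc=acme.com",
    "UID=gwoods,OU=RACF1,DC=acme.com",        # same target, different spelling
    "uid=smith\\, j, ou=ldap1, dc=acme.com",  # escaped comma inside the first RDN
    "dc=acme.com",                            # no container, so no target
]

def split_rdns(dn):
    """Split a DN on unescaped commas; a backslash escapes the next character.
    Quoted values and escaped trailing spaces are not handled in this sketch."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return [r for r in rdns if r]

def normalize(rdn):
    """Lower-case type and value so that spelling variants compare equal
    (assumes case-insensitive matching rules for these attributes)."""
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().lower()}={value.strip().lower()}"

def target_of(dn):
    """Return the normalized container DN (all RDNs after the first), or None."""
    rdns = split_rdns(dn)
    if len(rdns) < 2:
        return None
    return ",".join(normalize(r) for r in rdns[1:])

def list_targets(identifiers):
    """Group identifiers by derived target, a stand-in for a 'list target' verb."""
    by_target = defaultdict(list)
    for dn in identifiers:
        by_target[target_of(dn)].append(dn)
    return dict(by_target)

if __name__ == "__main__":
    for target, members in list_targets(IDS).items():
        print(target, "->", members)
```

Without normalization and escape-aware splitting, two spellings of the same container would be reported as different targets, and an escaped comma would shift the container boundary.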