Could we discuss the identification
attributes for a minute, because I think that sets the stage for the
discussion of state attributes?
In the email that teed this all up, I
wrote:
>
> To identify the account, Account has "target",
"name",
> and "guid" attributes. The account is usually
associated
> with some target, has a name that is changeable,
and
> may have an internal identifier
> that is not supposed to change.
>
When I say "Account", I think of this
as roughly equivalent to "ProvisionedObject". (I realize that
not all features of Account apply to every provisioned object,
but this doesn't bother me too much because not all features of
Account apply to every account. Target
accounts all different, but there are also common
features.)
Not every target supports "guid", but
it's common enough (especially among the modern targets) that it's
reasonable to model this as a common feature. We can simply
leave "guid" null or empty where it is unknown or
unsupported.
I don't want to leave this
"open" (i.e., an entirely arbitrary
attribute) because guid is pretty common and very
useful in managing the account. Where guid is supported, it is
the preferred identifier. It is *very* handy to keep a guid as
a native identifier, since this helps in detecting native renames
(and distinguishing a 'move' from a 'delete' and an 'add').
Where the target supports some kind of guid, I want to map that
value to an attribute that my management code
recognizes.
I'm guessing that everybody basically
buys this premise, because the discussion has centered on the
state-related attributes. Here's the part where I step off the
ledge...
I think of the state-related attributes
we've been discussing in the same way: common and useful where
supported, harmless and empty if unsupported. For example, it doesn't bother me at all if a
particular class of provisioned object doesn't support "disabled",
as long as the value that comes back is harmless (e.g., empty or
"NOT_SUPPORTED").
It's common enough (not just for
accounts, but also for policies and other objects) to add
objects disabled and then enable them at a later date.
This is such a common aspect of management that I'd prefer to model
this explictly as a well-known aspect of state.
I'm interested to know what
everyone thinks. I'm not sure everyone will agree with this
line of reasoning, but if this explains where I'm coming from, then
maybe you all can use it to explain things to me.
Gary
----- Original Message -----
Sent: Friday, March 26, 2004
9:32 AM
Subject: Re: [provision]
PSO/Account/ProvisionedState
This sounds
interesting. Defining multiple interfaces (as Gerry
suggests) sounds like a reasonable way to tease apart the facets
that interest some (but not necessarily all) of us. Tying
these to a common schema (as Jeff B suggests) seems like a
reasonable way to keep the whole thing from flying
apart.
I need a little more help
imagining how we'd structure this. I wanted to define a
bunch of common state-related attributes, but Jeff B and others
point out that not all of these apply to all types of
accounts. Perhaps none of these state-related attributes
(beyond "exists") apply to some kinds of provisioned
object.
I had imagined calling a method
like:
State
getProvisionedState(PSO-ID);
For an Account, I'd get back all the
attributes that apply:
<State
psoId='ID' exists='true' disabled='false' disableDate='NONE'
enableDate='NONE' expired='false' expireDate='DATE'
/>
For a provisioned object that
supports only "exists", I'd get back only "exists":
<State
psoId='ID' exists='true'/>
But it sounds to me from the
discussion above, that I might have to define a different schema
for each combination of attributes. Am I right about that,
or could 'Stateful' contain our "starter kit" of common
state-related attributes?
Would each kind of provisioned
object have to define in its schema which state-related attributes
it supports?
Or would I just call a different
method (e.g., #listSupportedStateAttributes)?
Or could I figure this out just
from the set of attributes returned by
#getProvisionedState(PSO-ID)?
Sorry if I'm misunderstanding
your suggestion. If so,
perhaps we should talk offline (rather than email
everyone).
Gary
----- Original Message -----
Sent: Thursday, March 25,
2004 7:51 PM
Subject: RE: [provision]
PSO/Account/ProvisionedState
I would not be opposed to having mulitple provisioning
interfaces, provided it was tied to a standard schema that
normatively defined what interfaces where appropriate for what
object classes. The clients still need to know what interfaces
would apply to what PSOs.
For example the SPML core operations could apply to all
object classes but the SPML state operations may only apply to
an object class that inherits from a "Stateful" object class in
a standard schema (note that SPML 1.0 supports multiple
inheritance so this is easy). This way the schema for the
resource does not even need to extend an abitrary "Account"
schema, it merely needs to extend the "Stateful" schema.
Jeff Bohren
OpenNetwork
-----Original Message-----
From:
Gearard Woods [mailto:gewoods@us.ibm.com]
Sent: Thu
3/25/2004 6:01 PM
To: Jeff Larson
Cc:
Gary Cole; Jeff Bohren; provision@lists.oasis-open.org
Subject: RE: [provision]
PSO/Account/ProvisionedState
I agree that granularity of the calls is important and it
really shouldn't take 42 calls to determine the state of an
object - a single call should suffice. I think we can model
state effectively and still minimize the traffic needed to
manage it.
Jeff (Jeff B) has also raised the slippery
slope argument, and my take on it is that we should provide an
interoperable way to do the things we feel are a core part of
the provisioning process. There is a line here between what is
horizontal to provisioning and what is resource-specific.
State management is obviously important and passwords have
come up before, although Jeff B would argue that state is not
even relevant to most resources and is only applicable to
accounts.
The provisioning process is obviously not
the same thing to all people. We have disagreement even down
to the fundamentals of the provisioning model. Perhaps a way
to tackle these different viewpoints is to divide and conquer.
Imagine that we split up the problem into a number of
interfaces:
SPML core - Basic provision (add),
deprovision (delete), modify, list/search
SPML state - An
interface and schema representing state management (lifecycle
included or separate?)
SPML events - An interface and
schema for event notifications
SPML password - Password
management perhaps
SPML relationships -
TBD
Implementors must publish core to be SPML
compliant. They may then in turn overlay any of the other
interfaces to offer enhanced provisioning capabilities. These
would be simple interfaces with minimal schema but would be
complementary and all take advantage of the core schema.
Vendors who deal with directory-style interfaces need go no
further than the core interface while others may wish to offer
the full suite. Obviously these categories are just off the
top of my head but does this sound like an approach that has
promise?
Gerry
"Jeff
Larson" <Jeff.Larson@waveset.com>
I haven't been following this that
closely, but I like aspects of both approaches. I
like
the notion that
you can carry out near-universal operations like disable,
enable, and expire,
in a schema independent way. But I also like the
notion that I can at least obtain the current
state
from the model
so I don't have to make 42 web services calls to get
everything I want to display.
I guess as
long as the schema is arbitrary we can have it both ways. If I
choose
to use fine
grained standard operations I can. If the PSP exposes the same
functionality
through
the model, I can use that too, though I will be outside of the
SPML spec.
But we're on a slippery slope here. Almost every
account will have an associated
password, email address, and full name. Do we
then provide individual operations
to get and set those so we can access them in an
standard way without having to be
bothered with PSP specific schema? How far does
this go?
Jeff
-----Original Message-----
From: Gearard
Woods [mailto:gewoods@us.ibm.com]
Sent: Thursday, March 25, 2004 3:35 PM
To: Jeff
Bohren
Cc: Gary Cole;
provision@lists.oasis-open.org
Subject: RE:
[provision] PSO/Account/ProvisionedState
I think there's a fundamental difference here
even though the intent may be the same. Basically, we're all
trying to model state and provide some kind of standardized
view of it to the outside world so that we can offer
interoperability. By placing state in the resource schema you
have immediately abandoned the possibility that arbitrary
resource schema may be supported, which I believe to be
important. You are also now requiring a mapping from the
"standard" schema to the real resource schema. On the other
hand, by placing the emphasis on the service provider and
providing an operational interface to effect state changes,
the provider can now apply its knowledge of the resource to
make the state change however it wishes to do so and places no
restrictions on the resource schema.
Gerry