From: Adam M. <ada...@co...> - 2005-05-27 15:29:58
Thought this internal memo may provide some hors-d'oeuvres for thought. The more I think about it, the more urgent the need for a group management web service interface for Bodington appears. Read the original posting, then look at the bottom for my comments.

_____
From: Adam Marshall [mailto:ada...@co...]
Sent: 26 May 2005 13:35
To: 'Howard Noble'; 'Stuart Lee'; 'Peter Robinson'; 'Paul V Davis'; 'Sophie Clarke'; 'Adam Marshall'; 'Grazyna Cooper'; mat...@co...; col...@co...
Subject: RE: LTG Projects meeting - thoughts...

I was going to speak up in the meeting but I couldn't bring myself to do so (my sore throat y'see*): it strikes me that most of the projects / tools that LTG are involved with need to deal with the three A's (AAA):

- account creation
- authentication
- authorisation

A the first

We can take a lead from UHI here I think. They have a piece of software called SIVA that will read an LDAP and create accounts in specified systems. Perhaps we should investigate. Or do registration have a mechanism to do this already? We should also look into the ELF 'wall' and try to establish a standard account creation web service interface which we implement for each separate tool we use. OKI's OSIDs may also help here.

A the second

The authentication is handled by webauth - this we know.

A the third

I believe that the authorisation should be handled by Bodington. Generally a user's groups etc. would come from LDAP, but I think it is very beneficial for Oxford to allow 'trusted' staff members to create their own groups; this cannot be done in the LDAP because such users will not be allowed to fiddle with its contents. Bodington allows groups to be created like this.

Systems need to be able to ask Bod 'is fred in group X?' and they also need to be able to use the group management interface of Bodington via a web service (WSRP) interface. To the administrator of the tool, it would look like the tool has its own group management facility.

This requires some additions to Bod - but we will probably have to do these in the ASK project anyway. I haven't fully thought through the functions that are needed, but enough people have said that such a service sounds like a good idea.

Adam

* too much shouting at LFC on the TV last night
-----------------------------------

So BEWT will give us the CRUD operations for groups and will also allow us to get what groups a given user is in (or what people are in a given group). But it won't allow us to get ALL available groups out of Bodington.

MVN has a need for this sort of thing and could be a good use case. I imagine the use case where a tutor is setting up a new forum inside MVN. They need to be able to say 'this discussion room is only visible to members of group X'. Using BEWT, when a user A clicks through from Bod to MVN, MVN will try to display the discussion but will see an attribute 'this resource only available to group X'. MVN will ask Bodington 'what groups is user A in?' MVN gets the list and checks for the appropriate username and then either authorises or says naff off.

Two issues here:

1/ yes, we could pass group memberships as Shibb attrs, but to me the above achieves a desirable separation

2/ if we do adopt the above then there are many applications which will have to implement a method that has to retrieve a potentially long list of groups from Bod, then do the searching and make a decision. It would be better if there was an extension to BEWT, i.e. a WS, where you could also ask Bodington if user A is in group X.

This extension to BEWT would also be used by the VFS in the ASK project. And by a wiki when we get that together. BEWT finishes in August.

Comments discussion?????

adam

--
Adam Marshall: OUCS, 13, Banbury Rd. Oxford OX2 6NN.
Shameless plug: Use the Bodington VLE http://bodington.org
Blog: http://ramble.oucs.ox.ac.uk/blog/adamm/
Cheese of the month: Cheshire (not to be underestimated)