This might be a very useful contribution to the BoK if we solve this problem for ourselves in a clean way.

Agree backend provisioning is an anti-pattern - but especially with Confluence (where there are no invites, and it's not realistic for IdPs to send attributes that would clearly mark the privileges), I've been using it quite often as the only usable way.

A clean best-practice document avoiding backend provisioning would be greatly appreciated, I believe.

Cheers,
Vlad

PS: Solution-wise, I can imagine a separate service where users (with identities possibly scattered across a number of administrative domains) would get invited to join a group, and the target service would pull the privileges from this service .... but we are not there yet and we use backend provisioning :-)


On 17 November 2016 at 05:51, Sarah Squire <sarah@engageidentity.com> wrote:
Can we make "backend manual permissions provisioning" against the code of conduct?

Sarah Squire
Engage Identity

On Wed, Nov 16, 2016 at 8:49 AM, David Brossard <david.brossard@axiomatics.com> wrote:

Sounds like someone could use runtime fine-grained authorization ;-)


On Nov 16, 2016 9:41 AM, "Dobbs, George" <gdobbs@massmutual.com> wrote:

Thanks Andrew… I’ll sit tight unless I hear otherwise.

 

-- George

 

From: Andrew Hughes [mailto:andrewhughes3000@gmail.com]
Sent: Wednesday, November 16, 2016 10:38 AM
To: Dobbs, George
Cc: Thorsten H. Niebuhr [WedaCon GmbH]; DG-IDPro@kantarainitiative.org; megan@kantarainitiative.org; Shannon Taylor Kantara
Subject: [EXTERNAL]Kantara wiki access [was: Re: [DG-IDPro] Call for participation: Project teams forming now]

 

Hi George - there's a backend manual permissions provisioning step - it takes a day or so to take effect.

andrew.


Andrew Hughes CISM CISSP 
Independent Consultant
In Turn Information Management Consulting

o  +1 650.209.7542
m +1 250.888.9474
1249 Palmer Road,
Victoria, BC V8P 2H8

AndrewHughes3000@gmail.com 
ca.linkedin.com/pub/andrew-hughes/a/58/682/
Identity Management | IT Governance | Information Security 

 

On Wed, Nov 16, 2016 at 7:34 AM, Dobbs, George <gdobbs@massmutual.com> wrote:

Thorsten –

 

Can you suggest how I can get access to make the updates indicated? I got an ID at Kantara but don’t seem to have access to the Confluence page.

 

-- George

 

From: dg-idpro-bounces@kantarainitiative.org [mailto:dg-idpro-bounces@kantarainitiative.org] On Behalf Of Thorsten H. Niebuhr [WedaCon GmbH]
Sent: Wednesday, November 16, 2016 6:29 AM
To: DG-IDPro@kantarainitiative.org; megan@kantarainitiative.org; Shannon Taylor Kantara
Subject: [EXTERNAL]Re: [DG-IDPro] Call for participation: Project teams forming now

 

Thanks Andrew!

So I just started on the wiki for the subgroup (https://kantarainitiative.org/confluence/pages/viewpage.action?pageId=85492303) and added the names of those in it (as far as I am informed). I also added a quick comment to that page with a short summary of what was discussed in the meetings so far on this point. Feel free to add missing points.

May I ask the participants of the subgroup to add their (faked) mail addresses and timezones, so we can quickly agree on a schedule for our calls?

@Megan/Shannon: what would be the next steps to get the dial-in details?

@all: I might not be available for the call today (sorry, Wednesday 18:00 (my time) is one of the points in time that are really hard for me to manage...)

Thx,

 

Thorsten

 




_______________________________________________
DG-IDPro mailing list
DG-IDPro@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/dg-idpro






--
Vladimir Mencl

Senior Software Engineer

Research & Education 
Advanced Network NZ Ltd