Re: [scim] Contributors needed for HR schema
Phillip Hunt <phil.hunt@independentid.com> Fri, 16 September 2022 17:12 UTC
Return-Path: <phil.hunt@independentid.com>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41ADEC1524C4 for <scim@ietfa.amsl.com>; Fri, 16 Sep 2022 10:12:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.904
X-Spam-Level:
X-Spam-Status: No, score=-1.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=independentid-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0GaXwRWe2fWe for <scim@ietfa.amsl.com>; Fri, 16 Sep 2022 10:12:53 -0700 (PDT)
Received: from mail-pl1-x633.google.com (mail-pl1-x633.google.com [IPv6:2607:f8b0:4864:20::633]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0EC78C1524C3 for <scim@ietf.org>; Fri, 16 Sep 2022 10:12:52 -0700 (PDT)
Received: by mail-pl1-x633.google.com with SMTP id jm11so21995286plb.13 for <scim@ietf.org>; Fri, 16 Sep 2022 10:12:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=independentid-com.20210112.gappssmtp.com; s=20210112; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:from:to:cc:subject:date; bh=OGU/uCxzGpoIxwB6K0BZxMnUgTib/G5AG1mRNrLhysQ=; b=N6GL4yaE26ePDR50T8njuRy94/2T+v7eT2S1Uf3SlIPH0JPFVH2qC2nScLS3BZ6f3F d6acpGTNtIm6buuM0NjtxlAEsuZ44jLEGyyxA1/0yqLmVvOcijplwrx2W0fEBbmDbeCw my93q+EBBGFrdUtGZn+05sD4jFWTO/c3cB4IX/OGGfjR7RDdufdg3ZWY432GpVZsT10E 44F6m98Qy/q1h8KCNfE5+cMEqe//AUh+ioOVG6CfgG/ICwTweG9gCiTkLC89a/TKSmpO RYTHegvLWewWjrlAblKMIBxIp/yWcVfZEyzcya84vieKB7NylHk5uLV0BrSfMO0PZWAJ +MxA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:x-gm-message-state:from:to:cc :subject:date; bh=OGU/uCxzGpoIxwB6K0BZxMnUgTib/G5AG1mRNrLhysQ=; b=j7xFSEGfH4GnkOjhYMcejWP91yMdnJxH7E5oX/hP+uHD2GNWQEphzGYRDTmI4qoM70 KBOxLpQXMDa7rMRX0EpprVl0RmRzhOLwDx6QmEJ23KHuSjpFpoj2hql4BNpLTTeXTjyd 9f6/eBo1ZmFPFCUjt/zfPpH6LwxCahFZCNtUmOStesMH1IuPd9rQszhidRwJbiPC2hix Ywn/gCmtLXpXIViMNfHVtj9K6DxIjI8tbyc18wWfr4/qtX/A/G74KiZ8TqbN0PiiPy/E Sb4qMS8fP7UL72dHwhdtV8kJACfBgg5MIIftjfaDyyRaWLnrNyStaDvj4gHk1Z4/swzo 06LA==
X-Gm-Message-State: ACrzQf0OUg5CtZ1OcC9c53qf5Y5pu2obFSvS6qtgr6U8GwjDDJHHr9Lr mERsbvj4XKHV5VYPPhxGr1MCeOVpF1HvJg==
X-Google-Smtp-Source: AMsMyM5y0mmxmpr+3QN3oZdzV4TmYC+oxTB+igHKfT7909wecsZ8oxejIEXIYaR6BxWVjvS+PhGuNg==
X-Received: by 2002:a17:90b:17c9:b0:202:640c:ec5 with SMTP id me9-20020a17090b17c900b00202640c0ec5mr6644971pjb.71.1663348371685; Fri, 16 Sep 2022 10:12:51 -0700 (PDT)
Received: from smtpclient.apple (node-1w7jr9qrll22a5artu5tk8pg9.ipv6.telus.net. [2001:569:7a97:e700:ca0:a371:ca5b:2ad9]) by smtp.gmail.com with ESMTPSA id a12-20020a170902eccc00b00168dadc7354sm15315811plh.78.2022.09.16.10.12.50 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 16 Sep 2022 10:12:51 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-F6B26AD7-1F13-42AC-A302-4FA8A5D0EF07"
Content-Transfer-Encoding: 7bit
From: Phillip Hunt <phil.hunt@independentid.com>
Mime-Version: 1.0 (1.0)
Date: Fri, 16 Sep 2022 10:12:50 -0700
Message-Id: <5FE72A98-09D6-4754-83FD-8F5A1F513033@independentid.com>
References: <5503e6a3-d70f-bcd4-4250-5a8bf6829ea9@stroeder.com>
Cc: scim@ietf.org
In-Reply-To: <5503e6a3-d70f-bcd4-4250-5a8bf6829ea9@stroeder.com>
To: Michael Ströder <michael=40stroeder.com@dmarc.ietf.org>
X-Mailer: iPhone Mail (19G82)
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/FkamDB-I--hf6tyqWao2BKNgtRM>
Subject: Re: [scim] Contributors needed for HR schema
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Sep 2022 17:12:57 -0000
There are a few aspects I see with this subject… 1. Standardized schema. If HR vendors are going to build a common connector scim might be a candidate. The primary need for schema is to create a common definition that every one can work with. 2. Life-cycles, the life cycle of an employee, contractor, etc may be different than a user account. 3. Access control. In the case of SCIM, HTTP provides the common signaling between clients and servers (eg http unauthorized status etc). Instead, the access model that implements access decisions is up to the implementer. The interop of rules would only be needed if access control data was exchanged through the front channel as it was with some ldap systems. IMO putting acis in the front channel may not be the best from a security perspective. Access control should be handled via an administrative api. Thats just my thought. As an example, i2scim.io supports two and soon 3 access systems. It has had to support an updated ldapaci model for internal enforcement, Open Policy Agent (OPA) for external integration and am now considering Hexa IDQL (https://www.cncf.io/projects/hexa/). I think my point being, lets not define yet another access policy language. It seems to me that externalized policy administration and governance is likely to trend in the market and beyond the scope of our group. —> In other words, don’t get bogged down on the data access model for HR. Just focus on the likely common requirements that implementers should/must ensure. It is always up to the deployers to work with their legal council to ensure relevant compliance. 4. Extension mechanism. You could use extended schema (like enterprise user) to add HR attributes. I see two downsides with this approach: access controls will be much more complex because only a few clients should have access to see and update this data. This might adversely impact performance in security systems that need fast access to User resources. Another approach would be to create new resource types (eg hrPerson) that may reference Users. This would enable more restricted access to hrPerson resources and allow for differing entity lifecycles. It also avoids accidental release of information when a client retrieves a user resource not needing HR data. 5. API or directory: it is also important to consider whether scim is just an API supported by an HR system or whether SCIM acts as a “directory” an HR system coordinates with. Obviously this can influence many of the choices above (such as extension mechanism). In a co-ordinated deployment, using scim events can help support the appropriate de-coupling between information systems that is needed. I would avoid meta-directory style approaches that many of us old timers went through 20 years ago. 😵💫 Hope this info dump helps! Phil > On Sep 16, 2022, at 4:25 AM, Michael Ströder <michael=40stroeder.com@dmarc.ietf.org> wrote: > > Disclaimer: I don't consider myself a HR system expert. > >> On 9/16/22 06:54, Danny Zollner wrote: >> Creating a set of schemas for those that consume HR data would help >> with the problem of sending HR-related data to other systems > IMHO this is feasible. > >> but doesn’t solve the problem I described. > You're aiming at defining a SCIM schema for exchanging full HR data between HR systems of different vendors? I'm pretty sure none of the vendors are interested in that. > >> I took the name “Worker” from the implementations of some of the most prominent HR systems. A worker is typically a higher-level classification that represents full-time employees, contractors, interns, and other types of workers. > > This still sounds quite person-centric. > >> The status of the employment is defined in an attribute on the object. > > [..] >> Specific to data security concerns regarding an HR schema, I think input is needed from players in the HR/HCM industry on if it would be wise to include extremely sensitive information such as salaries and social security numbers in a worker resource. > > While AFAIK social security numbers are assigned to natural persons other HR data is bound to contracts. And in a HR system a natural person can have multiple contracts. So you would also have to model that. > > Coming from the IAM world I often consume HR data and the "person" objects I derive from that have attributes which indeed rather represent a contract (employee number, status, time-span). And then I bind the user accounts to these person contract objects. > > Ciao, Michael. > > _______________________________________________ > scim mailing list > scim@ietf.org > https://www.ietf.org/mailman/listinfo/scim
- [scim] Contributors needed for HR schema Danny Zollner
- Re: [scim] Contributors needed for HR schema Danny Mayer
- Re: [scim] [EXTERNAL] Re: Contributors needed for… Danny Zollner
- Re: [scim] [EXTERNAL] Re: Contributors needed for… Danny Mayer
- Re: [scim] [EXTERNAL] Re: Contributors needed for… Danny Zollner
- Re: [scim] Contributors needed for HR schema Michael Ströder
- Re: [scim] Contributors needed for HR schema Phillip Hunt
- Re: [scim] Contributors needed for HR schema Kevin Kampman
- Re: [scim] [EXTERNAL] Re: Contributors needed for… Danny Mayer