Re: [scim] [⚠️] Feedback and adoption readiness for draft-zollner-scim-roles-entitlements-extension

Alice Wang <awang@zscaler.com> Tue, 22 November 2022 19:14 UTC

From: Alice Wang <awang@zscaler.com>
Date: Tue, 22 Nov 2022 11:14:03 -0800
In-Reply-To: <CAKXu=h9BJ5KmM3vkyK2yj_K_nvxe7W2kVQ4fxucHwdkj3HoUtw@mail.gmail.com>
Cc: "Matt Peterson (mpeterso)" <Matt.Peterson@oneidentity.com>, Danny Zollner <Danny.Zollner@microsoft.com>, Chad Vincent <chad.vincent@crashplan.com>
To: "scim@ietf.org" <scim@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/gWsbloUtSZw_cAp5tLjeJZP01sg>
Subject: Re: [scim] [⚠️] Feedback and adoption readiness for draft-zollner-scim-roles-entitlements-extension

#5 for me. And I agree with the “id” and other required attributes discussion in the previous email thread.


Thanks

Alice


> On Nov 9, 2022, at 9:17 AM, Chad Vincent <chad.vincent@crashplan.com> wrote:
> 
> I did have a side-discussion with Danny and he confirmed that the omission of the required SCIM fields is just an artifact of being a draft.
> 
> On Wed, Nov 9, 2022 at 11:02 AM Matt Peterson (mpeterso) <Matt.Peterson@oneidentity.com> wrote:
> Danny,  Chad,
> 
> 
> 
> I agree with Chad’s feedback about id. For us it would be best if Roles and Entitlements resources had the following attributes that match other SCIM resources (i.e. users, groups):
> 
> 
> 
> id ← this one is particularly important. I think that the draft uses “value” instead of “id”. I much prefer “id” as it is already assumed by most developers to be an immutable value that can be queried directly by URL (or referenced by contains/containsBy)
> 
> 
> 
> meta ← described in RFC7644 section 3.1. meta.created and meta.lastChanged have been useful for us when dealing with users/groups
> 
> 
> 
> displayName – instead of “display” would be consistent with “displayName” on users and groups the name “suitable for display to end-users”.
> 
> 
> 
> description – instead of “type”?   For our Identity Management products, the human readable description of what a Role and Entitlement grants access to are very important.  In most application authorization models, this is the “description” of the role or “description” of the entitlement.
> 
> 
> 
> containsBy / contains – slight wording change to make it clear that this is a list of *ids*.  Consider reusing some of the wording from RFC 7644 that describes Group.member and User.memberOf?
> 
> 
> 
> --
> 
> Matt
> 
> 
> 
> P.S. Sorry for taking so long to read this draft properly. It is important to us and, with the suggestions above, it matches the model we already use in our Identity Management products.
> 
> 
> 
> 
> 
> From: scim <scim-bounces@ietf.org> On Behalf Of Chad Vincent
> Sent: Thursday, November 3, 2022 3:09 PM
> To: scim@ietf.org
> Subject: Re: [scim] Feedback and adoption readiness for draft-zollner-scim-roles-entitlements-extension
> 
> 
> 
> 
> 
> 
> I love this - we use roles currently and having a more formal spec and ability for the client to read what's available could come in very handy in the future.  So mark me down as a 5.
> 
> 
> 
> However, these resources not including the common attributes set mandated by RFC 7643 section 3.1 should be explained/clarified in the RFC.  The Apache SCIMple library will have to handle these resources as special-cases since they won't have the required "id" field, for example.  That seems major enough to justify a paragraph.
> 
> 
> 
> ---------- Forwarded message ----------
> From: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>
> To: SCIM WG <scim@ietf.org>
> Cc:
> Bcc:
> Date: Wed, 2 Nov 2022 23:40:10 +0000
> Subject: [scim] Feedback and adoption readiness for draft-zollner-scim-roles-entitlements-extension
> 
> Hello SCIMers,
> 
> We need feedback on to gauge support and adoption readiness of:
> https://datatracker.ietf.org/doc/draft-zollner-scim-roles-entitlements-extension/
> Please respond to this thread on the following:
> 
> 
>   1.  You have read the draft and believe it is ready to be adopted by the working group. Any other feedback on the content of the draft is welcomed too.
>   2.  You are willing to be an active contributor or reviewer of the document
>   4.  You support the draft and plan to implement
>   5.  You support the draft but have no time or plans to implement now, but can provide feedback
>   6.  You have no interest in the draft
> 
> Please provide your feedback by November 28th.
> 
> Thanks,
>    Nancy
> 
> 
> 
> 
> 
> ---------- Forwarded message ----------
> From: Paul Lanzi <paul@remediant.com>
> To: SCIM WG <scim@ietf.org>
> Cc:
> Bcc:
> Date: Wed, 2 Nov 2022 16:50:26 -0700
> Subject: Re: [scim] Feedback and adoption readiness for draft-zollner-scim-roles-entitlements-extension
> 
> #4 for me.
> 
> Thanks,
> 
> --Paul
> 
> 
> 
> 
> On Wed, Nov 2, 2022 at 4:40 PM Nancy Cam-Winget (ncamwing) <ncamwing=40cisco.com@dmarc.ietf.org> wrote:
> 
> Hello SCIMers,
> 
> We need feedback on to gauge support and adoption readiness of:
> https://datatracker.ietf.org/doc/draft-zollner-scim-roles-entitlements-extension/
> Please respond to this thread on the following:
> 
> 
>   1.  You have read the draft and believe it is ready to be adopted by the working group. Any other feedback on the content of the draft is welcomed too.
>   2.  You are willing to be an active contributor or reviewer of the document
>   4.  You support the draft and plan to implement
>   5.  You support the draft but have no time or plans to implement now, but can provide feedback
>   6.  You have no interest in the draft
> 
> Please provide your feedback by November 28th.
> 
> Thanks,
>    Nancy
> 
> 
> _______________________________________________
> scim mailing list
> scim@ietf.org
> https://www.ietf.org/mailman/listinfo/scim
> 
> 
> 
> --
> 
> Chad Vincent (he/him) | Software Engineer, Senior - CrashPlan
> chad.vincent@crashplan.com
> 400 S 4th St Suite 410 PMB 31083 Minneapolis, MN 55415-1419
> 
>  <https://crashplan.com/>
> 
> 
> 
> 
> --
> Chad Vincent (he/him) | Software Engineer, Senior - CrashPlan
> chad.vincent@crashplan.com
> 400 S 4th St Suite 410 PMB 31083 Minneapolis, MN 55415-1419
> 
>  <https://crashplan.com/>
> 