Re: [scim] Feedback and adoption readiness for draft-zollner-scim-roles-entitlements-extension

Phillip Hunt <phil.hunt@independentid.com> Wed, 09 November 2022 18:16 UTC

From: Phillip Hunt <phil.hunt@independentid.com>
Message-Id: <65CA47E5-D8E5-4144-90E0-1E9805E9F551@independentid.com>
Date: Wed, 09 Nov 2022 10:16:15 -0800
In-Reply-To: <MW4PR19MB6959D35ED662AF74B2E5C866E13E9@MW4PR19MB6959.namprd19.prod.outlook.com>
Cc: Chad Vincent <chad.vincent@crashplan.com>, Danny Zollner <Danny.Zollner@microsoft.com>, "scim@ietf.org" <scim@ietf.org>
To: "Matt Peterson (mpeterso)" <Matt.Peterson=40oneidentity.com@dmarc.ietf.org>
References: <mailman.116.1667502003.4654.scim@ietf.org> <CAKXu=h99keXizyyikOfnnoN-ziEF_Rh5rkxo26n6DdijKJb=5g@mail.gmail.com> <MW4PR19MB6959D35ED662AF74B2E5C866E13E9@MW4PR19MB6959.namprd19.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/vMoOP1pYb37DKULqgYWjKur_D1k>
Subject: Re: [scim] Feedback and adoption readiness for draft-zollner-scim-roles-entitlements-extension

Danny,

Thanks for putting this forward.

I have not had time to read the draft. That said, having a discussion on this topic seems a priority. Unfortunately I don’t plan to implement it at this time.

I am trying to get some time to take a read from a compatibility (kind of like genart) perspective as I had some concerns from some of the comments. For example, 7643/7644 have some fundamental rules around “id” and other required attributes in order for basic features and discovery to work correctly.  I see Matt has already raised some of the issues.

ID is particularly important as it is THE core required attribute. All resource URI paths are always /<ResourceType>/<id> and, once created, are immutable. I would say this isn’t a “preference” issue but rather a compliance/compatibility issue.

For “id” values, most implementations use GUID/UUIDs because this works well in most databases (especially NoSQL) and uniqueness doesn’t need to be checked at record creation time. Some have opted for other formats (counters, MACs, etc.), but the main practice seems to be consistency and permanence of the identifier.

I agree with all of Matt’s comments below.

Phillip Hunt
phil.hunt@independentid.com
> On Nov 9, 2022, at 9:02 AM, Matt Peterson (mpeterso) <Matt.Peterson=40oneidentity.com@dmarc.ietf.org> wrote:
> 
> Danny,  Chad, 
>  
> I agree with Chad’s feedback about id. For us it would be best if Roles and Entitlements resources had the following attributes that match other SCIM resources (i.e. users, groups):
>  
> id <- this one is particularly important. I think that the draft uses “value” instead of “id”. I much prefer “id” as it is already assumed by most developers to be an immutable value that can be queried directly by URL (or referenced by contains/containsBy)
>  
> meta <- described in RFC7644 section 3.1. meta.created and meta.lastChanged have been useful for us when dealing with users/groups
>  
> displayName – instead of “display”; this would be consistent with “displayName” on users and groups, the name “suitable for display to end-users”.
>  
> description – instead of “type”? For our Identity Management products, the human-readable description of what a Role or Entitlement grants access to is very important. In most application authorization models, this is the “description” of the role or “description” of the entitlement.
>  
> containsBy / contains – slight wording change to make it clear that this is a list of *ids*.  Consider reusing some of the wording from RFC 7644 that describes Group.member and User.memberOf?
>  
> --
> Matt
>  
> P.S. Sorry for taking so long to read this draft properly. It is important to us and, with the suggestions above, it matches the model we already use in our Identity Management products. 
>  
>  
> From: scim <scim-bounces@ietf.org <mailto:scim-bounces@ietf.org>> On Behalf Of Chad Vincent
> Sent: Thursday, November 3, 2022 3:09 PM
> To: scim@ietf.org <mailto:scim@ietf.org>
> Subject: Re: [scim] Feedback and adoption readiness for draft-zollner-scim-roles-entitlements-extension
>  
> I love this - we use roles currently and having a more formal spec and ability for the client to read what's available could come in very handy in the future.  So mark me down as a 5.
>  
> However, these resources not including the common attributes set mandated by RFC 7643 section 3.1 should be explained/clarified in the RFC.  The Apache SCIMple library will have to handle these resources as special-cases since they won't have the required "id" field, for example.  That seems major enough to justify a paragraph.
>  
> ---------- Forwarded message ----------
> From: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com <mailto:ncamwing@cisco.com>>
> To: SCIM WG <scim@ietf.org <mailto:scim@ietf.org>>
> Cc: 
> Bcc: 
> Date: Wed, 2 Nov 2022 23:40:10 +0000
> Subject: [scim] Feedback and adoption readiness for draft-zollner-scim-roles-entitlements-extension
> Hello SCIMers,
>  
> We need feedback to gauge support and adoption readiness of:
> https://datatracker.ietf.org/doc/draft-zollner-scim-roles-entitlements-extension/
> Please respond to this thread on the following:
>  
>  
>   1.  You have read the draft and believe it is ready to be adopted by the working group. Any other feedback on the content of the draft is welcomed too.
>   2.  You are willing to be an active contributor or reviewer of the document
>   4.  You support the draft and plan to implement
>   5.  You support the draft but have no time or plans to implement now, but can provide feedback
>   6.  You have no interest in the draft
>  
> Please provide your feedback by November 28th.
>  
> Thanks,
>    Nancy
>  
> 
> 
> 
> ---------- Forwarded message ----------
> From: Paul Lanzi <paul@remediant.com <mailto:paul@remediant.com>>
> To: SCIM WG <scim@ietf.org <mailto:scim@ietf.org>>
> Cc: 
> Bcc: 
> Date: Wed, 2 Nov 2022 16:50:26 -0700
> Subject: Re: [scim] Feedback and adoption readiness for draft-zollner-scim-roles-entitlements-extension
> #4 for me. 
> Thanks,
> --Paul
>  
> _______________________________________________
> scim mailing list
> scim@ietf.org <mailto:scim@ietf.org>
> https://www.ietf.org/mailman/listinfo/scim
> 
>  
> -- 
> Chad Vincent (he/him) | Software Engineer, Senior - CrashPlan
> chad.vincent@crashplan.com <mailto:chad.vincent@crashplan.com>
> 400 S 4th St Suite 410 PMB 31083 Minneapolis, MN 55415-1419
>  
> <https://crashplan.com/>
>  
> _______________________________________________
> scim mailing list
> scim@ietf.org
> https://www.ietf.org/mailman/listinfo/scim
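The thread turns on two compliance points: every SCIM resource must carry the RFC 7643 section 3.1 common attributes (a service-provider-assigned, immutable "id" and a "meta" complex attribute), and every resource URI path is /<ResourceType>/<id>. The checker below is an added example written for this page; it is not code from any thread participant, from the draft, or from Apache SCIMple. The base URL, the "Roles" resource type name, the schema URN and the sample Role payloads are constructed for illustration, and the draft-style payload simply mirrors the attribute names ("value", "display", "type") the thread mentions.

```python
"""Added example (not from the thread or the draft): a minimal checker for the
SCIM common attributes RFC 7643 section 3.1 requires on every resource, plus
the "id is immutable" rule discussed in the thread. Names marked constructed
are illustration only."""
import uuid
from datetime import datetime, timezone

# "schemas" is required on every resource (RFC 7643 section 3); "id" and
# "meta" are the required common attributes of section 3.1 ("externalId" is
# optional, so it is not checked here).
REQUIRED_COMMON = ("schemas", "id", "meta")
# Sub-attributes of "meta" a service provider returns per RFC 7643 section 3.1.
META_SUBATTRS = ("resourceType", "created", "lastModified", "location")

# Constructed base URL of a hypothetical SCIM service provider.
BASE_URL = "https://scim.example.invalid/v2"


def location_for(resource_type: str, resource_id: str) -> str:
    """Every resource URI path has the shape /<ResourceType>/<id>."""
    return f"{BASE_URL}/{resource_type}/{resource_id}"


def new_id() -> str:
    """Random UUID: no uniqueness check is needed at record creation time."""
    return str(uuid.uuid4())


def create_resource(resource_type: str, attrs: dict) -> dict:
    """Server-side create: the provider assigns the immutable id and meta."""
    if "id" in attrs:
        # "id" is readOnly and assigned by the service provider, never the client.
        raise ValueError("client must not supply 'id' on create")
    now = datetime.now(timezone.utc).isoformat()
    rid = new_id()
    return {
        **attrs,
        "id": rid,
        "meta": {
            "resourceType": resource_type,
            "created": now,
            "lastModified": now,
            "location": location_for(resource_type, rid),
        },
    }


def validate_common_attributes(resource: dict) -> list:
    """Return the list of compliance problems; an empty list means compliant."""
    problems = []
    for name in REQUIRED_COMMON:
        if name not in resource:
            problems.append(f"missing required common attribute '{name}'")
    meta = resource.get("meta")
    if isinstance(meta, dict):
        for sub in META_SUBATTRS:
            if sub not in meta:
                problems.append(f"missing meta.{sub}")
        rid, rtype = resource.get("id"), meta.get("resourceType")
        if rid and rtype and meta.get("location") != location_for(rtype, rid):
            problems.append("meta.location does not match /<ResourceType>/<id>")
    elif "meta" in resource:
        problems.append("'meta' must be a complex attribute")
    return problems


def replace_resource(stored: dict, replacement: dict) -> dict:
    """PUT semantics: the stored id wins and any attempt to change it is an error."""
    if "id" in replacement and replacement["id"] != stored["id"]:
        raise ValueError("'id' is immutable once the resource is created")
    updated = {**replacement, "id": stored["id"], "meta": dict(stored["meta"])}
    updated["meta"]["lastModified"] = datetime.now(timezone.utc).isoformat()
    return updated


# Constructed sample: a Role shaped like the draft's value/display/type
# attributes as described in the thread, with no common attributes at all.
DRAFT_STYLE_ROLE = {
    "schemas": ["urn:example:params:scim:schemas:Role"],  # constructed URN
    "value": "admin",
    "display": "Administrator",
    "type": "builtin",
}

if __name__ == "__main__":
    # The draft-style Role fails the section 3.1 check; a provider-created
    # Role with id/meta passes, and its id cannot be changed afterwards.
    print(validate_common_attributes(DRAFT_STYLE_ROLE))
    role = create_resource("Roles", {"schemas": DRAFT_STYLE_ROLE["schemas"],
                                     "displayName": "Administrator"})
    print(validate_common_attributes(role), role["meta"]["location"])
```

Running the module shows the draft-style Role rejected for lacking "id" and "meta", which is exactly the special-casing Chad describes a generic library would otherwise have to bolt on, while a provider-created Role passes and keeps its id across a replace.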