University of Glasgow
Right People, Right Stuff, Right Pain?
Session Summary
John Byrne, James Currall, Colin Farrow
Version 1.0
June 2002
Setting the Scene
A brief introduction by James Currall (Glasgow) and two ten-minute
presentations from Colin Farrow (Glasgow) and John Byrne (York) outlining:-
- needs
- difficulties
- issues
that Glasgow and York face in allowing the right people to see the
right stuff.
Discussion of the Issues and Input from the Delegates' Perspective
The discussion was held in two groups:
- non-techies - facilitated by James Currall
- techies - facilitated by John Byrne and Colin Farrow
General Discussion and 'What can I Do?'
James Currall led this discussion, drawing on the discussion in the
groups. The groups' discussions fell into two parts (plus a further session
later):-
Getting the Right People information
There was general agreement that there is a need for good quality
people information covering everyone who needs access to information in an
institution.
- Good people data is the result of good institutional processes. If the
processes are not in place and working, then getting a comprehensive directory of
people is more or less impossible.
- Getting good people data requires investment in good processes, which
initially cost money, but which pay for themselves fairly quickly.
- People who are neither paid staff nor enrolled students (often referred to
as 'associates') are a hard problem, because it is difficult to identify who
is responsible for them and there are rarely good processes in place to handle
them.
- Getting rid of people who should no longer be included needs a suitable
process to ensure 'Single Sign Off' (one action removes all entitlements).
It is difficult because:-
  - students often remain around writing up or helping out, etc., with an
  undefined status,
  - processes are generally less well developed for this job than for adding
  new people (recruitment, matriculation, etc.),
  - someone has to remember to action the process,
  - people who have left but still have access don't complain (unlike
  those who have joined and don't have access).
For the most part, although having Right People information is
very important to those who have to manage access to information and systems,
they are not in a position to solve the problem. The people who are (Registry,
Human Resources, etc.) will only own the problem if they see value (to them) in
tackling it.
Groups (and how to build them)
Groups are used to model roles within the organisation and were
generally agreed to be a good way to provide (moderately) fine-grained access
control to information.
There are three types of group:-
- Robot Groups - formed automatically from rules based on institutional
processes and systems (e.g. departmental membership, staff grade, etc.)
- Ad Hoc Groups (official) - formed by a 'responsible person' based on an
official designation (e.g. membership of university committees, etc.)
- Ad Hoc Groups (unofficial) - formed by an individual who needs to share
information with a number of others who do not conform to an official
categorisation (e.g. ad hoc working group, special interest group, etc.)
Three issues were seen as being important in maintenance of
groups:-
- Moderation of group membership - do the people who run the servers have a
role here?
- Notification of group members of their membership - should group owners be
able to add people without their say so?
- Who should be able to see who is in what group (security/DPA issues)?
Groups can be used to control access to information but can also
provide e-mail lists and other functions if managed in a directory service which
can look up the other information as required.
Both Glasgow and York have implemented groups to model roles and have done so
within an LDAP framework.
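As an added worked example (not part of the session summary, and not Glasgow's or York's directory code), the following Python models the two points above: robot groups recomputed from rules over person records (alongside an ad hoc official group maintained by hand), and a 'Single Sign Off' action that purges one person from every group in one step, with audits for the failure modes the discussion raised (leavers who still hold memberships, and associates whose responsible person has gone). The directory is an in-memory stand-in for an LDAP DIT; the base DN, attribute names, rule names and sample people are assumptions.

```python
"""Robot groups and 'Single Sign Off' over a small in-memory directory.

Added example, not code from the Glasgow/York session. Person and group
entries are a constructed stand-in for an LDAP DIT: groups are modelled on
groupOfNames, with 'member' holding person DNs. The base DN, attribute
names, rule names and sample people are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

BASE_DN = "dc=example,dc=ac,dc=uk"  # assumed base DN


@dataclass
class Person:
    uid: str
    department: str
    status: str                    # 'staff', 'student' or 'associate'
    grade: Optional[str] = None    # staff grade; None for students/associates
    sponsor: Optional[str] = None  # uid of the responsible person, for associates

    @property
    def dn(self) -> str:
        return "uid=%s,ou=people,%s" % (self.uid, BASE_DN)


@dataclass
class Group:
    cn: str
    kind: str                      # 'robot', 'adhoc-official' or 'adhoc-unofficial'
    member: Set[str] = field(default_factory=set)  # person DNs

    @property
    def dn(self) -> str:
        return "cn=%s,ou=groups,%s" % (self.cn, BASE_DN)


# Robot-group rules: group cn -> predicate over a Person entry (assumed names).
ROBOT_RULES: Dict[str, Callable[[Person], bool]] = {
    "dept-computing-staff": lambda p: p.department == "computing" and p.status == "staff",
    "dept-computing-students": lambda p: p.department == "computing" and p.status == "student",
    "all-senior-staff": lambda p: p.status == "staff" and p.grade in ("9", "10"),
}


def build_robot_groups(people: Dict[str, Person], rules=ROBOT_RULES) -> Dict[str, Group]:
    """Recompute every robot group from the rules; robot groups are never hand-edited."""
    groups = {cn: Group(cn=cn, kind="robot") for cn in rules}
    for p in people.values():
        for cn, rule in rules.items():
            if rule(p):
                groups[cn].member.add(p.dn)
    return groups


def single_sign_off(uid: str, people: Dict[str, Person], groups: Dict[str, Group]) -> List[str]:
    """One action removes all entitlements: drop the person entry and purge its
    DN from every group of every kind. Returns the DNs of the groups touched,
    so the removal can be logged and checked."""
    person = people.pop(uid)
    touched = []
    for g in groups.values():
        if person.dn in g.member:
            g.member.discard(person.dn)
            touched.append(g.dn)
    return sorted(touched)


def stale_memberships(people: Dict[str, Person], groups: Dict[str, Group]) -> List[Tuple[str, str]]:
    """Audit: group members with no live person entry, i.e. people who have
    left but still have access and will not complain about it."""
    live = {p.dn for p in people.values()}
    return sorted((g.cn, m) for g in groups.values() for m in g.member if m not in live)


def orphaned_associates(people: Dict[str, Person]) -> List[str]:
    """Audit: associates whose responsible person is no longer in the directory."""
    return sorted(p.uid for p in people.values()
                  if p.status == "associate" and p.sponsor not in people)


def demo():
    """Constructed scenario: four people, one committee, one leaver."""
    people = {
        "ab12": Person("ab12", "computing", "staff", grade="10"),
        "cd34": Person("cd34", "computing", "student"),
        "ef56": Person("ef56", "physics", "staff", grade="9"),
        "gh78": Person("gh78", "computing", "associate", sponsor="ab12"),
    }
    groups = build_robot_groups(people)
    # Ad hoc (official) group: maintained by a responsible person, not by a rule.
    committee = Group(cn="it-committee", kind="adhoc-official")
    committee.member |= {people["ab12"].dn, people["ef56"].dn}
    groups[committee.cn] = committee
    removed = single_sign_off("ab12", people, groups)  # ab12 leaves
    return groups, removed, stale_memberships(people, groups), orphaned_associates(people)


if __name__ == "__main__":
    _, removed, stale, orphans = demo()
    print("groups purged on sign-off:", removed)
    print("stale memberships:", stale)
    print("orphaned associates:", orphans)
```

Run against a real directory, build_robot_groups would write the generated groupOfNames entries back over LDAP and single_sign_off would be the one operation the leaver process calls; the two audit functions are the checks to schedule, since nobody reports the access they should have lost.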
Pseudo-Anonymous Credentials
Groups provided in this way seem to have very great potential in
inter-university collaborations, where confirmation of group membership is
passed as a credential to the other institution (but not the details of who the
person is). In this context, Ulster has been collaborating with the University
of Athens, and York is collaborating with Hull (see also the Shibboleth work
referenced in the briefing paper).
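As an added illustration of the exchange described above (not part of the session summary, and not the Shibboleth protocol or any of the named institutions' code), the following Python has a home institution issue a signed assertion that carries only the visitor's group memberships and an opaque per-partner pseudonym, and a partner institution verify it and authorise on the group alone. The HMAC-based token format, the shared secrets, the institution names and the sample directory are assumptions chosen to keep the example self-contained.

```python
"""Pseudonymous group-membership credential between two institutions.

Added example, not code from the session or from Shibboleth. The home side
asserts 'this visitor is a member of group G' to a partner and sends a stable,
partner-specific pseudonym instead of the person's identity. Token format,
secrets, institution names and the directory below are constructed.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Set

HOME = "york.ac.uk"  # assumed issuer name

# Constructed home directory: uid -> groups the person holds (assumed names).
HOME_GROUPS: Dict[str, Set[str]] = {
    "jsmith": {"dept-history-staff", "hull-joint-project"},
    "apatel": {"dept-history-students"},
}

# Assumed per-partner shared secrets; the pseudonym key never leaves home.
PARTNER_SECRETS: Dict[str, bytes] = {"hull.ac.uk": b"constructed-shared-secret-hull"}
PSEUDONYM_KEY = b"constructed-home-only-pseudonym-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def pseudonym(uid: str, partner: str) -> str:
    """Same person and same partner give the same handle, so the partner can
    keep per-user state; different partners cannot correlate, and none can
    recover the uid without the home-only key."""
    msg = ("%s|%s" % (uid, partner)).encode()
    return hmac.new(PSEUDONYM_KEY, msg, hashlib.sha256).hexdigest()[:32]


def issue_assertion(uid: str, partner: str, requested: List[str],
                    now: int, ttl: int = 300) -> Optional[str]:
    """Home side. Release only the requested groups the person actually holds,
    and only to a partner we share a secret with. No name or uid leaves."""
    secret = PARTNER_SECRETS.get(partner)
    held = sorted(HOME_GROUPS.get(uid, set()) & set(requested))
    if secret is None or not held:
        return None
    claims = {"iss": HOME, "aud": partner, "sub": pseudonym(uid, partner),
              "groups": held, "iat": now, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_assertion(token: str, partner: str, secret: bytes, now: int) -> Dict:
    """Partner side. Check the MAC before trusting any field, then issuer,
    audience and validity window. Returns the claims or raises ValueError."""
    try:
        payload_b64, mac_b64 = token.split(".")
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad signature")
    claims = json.loads(payload)
    if claims.get("iss") != HOME or claims.get("aud") != partner:
        raise ValueError("wrong issuer or audience")
    if not (claims["iat"] <= now < claims["exp"]):
        raise ValueError("expired or not yet valid")
    return claims


def authorize(claims: Dict, required_group: str) -> bool:
    """Partner-side access decision made on the group alone."""
    return required_group in claims.get("groups", [])


if __name__ == "__main__":
    now = 1000000
    tok = issue_assertion("jsmith", "hull.ac.uk", ["hull-joint-project"], now)
    claims = verify_assertion(tok, "hull.ac.uk", PARTNER_SECRETS["hull.ac.uk"], now + 5)
    print("partner sees:", claims)
    print("may use project share:", authorize(claims, "hull-joint-project"))
```

The design point the example makes concrete is in issue_assertion: the partner names the groups it cares about, and the home institution releases only the intersection with what the person holds, so the credential carries the minimum needed for the access decision and nothing that identifies the person.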
Technical Matters
Technical matters concerning the design of an LDAP directory for
access control were deferred until an additional ‘Birds of a
Feather’ session held later.