Re: [scim] userids, usernames, and group names

Emmanuel Dreux <edreux@cloudiway.com> Mon, 03 September 2012 20:12 UTC

From: Emmanuel Dreux <edreux@cloudiway.com>
To: Emmanuel Dreux <edreux@cloudiway.com>, Hasini Gunasinghe <hasini@wso2.com>, Dale Olds <olds@rbcon.com>
Thread-Topic: [scim] userids, usernames, and group names
Thread-Index: AQHNigZ2b5q6U7SDb0+XIqsJt3b0l5d5CTrQgAADWoA=
Date: Mon, 03 Sep 2012 20:12:34 +0000
Message-ID: <DF63ACC82673DB40A7AAC08FFA71DFBD2741B53E@AMXPRD0610MB353.eurprd06.prod.outlook.com>
References: <504133BE.4020704@rbcon.com> <CAOCmpSkwwRLR3_jk1bCxNMKQbeTsm_u3zRfdFTPKDTA75bjJcA@mail.gmail.com>
Cc: "scim@ietf.org" <scim@ietf.org>
Subject: Re: [scim] userids, usernames, and group names

And, less problematic, Group Description is missing as well.
That's a field our customers usually ask to synchronize.

--
Regards,
Emmanuel Dreux
http://www.cloudiway.com
Tel: +33 4 26 78 17 58
Mobile: +33 6 47 81 26 70
skype: Emmanuel.Dreux

From: Emmanuel Dreux
Sent: Monday, 3 September 2012 22:08
To: 'Hasini Gunasinghe'; Dale Olds
Cc: scim@ietf.org
Subject: RE: [scim] userids, usernames, and group names

My understanding of Dale's issue is the following:

I have a group in Google (let's talk about Google if Active Directory does not ring bells):
DisplayName: Developers
Group email address (= Id): devs@company.com

How do you represent it in SCIM?
According to the spec here (http://tools.ietf.org/html/draft-ietf-scim-core-schema-00#section-11.4), a "groupID" (or call it GroupUsername) is missing.

--
Regards,
Emmanuel Dreux
http://www.cloudiway.com
Tel: +33 4 26 78 17 58
Mobile: +33 6 47 81 26 70
skype: Emmanuel.Dreux

From: Hasini Gunasinghe [mailto:hasini@wso2.com]
Sent: Monday, 3 September 2012 11:16
To: Dale Olds
Cc: scim@ietf.org
Subject: Re: [scim] userids, usernames, and group names

Hi Dale,
On Sat, Sep 1, 2012 at 3:29 AM, Dale Olds <olds@rbcon.com> wrote:
In our scim implementation we assign the following meanings to these user attributes:

* id: unique, immutable, required, not intended to be typed by humans. The only identifier safe to store in external systems.

* userName: unique, mutable, required, though rarely changed in practice, not localized -- more like a keyword. It's what humans can use when they need to type in a reference to a user.

* displayName: not unique, mutable, optional, used as input to some display context but might not be literally displayed.

Access control for the id and userName fields is identical -- they are both essentially treated as identifiers, displayName is different. These meanings work for us. All 3 attributes are used for specific purposes, and I believe our use does not violate the current spec. BTW, thanks for changing userName to be mutable in 1.1.

We are now implementing groups.

IIRC, the only choice the spec gives for human readable group names is displayName, but we have tools (e.g. CLIs) that need to accept a reference to a group typed in by a user. We could use displayName for that purpose, but then we lose the displayName capability that we have for users.
I do not see a reason why you cannot use displayName of groups here. IIUC, displayName for user and group are two separate attributes and you can use them independently.

I've checked for this issue in the list archives but did not see any discussion. Has the group discussed a naming attribute for groups that would be more like userName than displayName?
Another option would be externalId - which is defined in the common schema.

Thanks,
Hasini.

A related issue is compound attributes such as Users.groups and Groups.members. If Groups had a groupName attribute similar to userName for users, it would be most useful if these attributes could have sub-attributes like this:

User:
{
  "id": "111111",
  "userName": "joe",
  "groups": [{"display": "Hiking Tour Guides", "name": "guides", "value": "22222"}]
}

Group:
{
  "id": "22222",
  "groupName": "guides",
  "members": [{"display": "Joey", "name": "joe", "value": "111111"}]
}

I suppose we could add this capability as an extension, but would like to see if others would find this useful as well.

--Dale

_______________________________________________
scim mailing list
scim@ietf.org
https://www.ietf.org/mailman/listinfo/scim
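The attribute semantics Dale lays out (id immutable and the only value safe to store externally; userName unique but mutable and typeable by humans; displayName non-unique), and the groupName/member sub-attribute shape he sketches, can be exercised in a small in-memory model. The code below is an added example written for this archive page; it is not code from the SCIM drafts, from Dale's implementation, or from any product named in the thread. Assumptions not taken from the page: the group naming attribute is a hypothetical extension spelled `urn:example:scim:schemas:extension:groupName`; userName and groupName uniqueness is compared case-insensitively; ids are server-generated UUID strings rather than the integers in Dale's sketch. The point it demonstrates is why membership must be keyed on `value` (the id) while `name` and `display` are only hints: after a user is renamed and the old userName is reused, the id-keyed membership still points at the original principal.

```python
"""Toy model of the SCIM identifier semantics discussed in the thread.

Added example, not from the SCIM drafts or any implementation in the thread.
Assumptions (not from the page): GROUPNAME_EXT is a hypothetical extension
attribute, name comparisons are case-insensitive, ids are UUID strings.
"""
import uuid
from typing import Dict, Optional

GROUPNAME_EXT = "urn:example:scim:schemas:extension:groupName"  # hypothetical


class Conflict(Exception):
    """A unique attribute (userName / groupName) is already taken."""


class Immutable(Exception):
    """Attempt to change an immutable attribute (id)."""


class Directory:
    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}
        self.groups: Dict[str, dict] = {}

    # ---- users ---------------------------------------------------------
    def create_user(self, user_name: str, display_name: Optional[str] = None) -> dict:
        self._check_unique(self.users.values(), "userName", user_name)
        user = {"id": uuid.uuid4().hex, "userName": user_name,
                "displayName": display_name, "groups": []}
        self.users[user["id"]] = user
        return user

    def update_user(self, uid: str, **changes) -> dict:
        user = self.users[uid]
        if "id" in changes and changes["id"] != uid:
            raise Immutable("id is immutable")
        if "userName" in changes:  # mutable, but must stay unique
            self._check_unique((u for u in self.users.values() if u["id"] != uid),
                               "userName", changes["userName"])
        user.update(changes)
        # keep the denormalized member hints in sync; 'value' never changes
        for g in self.groups.values():
            for m in g["members"]:
                if m["value"] == uid:
                    m["name"], m["display"] = user["userName"], user["displayName"]
        return user

    def resolve_user(self, typed: str) -> Optional[dict]:
        """Resolve what a human typed (a userName, never an id) to a user."""
        return next((u for u in self.users.values()
                     if u["userName"].lower() == typed.lower()), None)

    # ---- groups --------------------------------------------------------
    def create_group(self, display_name: str, group_name: str) -> dict:
        self._check_unique(self.groups.values(), GROUPNAME_EXT, group_name)
        group = {"id": uuid.uuid4().hex, "displayName": display_name,
                 GROUPNAME_EXT: group_name, "members": []}
        self.groups[group["id"]] = group
        return group

    def resolve_group(self, typed: str) -> Optional[dict]:
        """CLI-style lookup by the (hypothetical) groupName, not displayName."""
        return next((g for g in self.groups.values()
                     if g[GROUPNAME_EXT].lower() == typed.lower()), None)

    def add_member(self, gid: str, uid: str) -> None:
        group, user = self.groups[gid], self.users[uid]
        # 'value' carries the immutable id; 'name' / 'display' are hints only
        group["members"].append({"value": uid, "name": user["userName"],
                                 "display": user["displayName"]})
        user["groups"].append({"value": gid, "name": group[GROUPNAME_EXT],
                               "display": group["displayName"]})

    def is_member(self, gid: str, uid: str) -> bool:
        return any(m["value"] == uid for m in self.groups[gid]["members"])

    @staticmethod
    def _check_unique(resources, attr: str, value: str) -> None:
        if any(r[attr].lower() == value.lower() for r in resources):
            raise Conflict(f"{attr}={value!r} already exists")


def demo() -> dict:
    """Rename a user, reuse the old userName, and check what still resolves."""
    d = Directory()
    joe = d.create_user("joe", "Joey")
    guides = d.create_group("Hiking Tour Guides", "guides")
    d.add_member(guides["id"], joe["id"])

    d.update_user(joe["id"], userName="joseph")  # allowed: userName is mutable
    newcomer = d.create_user("joe")               # the old name is free again
    try:
        d.update_user(joe["id"], id="other")
        id_change_rejected = False
    except Immutable:
        id_change_rejected = True
    try:
        d.create_user("JOSEPH")
        duplicate_rejected = False
    except Conflict:
        duplicate_rejected = True

    return {
        "original_joe_still_member": d.is_member(guides["id"], joe["id"]),
        "newcomer_not_member": not d.is_member(guides["id"], newcomer["id"]),
        "typed_joe_resolves_to_newcomer": d.resolve_user("joe")["id"] == newcomer["id"],
        "member_hint_updated": guides["members"][0]["name"] == "joseph",
        "group_resolves_by_groupName": d.resolve_group("GUIDES")["id"] == guides["id"],
        "id_change_rejected": id_change_rejected,
        "duplicate_rejected": duplicate_rejected,
    }
```

Every entry `demo()` returns is True: the renamed user keeps the membership because the group stores the id, the newcomer who inherits the typed name "joe" gains nothing, and the `name` hint in the member entry is refreshed on rename. An external system that had stored "joe" instead of the id would, after the rename, silently refer to the newcomer, which is exactly why Dale calls id the only identifier safe to store externally.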