OASIS eXtensible Access Control Markup Language (XACML) TC

policy model subcom minutes 10-08-01

    Posted 10-09-2001 23:43
October 8 minutes. 7am - 9am pacific time.

Attendees: Hal L, Jason R, Michiharu K, Pierangela S, Simon G

Agenda:
1. Concept definitions.
2. Subject definition.
3. Groups and Roles.

Action Items:
1. Create policy model subcommittee homepage [Michiharu]
2. Submit subject semantics proposals.
3. Submit group and role hierarchies proposals. Where to define? How to flatten?
4. Publish goals document.

Brief transcript:

1. Concept definitions.
There is enough agreement on the dictionary. It will not be further discussed outside of specific context.

2. Subject definition.
[Pierangela] Subject is a generic expression on properties of the requestor. Subject is the requestor. Second subject could be specified to refer to whom authorization is granted.
[Hal] Subject is a datatype that represents identity of the requestor. We need to have multiple subjects: requestor subject, recipient subject.
[Simon] Subject is either identity of the requestor, a group, a role, or a generic expression on subject attributes.

3. Groups and Roles.
[Pierangela] Group is a set of users. Group membership is a static property of a user. Role is a dynamic property of a user. User can activate and deactivate roles. Groups and roles work well in a centralized environment. How much definition is legitimate in a decentralized context?
[Hal] Assertion would express all roles you are allowed to assume and it's up to the user to select a role. At the time the azn decision is made, the role has to be known. Role is a part of the request.
[Pierangela] Do we need an assumption-of-role policy? I.e. how users are allowed to activate a role. Can multiple roles be activated?
[Simon] Assumption-of-role policy could be specified as a separate policy. User should have an option to make an azn query to assume a role. Then the role could be included in the request.
[Pierangela, Hal, Simon] To make the distinction between groups and roles clear, it was decided to call roles 'Dynamic Roles'. Roles that can be activated by the user are referred to as 'Assumable' or 'Potential' Roles. Roles that are activated by the user are called 'Assumed' or 'Active' Roles.
[Michiharu] Concept of a role is dynamic. Active role is a role activated by the user. This is fine. Roles and other properties can be contained in user request, as well as group and locality and so on.
[Hal] When do we flatten role membership?
[Pierangela] Who defines role hierarchy?
[Hal] Different pieces of hierarchy are known to different parties.

Simon Godik
Crosslogix
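As an added illustration, not part of these minutes or of any XACML TC artifact, a small Python model of the distinction the transcript draws: static group membership, assumable versus active dynamic roles, a separate assumption-of-role query, and an access decision that only sees the roles the user has actually activated. All names, the policy table and the conflict rule are constructed for the example.

```python
# Constructed model of "static groups" vs "dynamic (assumable/active) roles".
# Nothing here is from the XACML specification or the TC minutes.
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    groups: frozenset                # static property: set membership
    assumable_roles: frozenset       # "Potential" roles the user may activate
    active_roles: set = field(default_factory=set)  # "Assumed" roles


# Assumption-of-role policy, kept separate from the access policy. Constructed
# rule: a role may be activated only if it is assumable for the user and does
# not conflict with a role that is already active.
CONFLICTS = {frozenset({"approver", "submitter"})}


def assume_role(user: User, role: str) -> bool:
    """Azn query to assume a role; returns True if activation is permitted."""
    if role not in user.assumable_roles:
        return False
    for active in user.active_roles:
        if frozenset({active, role}) in CONFLICTS:
            return False
    user.active_roles.add(role)
    return True


# Access policy (constructed): each rule names a resource, an action, and an
# optional required group and/or required *active* role.
POLICY = [
    ("invoice", "read", "finance", None),
    ("invoice", "approve", "finance", "approver"),
]


def decide(user: User, resource: str, action: str) -> str:
    """The request carries groups and active roles; assumable roles stay out."""
    request = {"groups": user.groups, "roles": frozenset(user.active_roles)}
    for res, act, group, role in POLICY:
        if (res, act) != (resource, action):
            continue
        if group is not None and group not in request["groups"]:
            continue
        if role is not None and role not in request["roles"]:
            continue
        return "Permit"
    return "Deny"
```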