[openstack-dev] [Keystone] Federated design from Kent

David Chadwick d.w.chadwick at kent.ac.uk
Thu Aug 23 19:41:14 UTC 2012



On 23/08/2012 19:59, Adam Young wrote:

CUT

>
> If two users have identical attributes, with the exception of their
> username and userId number, and only one of them should get access to
> MomAndPopsLaundry,  then the Admin at MomAndPopsLaundry  has to grant
> the permissions to that userid.

correct. Username and userID are simply attributes such as role and 
favouriteDrink. The only difference is that each uniquely identifies the 
user in the domain whereas the others do not. So they are identifiers. 
The Admin can select another differentiating attribute such as email 
address (which is also an identifier). It is unlikely that two users 
will have all their attributes identical.

>This works, but it doesn't scale.

If MomAndPop want to give different permissions to each individual user, 
then it is their model that does not scale. It's not the FIM model.
If MomAndPop want to select individual users from different IDPs then of 
course they will need to use attributes that are identifiers, otherwise 
they will select a group of users with each attribute. I am pretty sure 
that all IDP protocols can send a unique PID for each user with the 
attribute assertions, so there is always a way to uniquely identify each 
individual user.


> Instead, the user should be put into a grouping from the
> MomAndPopsLaundry's IdP that then provides the roles.

But this may not uniquely identify a single user

regards

David
>
> I'll take a look at the demos above and see if they meet my concerns.
>
>
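As an added illustration of the distinction drawn above between identifying attributes (username, PID, email) and group attributes (role), here is a small attribute-mapping evaluator written for this page; it is not Keystone code and not from either author. The IdP name, attribute values and rule format are all constructed assumptions.

```python
"""Attribute-based role mapping (constructed example, not Keystone code).

An IdP sends attribute assertions for a user; the service provider
(MomAndPopsLaundry) keeps mapping rules that grant a role to any user whose
assertions match.  A rule keyed only on non-identifying attributes (role)
selects a group of users; a rule keyed on an identifier (PID, email,
username) selects at most one user in that IdP's domain.
"""

# Constructed assertions from a hypothetical IdP "idp.example".  alice and bob
# differ only in their identifying attributes.
ASSERTIONS = [
    {"idp": "idp.example", "username": "alice", "pid": "pid-001",
     "email": "alice@example.org", "role": "staff", "favouriteDrink": "tea"},
    {"idp": "idp.example", "username": "bob", "pid": "pid-002",
     "email": "bob@example.org", "role": "staff", "favouriteDrink": "tea"},
    {"idp": "idp.example", "username": "carol", "pid": "pid-003",
     "email": "carol@example.org", "role": "contractor", "favouriteDrink": "tea"},
]

# Attributes that uniquely identify a user within one IdP's domain.
IDENTIFIERS = {"username", "pid", "email"}

# Mapping rules (assumed format): every (attribute, value) in "match" must be
# asserted by the IdP for the rule to grant its role.
RULES = [
    {"match": {"idp": "idp.example", "role": "staff"}, "grant": "launderer"},
    {"match": {"idp": "idp.example", "pid": "pid-002"}, "grant": "admin"},
]

def matches(rule, assertion):
    """True when every attribute the rule requires is asserted with that value."""
    return all(assertion.get(k) == v for k, v in rule["match"].items())

def rule_is_identifying(rule):
    """A rule can select at most one user only if it keys on an identifier."""
    return any(k in IDENTIFIERS for k in rule["match"])

def users_selected(rule, assertions):
    """PIDs of all users a rule would match; >1 means it selects a group."""
    return [a["pid"] for a in assertions if matches(rule, a)]

def map_roles(assertions, rules):
    """Return {pid: set(roles)} for every user that some rule grants a role."""
    granted = {}
    for a in assertions:
        for r in rules:
            if matches(r, a):
                granted.setdefault(a["pid"], set()).add(r["grant"])
    return granted
```

Running `map_roles(ASSERTIONS, RULES)` shows the group rule granting "launderer" to both staff users, while only the identifier-keyed rule singles out bob for "admin".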
