Hello,

I support this proposal in general. I have a few questions below.

On 04/08/2015 11:07 AM, Tim Bruijnzeels wrote:
The RIPE NCC has discussed the concept of personalised authorisation on various occasions, most recently at the DB WG session at RIPE 69. Following discussions and input from the working group we would now like to propose the following additions to the RIPE Database:
= Extend the person object template with "auth:" as an optional, multiple attribute, with all current authentication methods.
= Extend the mntner object "auth:" attribute with a new method that allows a reference to a person object that has at least one "auth:" attribute.
What happens if all the auth: attributes are later removed from a referenced person object? I foresee a potential security default.
Allowing "auth:" attributes on person objects also allows us to make it easier for users to manage their person object in the RIPE Database in combination with their Single Sign-On (SSO) account on RIPE NCC Access as a single identity.
I find this idea very convenient. However, I've noticed that some people or some companies prefer to maintain several separate person objects for a single person in different roles. I can't say I approve of this practice entirely, but I suppose we should still have a stated policy of how these cases should be handled. Examples:

* one SSO account can be coupled with multiple person objects
* a person with multiple person objects should create multiple SSO accounts, if they all need to be coupled

Yours,

--
Aleksi Suhonen

() ascii ribbon campaign
/\ support plain text e-mail