<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi Denis,</p>
<p>I think the current main suggestion is to add a new DB auth
scheme, such as "auth: SSO-LIR no.foobar" that includes all the
SSO accounts linked to the LIR except for Billing accounts.</p>
<p>Kind regards,<br>
Cynthia Revström<br>
</p>
<div class="moz-cite-prefix">On 2019-01-07 11:20, denis walker via
db-wg wrote:<br>
</div>
<blockquote type="cite"
cite="mid:639012240.22099228.1546856426081@mail.yahoo.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div style="color:#000; background-color:#fff;
font-family:Helvetica Neue, Helvetica, Arial, Lucida Grande,
sans-serif;font-size:16px">
<div id="yui_3_16_0_ym19_1_1546578800374_98950"><span
id="yui_3_16_0_ym19_1_1546578800374_99270"> Hi Tore</span></div>
<div id="yui_3_16_0_ym19_1_1546578800374_99065"><span><br>
</span></div>
<div id="yui_3_16_0_ym19_1_1546578800374_99018"><span
id="yui_3_16_0_ym19_1_1546578800374_99019">Just to clarify a
point here. Are you suggesting that for all LIRs, all listed
LIR (non-billing) administrators should be able to manage
all the LIR's database objects that will all be maintained
by this one 'magic' MNTNER object as "mnt-by:",
"mnt-lower:", "mnt-routes"?<br>
</span></div>
<div id="yui_3_16_0_ym19_1_1546578800374_99191"><span
id="yui_3_16_0_ym19_1_1546578800374_99019"><br>
</span></div>
<div id="yui_3_16_0_ym19_1_1546578800374_99190"><span
id="yui_3_16_0_ym19_1_1546578800374_99019">If any of the
'all' in that statement don't apply then can we be clearer
on the use case for this MNTNER object?</span></div>
<div id="yui_3_16_0_ym19_1_1546578800374_99189"><span
id="yui_3_16_0_ym19_1_1546578800374_99019"><br>
</span></div>
<div id="yui_3_16_0_ym19_1_1546578800374_99188"><span
id="yui_3_16_0_ym19_1_1546578800374_99019">cheers</span></div>
<div id="yui_3_16_0_ym19_1_1546578800374_99187"><span
id="yui_3_16_0_ym19_1_1546578800374_99019">denis</span></div>
<div dir="ltr" id="yui_3_16_0_ym19_1_1546578800374_99186"><span
id="yui_3_16_0_ym19_1_1546578800374_99019">co-chair DB-WG</span></div>
<div dir="ltr" id="yui_3_16_0_ym19_1_1546578800374_99174"><span
id="yui_3_16_0_ym19_1_1546578800374_99019"></span></div>
<div class="qtdSeparateBR"
id="yui_3_16_0_ym19_1_1546578800374_98951"><br>
<br>
</div>
<div class="yahoo_quoted"
id="yui_3_16_0_ym19_1_1546578800374_98959" style="display:
block;">
<div style="font-family: Helvetica Neue, Helvetica, Arial,
Lucida Grande, sans-serif; font-size: 16px;"
id="yui_3_16_0_ym19_1_1546578800374_98958">
<div style="font-family: HelveticaNeue, Helvetica Neue,
Helvetica, Arial, Lucida Grande, Sans-Serif; font-size:
16px;" id="yui_3_16_0_ym19_1_1546578800374_98957">
<div dir="ltr" id="yui_3_16_0_ym19_1_1546578800374_98956">
<font id="yui_3_16_0_ym19_1_1546578800374_98960"
size="2" face="Arial">
<hr id="yui_3_16_0_ym19_1_1546578800374_99341"
size="1"> <b><span style="font-weight:bold;">From:</span></b>
Tore Anderson via db-wg <a class="moz-txt-link-rfc2396E" href="mailto:db-wg@ripe.net">&lt;db-wg@ripe.net&gt;</a><br>
<b><span style="font-weight: bold;">To:</span></b>
Piotr Strzyzewski <a class="moz-txt-link-rfc2396E" href="mailto:Piotr.Strzyzewski@polsl.pl">&lt;Piotr.Strzyzewski@polsl.pl&gt;</a> <br>
<b><span style="font-weight: bold;">Cc:</span></b>
<a class="moz-txt-link-abbreviated" href="mailto:db-wg-chairs@ripe.net">db-wg-chairs@ripe.net</a>; Aleksi Suhonen
<a class="moz-txt-link-rfc2396E" href="mailto:Aleksi.Suhonen@axu.tm">&lt;Aleksi.Suhonen@axu.tm&gt;</a>; <a class="moz-txt-link-abbreviated" href="mailto:db-wg@ripe.net">db-wg@ripe.net</a><br>
<b><span style="font-weight: bold;">Sent:</span></b>
Monday, 7 January 2019, 10:25<br>
<b id="yui_3_16_0_ym19_1_1546578800374_99340"><span
style="font-weight: bold;"
id="yui_3_16_0_ym19_1_1546578800374_99339">Subject:</span></b>
Re: [db-wg] Idea: magic mntner for all LIR contacts<br>
</font> </div>
<div class="y_msg_container"
id="yui_3_16_0_ym19_1_1546578800374_98961"><br>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1546578800374_98978">* Piotr
Strzyzewski via db-wg<br clear="none">
<br clear="none">
> Look at this page<br clear="none">
> <a shape="rect"
href="https://www.ripe.net/manage-ips-and-asns/db/numbered-work-items"
target="_blank"
id="yui_3_16_0_ym19_1_1546578800374_99249"
moz-do-not-send="true">https://www.ripe.net/manage-ips-and-asns/db/numbered-work-items</a><br
clear="none">
> and start new NWI.<br clear="none">
<br clear="none">
Thanks for the pointer!<br clear="none">
<br clear="none">
Chairs (cc-ed), could we have an NWI for this?<br
clear="none">
<br clear="none">
Rough problem statement for the kickstart phase
follows:<br clear="none">
<br clear="none">
There is currently no way to automatically sync the
«auth: SSO <a shape="rect" ymailto="mailto:x@y"
href="mailto:x@y" moz-do-not-send="true">x@y</a>»<br
clear="none">
attributes for a maintainer object with the list of
(non-billing) users<br clear="none">
associated with an LIR.<br clear="none">
<br clear="none">
This leads to duplication of work (adding/removing
newly hired/departed<br clear="none">
LIR administrators in two places).<br clear="none">
<br clear="none">
Additionally, this increases the risk of unauthorised
access, e.g., if an<br clear="none">
administrator has left an LIR but was only removed
from the LIR portal,<br clear="none">
he might inappropriately retain access to manage
database objects for the<br clear="none">
LIR in question.<br clear="none">
<br clear="none">
It is therefore desirable to have a method to protect
RIPE database<br clear="none">
objects so that they can be maintained by the list of
(non-billing)<br clear="none">
user accounts currently associated with a specific LIR
at any given<br clear="none">
time. That is, when a RIPE NCC Access account is
removed from the LIR's<br clear="none">
user list, the database maintainer access should be
automatically<br clear="none">
revoked for that account as well.
<div class="yqt4533926379" id="yqtfd26892"><br
clear="none">
<br clear="none">
Tore<br clear="none">
<br clear="none">
</div>
</div>
<br>
<br>
</div>
</div>
</div>
</div>
</div>
</blockquote>
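<p>Added example, not part of the original thread and not RIPE NCC code:
the manual audit that the problem statement above implies today, diffing a
maintainer's "auth: SSO" lines against the LIR's non-billing users. The
object, the accounts, the (account, role) list format and the role names
are constructed assumptions.</p>
<pre>
```python
# Added example. MNTNER and LIR_USERS are constructed sample data; the
# (account, role) list format and the role names are assumptions.
MNTNER = """\
mntner:         EXAMPLE-MNT
auth:           SSO alice@example.net
auth:           SSO bob@example.net
auth:           SSO Carol@Example.net
auth:           SSO erin@example.net
auth:           MD5-PW constructed-placeholder-hash
mnt-by:         EXAMPLE-MNT
source:         RIPE
"""

LIR_USERS = [
    ("alice@example.net", "admin"),
    ("carol@example.net", "admin"),
    ("dave@example.net", "admin"),
    ("erin@example.net", "billing"),
]

def auth_entries(rpsl):
    """Return (scheme, value) for every 'auth:' attribute of an RPSL object."""
    entries = []
    for line in rpsl.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "auth":
            scheme, _, rest = value.strip().partition(" ")
            entries.append((scheme.upper(), rest.strip()))
    return entries

def audit(rpsl, lir_users):
    """Diff the mntner's SSO accounts against the LIR's non-billing users."""
    entries = auth_entries(rpsl)
    # Accounts are compared lower-cased (an assumption about account naming).
    on_mntner = {v.lower() for s, v in entries if s == "SSO"}
    expected = {a.lower() for a, role in lir_users if role != "billing"}
    return {
        # Departed staff or billing users that can still edit objects.
        "revoke": sorted(on_mntner - expected),
        # LIR administrators that cannot yet maintain the objects.
        "add": sorted(expected - on_mntner),
        # Credentials not tied to any LIR account; review these by hand.
        "non_sso_auth": sorted({s for s, v in entries if s != "SSO"}),
    }

if __name__ == "__main__":
    for finding, items in audit(MNTNER, LIR_USERS).items():
        print(finding, items)
```
</pre>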
</body>
</html>