<html><head></head><body><div style="color:#000; background-color:#fff; font-family:Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div id="yui_3_16_0_ym19_1_1549930379084_9605">Hi Tore</div><div id="yui_3_16_0_ym19_1_1549930379084_9606"><br id="yui_3_16_0_ym19_1_1549930379084_9607"></div><div id="yui_3_16_0_ym19_1_1549930379084_9608">Sorry for the delay. This was on my ToDo list but just hadn´t got to that point yet.</div><div id="yui_3_16_0_ym19_1_1549930379084_9609"><br id="yui_3_16_0_ym19_1_1549930379084_9610"></div><div id="yui_3_16_0_ym19_1_1549930379084_9611">The DB-WG chairs agree this is suitable to be added to the list of Numbered Work Items as ¨NWI-8 LIR´s SSO Authentication Groups¨</div><div id="yui_3_16_0_ym19_1_1549930379084_9612"><br id="yui_3_16_0_ym19_1_1549930379084_9613"></div><div id="yui_3_16_0_ym19_1_1549930379084_9614">I think the discussion we had in January, ending with Nick´s summary, could form the basis of the Problem Definition and the start of the Solution Definition.</div><div id="yui_3_16_0_ym19_1_1549930379084_9615"><br id="yui_3_16_0_ym19_1_1549930379084_9616"></div><div id="yui_3_16_0_ym19_1_1549930379084_9617">Lets focus on the Problem Definition first. I have included a draft Solution Definition below just to remind people where the discussion in January lead to. </div><div id="yui_3_16_0_ym19_1_1549930379084_9618"><br id="yui_3_16_0_ym19_1_1549930379084_9619"></div><div id="yui_3_16_0_ym19_1_1549930379084_9620">Do we agree on the Problem definition shown below?</div><div id="yui_3_16_0_ym19_1_1549930379084_9621">Just to get the terminology correct, in the portal UI are people referred to as ´users´ or ´contacts´?</div><div id="yui_3_16_0_ym19_1_1549930379084_9622"><br id="yui_3_16_0_ym19_1_1549930379084_9623"></div><div id="yui_3_16_0_ym19_1_1549930379084_9624">cheers</div><div id="yui_3_16_0_ym19_1_1549930379084_9625">denis</div><div id="yui_3_16_0_ym19_1_1549930379084_9626">co-chair DB-WG</div><div id="yui_3_16_0_ym19_1_1549930379084_9627"><br id="yui_3_16_0_ym19_1_1549930379084_9628"></div><div id="yui_3_16_0_ym19_1_1549930379084_9629"><br id="yui_3_16_0_ym19_1_1549930379084_9630"></div><div id="yui_3_16_0_ym19_1_1549930379084_9631">Problem Definition</div><div id="yui_3_16_0_ym19_1_1549930379084_9632"><br id="yui_3_16_0_ym19_1_1549930379084_9633"></div><div id="yui_3_16_0_ym19_1_1549930379084_9634">LIRs would like a mechanism to easily add/remove users to centralised SSO authentication groups for maintaining objects in the RIPE Database. </div><div id="yui_3_16_0_ym19_1_1549930379084_9635"><br id="yui_3_16_0_ym19_1_1549930379084_9636"></div><div id="yui_3_16_0_ym19_1_1549930379084_9637"><br id="yui_3_16_0_ym19_1_1549930379084_9638"></div><div id="yui_3_16_0_ym19_1_1549930379084_9639">(Draft) Solution Definition</div><div id="yui_3_16_0_ym19_1_1549930379084_9640"><br id="yui_3_16_0_ym19_1_1549930379084_9641"></div><div id="yui_3_16_0_ym19_1_1549930379084_9642">-Technical Users listed in an LIR´s portal account, who have an SSO authentication account, can be added to and removed from user defined SSO authentication groups.</div><div id="yui_3_16_0_ym19_1_1549930379084_9643">-Each User can be a member of any number of named groups. (should there be a limit on number of groups?)</div><div id="yui_3_16_0_ym19_1_1549930379084_9644">-The authentication groups can be configured using the portal UI.</div><div id="yui_3_16_0_ym19_1_1549930379084_9645">-These groups can be referenced in MNTNER objects by a new authentication method ´SSO-LIR´.</div><div id="yui_3_16_0_ym19_1_1549930379084_9646"><br id="yui_3_16_0_ym19_1_1549930379084_9647"></div><div id="yui_3_16_0_ym19_1_1549930379084_9411"></div><div dir="ltr" id="yui_3_16_0_ym19_1_1549930379084_9648"><br id="yui_3_16_0_ym19_1_1549930379084_9649"></div><div class="qtdSeparateBR" id="yui_3_16_0_ym19_1_1549930379084_9412"><br><br></div><div class="yahoo_quoted" id="yui_3_16_0_ym19_1_1549930379084_9422" style="display: block;"> <div style="font-family: Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;" id="yui_3_16_0_ym19_1_1549930379084_9421"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif; font-size: 16px;" id="yui_3_16_0_ym19_1_1549930379084_9420"> <div dir="ltr" id="yui_3_16_0_ym19_1_1549930379084_9419"> <font size="2" face="Arial" id="yui_3_16_0_ym19_1_1549930379084_9418"> <hr size="1" id="yui_3_16_0_ym19_1_1549930379084_9417"> <b><span style="font-weight:bold;">From:</span></b> Tore Anderson via db-wg <db-wg@ripe.net><br> <b><span style="font-weight: bold;">To:</span></b> Piotr Strzyzewski <Piotr.Strzyzewski@polsl.pl> <br><b><span style="font-weight: bold;">Cc:</span></b> db-wg@ripe.net; Aleksi Suhonen <Aleksi.Suhonen@axu.tm>; db-wg-chairs@ripe.net<br> <b><span style="font-weight: bold;">Sent:</span></b> Monday, 11 February 2019, 8:49<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [db-wg] Idea: magic mntner for all LIR contacts<br> </font> </div> <div class="y_msg_container" id="yui_3_16_0_ym19_1_1549930379084_9423"><br><div dir="ltr" id="yui_3_16_0_ym19_1_1549930379084_9424">Chairs,<br clear="none"><br clear="none">According to the process document linked to by Piotr, you are supposed to<br clear="none">respond to NWI requests with either «yes» or «no».<br clear="none"><br clear="none">More than a month has elapsed since I requested the NWI and the last<br clear="none">message was posted to this thread. When should I expect your answer?<br clear="none"><br clear="none">Tore<br clear="none"><br clear="none">* Tore Anderson via db-wg<div class="yqt7749444187" id="yqtfd94573"><br clear="none">> * Piotr Strzyzewski via db-wg<br clear="none">> <br clear="none">>> Look at this page<br clear="none">>> <a shape="rect" href="https://www.ripe.net/manage-ips-and-asns/db/numbered-work-items" target="_blank">https://www.ripe.net/manage-ips-and-asns/db/numbered-work-items</a><br clear="none">>> and start new NWI.<br clear="none">> <br clear="none">> Thanks for the pointer!<br clear="none">> <br clear="none">> Chairs (cc-ed), could we have an NWI for this?<br clear="none">> <br clear="none">> Rough problem statement for the kickstart phase follows:<br clear="none">> <br clear="none">> There is currently no way to automatically sync the «auth: SSO <a shape="rect" ymailto="mailto:x@y" href="mailto:x@y">x@y</a>»<br clear="none">> attributes for a maintainer object with the list of (non-billing) users<br clear="none">> associated with an LIR.<br clear="none">> <br clear="none">> This leads to duplication of work (adding/removing newly hired/departed<br clear="none">> LIR administrators in two places).<br clear="none">> <br clear="none">> Additionally, this increases the risk of unauthorised access, e.g., if an<br clear="none">> administrator has left an LIR but was only removed from the LIR portal,<br clear="none">> he might inappropriately retain access to manage database objects for the<br clear="none">> LIR in question.<br clear="none">> <br clear="none">> It is therefore desirable to have a method to protect RIPE database<br clear="none">> objects so that they can be maintained by the list of (non-billing)<br clear="none">> user accounts currently associated with a specific LIR at any given<br clear="none">> time. That is, when a RIPE NCC Access account is removed from the LIR's<br clear="none">> user list, the database maintainer access should be automatically<br clear="none">> revoked for that account as well.<br clear="none">> <br clear="none">> Tore<br clear="none">> <br clear="none"><br clear="none"><br clear="none"></div></div><br><br></div> </div> </div> </div></div></body></html>