<html><head></head><body><div style="color:#000; background-color:#fff; font-family:Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div id="yui_3_16_0_ym19_1_1549997004702_36117"><span>Hi All</span></div><div id="yui_3_16_0_ym19_1_1549997004702_36179"><span><br></span></div><div dir="ltr" id="yui_3_16_0_ym19_1_1549997004702_36357"><span id="yui_3_16_0_ym19_1_1549997004702_36356">We had a long discussion on this in January. I don't see any objections to this NWI so I would like the NCC to add this to the web page list of NWIs with the Problem Definition shown below. Can you arrange that Ed?</span></div><div dir="ltr" id="yui_3_16_0_ym19_1_1549997004702_36366"><span><br></span></div><div dir="ltr" id="yui_3_16_0_ym19_1_1549997004702_36355"><span id="yui_3_16_0_ym19_1_1549997004702_36367">Then we can move onto more discussion about the Solution Definition.</span></div><div dir="ltr" id="yui_3_16_0_ym19_1_1549997004702_36354"><span><br></span></div><div dir="ltr" id="yui_3_16_0_ym19_1_1549997004702_36353"><span>cheers</span></div><div dir="ltr" id="yui_3_16_0_ym19_1_1549997004702_36334"><span>denis</span></div><div dir="ltr" id="yui_3_16_0_ym19_1_1549997004702_36352"><span>co-chair DB-WG</span></div><div class="qtdSeparateBR" id="yui_3_16_0_ym19_1_1549997004702_36118"><br><br></div><div class="yahoo_quoted" id="yui_3_16_0_ym19_1_1549997004702_36122" style="display: block;"> <div style="font-family: Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;" id="yui_3_16_0_ym19_1_1549997004702_36121"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif; font-size: 16px;" id="yui_3_16_0_ym19_1_1549997004702_36120"> <div dir="ltr" id="yui_3_16_0_ym19_1_1549997004702_36119"> <font size="2" face="Arial"> <hr size="1"> <b><span style="font-weight:bold;">From:</span></b> Cynthia Revström via db-wg <db-wg@ripe.net><br> <b><span style="font-weight: bold;">To:</span></b> Tore Anderson <tore@fud.no> <br><b><span style="font-weight: bold;">Cc:</span></b> "db-wg@ripe.net" <db-wg@ripe.net><br> <b><span style="font-weight: bold;">Sent:</span></b> Tuesday, 12 February 2019, 14:10<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [db-wg] NWI-8 LIR´s SSO Authentication Groups<br> </font> </div> <div class="y_msg_container" id="yui_3_16_0_ym19_1_1549997004702_36234"><br><div dir="ltr" id="yui_3_16_0_ym19_1_1549997004702_36233">Personally I prefer an authentication scheme over a magic maintainer as <br clear="none">you might want to be able to have a PGP auth or MD5 auth too as backup <br clear="none">or for some IPAM software.<br clear="none"><br clear="none">I do however realize that this might be a bit harder as last time I <br clear="none">looked at the SSO parts of the WHOIS server source code, there was no <br clear="none">real integration with the real website in it other than the crowd cookie <br clear="none">check.<br clear="none"><br clear="none">So while you could implement the magic maintainer with something <br clear="none">external like a "task" that runs every night, a new auth scheme would <br clear="none">require integration between the main website and the WHOIS source code.<br clear="none"><br clear="none">Also something like a magic maintainer could be implemented quite <br clear="none">quickly I assume, where as a new auth scheme would take a lot longer (I <br clear="none">am assuming).<br clear="none"><br clear="none">But all things considered, I do still prefer a new auth scheme for the <br clear="none">reasons I mentioned above.<br clear="none"><br clear="none">Kind regards,<br clear="none">Cynthia Revström<br clear="none"><div class="yqt6699078335" id="yqtfd22286"><br clear="none">On 2019-02-12 13:59, Tore Anderson via db-wg wrote:<br clear="none">> Hi Denis, and thanks!<br clear="none">><br clear="none">> I agree in principle, wbut would like to add the following bullet point to<br clear="none">> the Solution Definition:<br clear="none">><br clear="none">> - There should be an automatic/implicit authentication group that contains<br clear="none">> all LIR user accounts with admin/regular entitlement level.<br clear="none">><br clear="none">> This is, after all, my primary motivation for making the request. The<br clear="none">> ability to create custom groups containing subsets of this «all» group is<br clear="none">> not important to me.<br clear="none">><br clear="none">> I'd also suggest to let the NCC know that the implementation could be<br clear="none">> staged if that is more convenient to them (i.e., implement database<br clear="none">> integration for the «all» group first, do the LIR Portal UI stuff for<br clear="none">> creating custom groups in a version 2.0).<br clear="none">><br clear="none">> I'd also like to avoid being too prescriptive about the exact nomenclature<br clear="none">> and implementation details (e.g., an authentication method called<br clear="none">> «SSO-LIR») as I'd prefer to give the NCC's engineers freedom to come up<br clear="none">> with what they consider the best solution.<br clear="none">><br clear="none">> [For example, imagine these groups could be referenced directly in<br clear="none">> mnt-by/ref/etc. attributes instead. Then many (most?) LIRs would no longer<br clear="none">> need to create any mntner objects at all, they could simply reference<br clear="none">> their implicit «all» group directly. This would seem like a more user-<br clear="none">> friendly and simple solution than require all LIRs to create a «glue»<br clear="none">> mntner object. I don't know if this is doable or even desirable from the<br clear="none">> NCC's point of view, but I would like them to have the freedom to consider<br clear="none">> such solutions too.]<br clear="none">><br clear="none">> FWIW, the LIR Portal page is titled «User Accounts». An user account can<br clear="none">> have one of three pre-defined entitlement levels:<br clear="none">><br clear="none">> Admin - «The Administrator will have full access to RIPE NCC services plus<br clear="none">> the right to manage other LIR contacts»<br clear="none">> Regular - «The Operator will have full access to RIPE NCC services»<br clear="none">> Billing - «The Billing user will have access to RIPE NCC billing<br clear="none">> information only»<br clear="none">><br clear="none">> Tore<br clear="none">><br clear="none">> * denis walker via db-wg<br clear="none">>> Hi Tore<br clear="none">>><br clear="none">>> Sorry for the delay. This was on my ToDo list but just hadn´t got to that point yet.<br clear="none">>><br clear="none">>> The DB-WG chairs agree this is suitable to be added to the list of Numbered Work Items as ¨NWI-8 LIR´s SSO Authentication Groups¨<br clear="none">>><br clear="none">>> I think the discussion we had in January, ending with Nick´s summary, could form the basis of the Problem Definition and the start of the Solution Definition.<br clear="none">>><br clear="none">>> Lets focus on the Problem Definition first. I have included a draft Solution Definition below just to remind people where the discussion in January lead to.<br clear="none">>><br clear="none">>> Do we agree on the Problem definition shown below?<br clear="none">>> Just to get the terminology correct, in the portal UI are people referred to as ´users´ or ´contacts´?<br clear="none">>><br clear="none">>> cheers<br clear="none">>> denis<br clear="none">>> co-chair DB-WG<br clear="none">>><br clear="none">>><br clear="none">>> Problem Definition<br clear="none">>><br clear="none">>> LIRs would like a mechanism to easily add/remove users to centralised SSO authentication groups for maintaining objects in the RIPE Database.<br clear="none">>><br clear="none">>><br clear="none">>> (Draft) Solution Definition<br clear="none">>><br clear="none">>> -Technical Users listed in an LIR´s portal account, who have an SSO authentication account, can be added to and removed from user defined SSO authentication groups.<br clear="none">>> -Each User can be a member of any number of named groups. (should there be a limit on number of groups?)<br clear="none">>> -The authentication groups can be configured using the portal UI.<br clear="none">>> -These groups can be referenced in MNTNER objects by a new authentication method ´SSO-LIR´.<br clear="none">>><br clear="none">>><br clear="none">>><br clear="none">>><br clear="none">>> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br clear="none">>> *From:* Tore Anderson via db-wg <<a shape="rect" ymailto="mailto:db-wg@ripe.net" href="mailto:db-wg@ripe.net">db-wg@ripe.net</a>><br clear="none">>> *To:* Piotr Strzyzewski <<a shape="rect" ymailto="mailto:Piotr.Strzyzewski@polsl.pl" href="mailto:Piotr.Strzyzewski@polsl.pl">Piotr.Strzyzewski@polsl.pl</a>><br clear="none">>> *Cc:* <a shape="rect" ymailto="mailto:db-wg@ripe.net" href="mailto:db-wg@ripe.net">db-wg@ripe.net</a>; Aleksi Suhonen <<a shape="rect" ymailto="mailto:Aleksi.Suhonen@axu.tm" href="mailto:Aleksi.Suhonen@axu.tm">Aleksi.Suhonen@axu.tm</a>>; <a shape="rect" ymailto="mailto:db-wg-chairs@ripe.net" href="mailto:db-wg-chairs@ripe.net" id="yui_3_16_0_ym19_1_1549997004702_36287">db-wg-chairs@ripe.net</a><br clear="none">>> *Sent:* Monday, 11 February 2019, 8:49<br clear="none">>> *Subject:* Re: [db-wg] Idea: magic mntner for all LIR contacts<br clear="none">>><br clear="none">>> Chairs,<br clear="none">>><br clear="none">>> According to the process document linked to by Piotr, you are supposed to<br clear="none">>> respond to NWI requests with either «yes» or «no».<br clear="none">>><br clear="none">>> More than a month has elapsed since I requested the NWI and the last<br clear="none">>> message was posted to this thread. When should I expect your answer?<br clear="none">>><br clear="none">>> Tore<br clear="none">>><br clear="none">>> * Tore Anderson via db-wg<br clear="none">>><br clear="none">>>> * Piotr Strzyzewski via db-wg<br clear="none">>>><br clear="none">>>>> Look at this page<br clear="none">>>>> <a shape="rect" href="https://www.ripe.net/manage-ips-and-asns/db/numbered-work-items" target="_blank">https://www.ripe.net/manage-ips-and-asns/db/numbered-work-items</a><br clear="none">>>>> and start new NWI.<br clear="none">>>> Thanks for the pointer!<br clear="none">>>><br clear="none">>>> Chairs (cc-ed), could we have an NWI for this?<br clear="none">>>><br clear="none">>>> Rough problem statement for the kickstart phase follows:<br clear="none">>>><br clear="none">>>> There is currently no way to automatically sync the «auth: SSO <a shape="rect" ymailto="mailto:x@y" href="mailto:x@y">x@y</a> <mailto:<a shape="rect" ymailto="mailto:x@y" href="mailto:x@y">x@y</a>>»<br clear="none">>>> attributes for a maintainer object with the list of (non-billing) users<br clear="none">>>> associated with an LIR.<br clear="none">>>><br clear="none">>>> This leads to duplication of work (adding/removing newly hired/departed<br clear="none">>>> LIR administrators in two places).<br clear="none">>>><br clear="none">>>> Additionally, this increases the risk of unauthorised access, e.g., if an<br clear="none">>>> administrator has left an LIR but was only removed from the LIR portal,<br clear="none">>>> he might inappropriately retain access to manage database objects for the<br clear="none">>>> LIR in question.<br clear="none">>>><br clear="none">>>> It is therefore desirable to have a method to protect RIPE database<br clear="none">>>> objects so that they can be maintained by the list of (non-billing)<br clear="none">>>> user accounts currently associated with a specific LIR at any given<br clear="none">>>> time. That is, when a RIPE NCC Access account is removed from the LIR's<br clear="none">>>> user list, the database maintainer access should be automatically<br clear="none">>>> revoked for that account as well.<br clear="none">>>><br clear="none">>>> Tore<br clear="none">>>><br clear="none">>><br clear="none">>><br clear="none">>><br clear="none"><br clear="none"></div></div><br><br></div> </div> </div> </div></div></body></html>