
* Koren, Meshna (ELS-AMS) M.Koren@elsevier.com [2019-04-29 10:11]:
As an SP, we would like to keep access authorization and usage statistics use cases separate.
I think we all agree on this and just because the discussion moved fromone to the other doesn't mean anyone suggested differently.
The main reason for that is that all authorization attributes must be configured by our teams, in advance, in our systems
Well, not if SPs adopted the "common-lib-terms" entitlement value approach, at least optionally (i.e., checking that first and then falling back to whatever else they support) -- that's invariant and the same for everyone. What always needs to be configured is whether an institution is a (paying) customer, of course. We can't take that away from you as otherwise anyone could just self-assert to be a customer of yours. ;)
But for non-academic customers such as government or medical that's different, and even more so for the corporate world. The corporate world is moving onto SAML-based authentication fast. They are driven by different rules (and software limitations) and of course you may ask why should you care... but for us it would have been simpler if these same schemas and recommendations worked for them, too. It would have been useful to be able to point them and/or their software vendors to such documents rather than trying to explain to them how the (rest of the) world works.
If you have concrete suggestions or problem statements about the status quo we can certainly try to suggest or agree on something. The above doesn't really help me do that, yet.
But again - authorization and statistic are two different use cases.
Yup.
Best regards, -peter