[RUS-WG] Do we need RUS::ListAssignedRoles?

Gilbert Netzer noname at pdc.kth.se
Thu Jul 5 05:05:52 CDT 2007


Hi everybody,

I just have a short question about a part of the tracker artf5934
(https://forge.gridforum.org/sf/go/artf5934?nav=1) concerning the new
RUS::ListAssignedRoles operation:

Maybe I got confused here, but should not the user/client specify which
role she wants and then either provide the RUS server with some assertion
from a third party (e.g. an attribute certificate) or have the server check
with this party (some sort of pull mode) to get such an assertion? Is not
the whole point of roles that the same user/client (the same identity) can
at one instance be a normal user with restricted privileges and at another
instance be an administrator with much greater privileges?

In any case, the user's identity should be established by the transport
layer during the authentication phase and not be given as an input parameter.
The operation would have to check anyway that you are not trying to look at
the roles of another user.

Another question concerning this is how you would manage some session state
if the roles are not transported with the request. In this case the RUS
server would have to remember the user roles for some time or ask for an
assertion to get all the roles during each request, and how would you
choose the role in this case.

In the end I am also wondering if this role assignment would not be queried
using another service interface like the VOMS interface and should they not
already have such an operation (or is it an API call to extract it from the
credentials)?

Comments please!
I also added the text to the GridForge tracker so that we can keep track of
this thread.

Best Regards
Gilbert Netzer
PDC
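
Added example (not part of the original message or of the RUS specification): a sketch of the design point raised above, where the caller's identity comes from transport-layer authentication, an identity passed as an input parameter can never widen access, and the client names the role it wants for a request. All names (AuthenticatedPeer, list_assigned_roles, select_role, the sample DNs) are hypothetical, and plain string equality stands in for proper DN comparison.

```python
# Added illustration; every name here is hypothetical and not part of RUS.
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when a request exceeds what the authenticated identity may do."""


@dataclass(frozen=True)
class AuthenticatedPeer:
    # Subject DN of the client certificate verified during the transport-layer
    # handshake. It is never read from the message body.
    subject_dn: str


# Constructed sample data: subject DN -> roles assigned to that identity.
ROLE_ASSIGNMENTS = {
    "CN=alice,O=ExampleVO": {"user", "administrator"},
    "CN=bob,O=ExampleVO": {"user"},
}


def list_assigned_roles(peer, requested_subject=None):
    """Return the roles of the authenticated caller, sorted by name.

    requested_subject models an identity supplied as an input parameter.
    It is accepted only when it equals the authenticated identity, so a
    caller cannot use it to look at another user's roles.
    """
    if requested_subject is not None and requested_subject != peer.subject_dn:
        raise AccessDenied("caller may only list its own roles")
    return sorted(ROLE_ASSIGNMENTS.get(peer.subject_dn, set()))


def select_role(peer, wanted_role):
    """Activate the single role the client asks for on this request."""
    if wanted_role not in ROLE_ASSIGNMENTS.get(peer.subject_dn, set()):
        raise AccessDenied("role not assigned to the authenticated identity")
    return wanted_role
```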



