Permit Server Feature Change

On Thursday, January 12, 2006 at 5:00 AM, the Permit Server was changed with respect to how it internally handles the deletion of permit assignments. A permit assignment which receives a deletePermit command is now deleted regardless of its reference count.

This is an internal change that matters only to users who use and support software which manipulates permits; it will not affect other Permit Server users. For those interested in the details of the change, more information is below.

Details

In 1995, the Permit Server was designed with a feature called reference counts. A NetID could be assigned the same permit more than once, and the Permit Server would keep track of the total number of those assignments. If a permit assignment received a "delete command", the permit assignment was not necessarily removed. Its reference count was decremented by 1, and the permit assignment would only be removed if the resulting reference count was 0.

For example, if the NetID yyz5 had been assigned the permit YouReallyGotMe 5 times, it would have a reference count of 5. If a permit admin tried to delete the YouReallyGotMe permit assignment for yyz5, the resulting reference count would then be 4. That means if the Permit Server got a query asking "Is yyz5 assigned the permit named YouReallyGotMe?", the Permit Server would still respond "Yes".

It would take 4 more of these "deletes" to get this reference count to 0. Then if the Permit Server got a query asking "Is yyz5 assigned the permit named YouReallyGotMe?", the Permit Server would respond "No".

This was considered an advanced authorization feature allowing multiple departments to assign and update the same permit. The following section of the original Permit Server documentation explains the rationale.

The [reference count] is needed to allow different departments to update the same permit.

For example, many people in the Cornell community are allowed to download Eudora and use the POP mail service. A user might be authorized to use mail by the registrar's office based on the fact that they are a student, and they may be authorized by human resources based on the fact that they are an employee. This should result in [a reference count of] 2.

If the user graduates and remains an employee, the registrar's office will delete their permit, but the [reference] count will only go down by 1, so they are still authorized based on the fact they are an employee.

Likewise, if the user remains a student but leaves employment, the human resources office would delete their permit, but they should retain access to mail based on the fact that they are a student.

The reference count feature was never used by departments. It has caused some confusion when deleting permits and sometimes creates extra "hand work". For those reasons, the reference count feature in the Permit Server has been modified. Permits can now be easily deleted, regardless of their reference counts.
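
The difference between the two delete behaviours described above, as an added example (not the Permit Server's own code or API): a toy in-memory model in Python, where the class, method and parameter names are hypothetical and only the yyz5 / YouReallyGotMe scenario comes from this page.

```python
# Added illustration: a toy in-memory model, not the Permit Server's code or API.
from collections import Counter


class PermitStore:
    """Tracks (NetID, permit) assignments with a reference count per pair."""

    def __init__(self, refcounted_delete):
        # True  = pre-change behaviour: a delete decrements the count
        # False = post-change behaviour: a delete removes the assignment outright
        self.refcounted_delete = refcounted_delete
        self.counts = Counter()

    def assign(self, netid, permit):
        self.counts[(netid, permit)] += 1

    def delete_permit(self, netid, permit):
        key = (netid, permit)
        if key not in self.counts:
            return False  # no such assignment
        if self.refcounted_delete and self.counts[key] > 1:
            self.counts[key] -= 1  # assignment survives with a lower count
        else:
            del self.counts[key]  # assignment is gone; queries now answer "No"
        return True

    def is_assigned(self, netid, permit):
        return (netid, permit) in self.counts


def demo(refcounted_delete, times=5):
    """Assign the permit `times` times, delete once, then count extra deletes."""
    store = PermitStore(refcounted_delete)
    for _ in range(times):
        store.assign("yyz5", "YouReallyGotMe")
    store.delete_permit("yyz5", "YouReallyGotMe")
    answer_after_one = store.is_assigned("yyz5", "YouReallyGotMe")
    extra = 0
    while store.is_assigned("yyz5", "YouReallyGotMe"):
        store.delete_permit("yyz5", "YouReallyGotMe")
        extra += 1
    return answer_after_one, extra


if __name__ == "__main__":
    print("before change:", demo(True))   # still "Yes" after one delete, 4 more needed
    print("after change: ", demo(False))  # "No" after one delete, 0 more needed
```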

Permit Management

Developer Information

CUWebAuth knows how to use Permit Server for central authorization, and configuration information is provided in the documentation.

If you have a service which needs to access Permit Server directly, the recommended method is to use the Cit.WsAuthorization web service. To request access to this web service, send e-mail to aadssupport@cornell.edu.

If you need to access Permit Server directly via CUSSP, send e-mail to aadssupport@cornell.edu.