Operating Systems & Information Services, CERN IT Department, CH-1211 Geneva 23, Switzerland, www.cern.ch/it, OIS: The new Account Management, Identity, Authentication,

Presentation transcript:

The new Account Management: Identity, Authentication, Authorization Policies
ACCU, March 9, 2010
IT-OIS

Account Management: What's new?
On 22 November 2010, a new Account Management system was introduced
–Replacing the old CRA system
–Introduced new policies and concepts
Next objectives
–Medium to long term: policies review
–Procedures are being adapted, optimized and reviewed
–Massive cleanup of data and rules being done
–Consolidation of all the services involved

IAA Definition
                 Answers the question          Attributes
Identity         "Who are you?"                Public assertion
Authentication   "Ok, how can you prove it?"   Secret response
Authorization    "What can I do?"              Token or ticket; Access control
Identity:
–Human Identity: FOUNDATION (GS/AIS)
–Computer Identity (accounts): FIM (IT/OIS)
Authentication:
–Active Directory, Kerberos, Single Sign-On, LDAP, SOAP (IT/OIS)
Authorization:
–E-Groups to maintain access control lists (GS/AIS)

Account Model: Account types
Primary account
–Automatically created
–Call Service Desk to enable
Secondary account
–Belongs to the user
–Deleted when the user leaves CERN
Service account
–Assigned to the user
–Can be reassigned
–Reassigned to supervisor when user leaves CERN

End-User Perspective: What's new?
Actions are either Automated or Self-Service based
–The end-user connects to a Self-Service Web Portal
User Arrival
–The Primary account is automatically created
–First activation through Service Desk
–Follow course and sign OC5 security rules within 5 days maximum
Account Management
–Users can create and manage optional Secondary and Service accounts through the Web Portal
–Ownership of Service accounts can be transferred to avoid orphan accounts
Service Management
–Service Management Web page presents to the user a global view of: the computing resources he owns, the list of services he has subscribed to and the available options for each of them
User Departure
–Service accounts are reassigned to the supervisor if the user has not reassigned them proactively.
–Account disabled 2 months after departure, deleted after 6 months

User Experience: Self Service tools


E-Groups: Computing Groups
Computing Groups were migrated to E-Groups
–Specific Unix/AFS groups
Group administrators decide how to manage their groups:
–Static membership
–Dynamic criteria
–Both (nested groups)
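The three management modes listed above combine in one resolver. As an added example (not part of the presentation and not CERN's E-Groups service code), the following Python sketch resolves the effective membership of a group that may hold static logins, a dynamic criterion over user attributes, and nested groups, then renders it as a Unix group entry. The users, groups, attribute names and predicate-based criteria syntax are all constructed for illustration; note the guard that lets a cyclic nesting terminate instead of recursing forever.

```python
"""Added example (not from the presentation or CERN's E-Groups service):
resolving the effective membership of E-Groups that mix static members,
dynamic criteria and nested groups, and rendering one as a Unix group entry.
All users, groups and the predicate-based criteria syntax are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


@dataclass(frozen=True)
class User:
    login: str
    experiment: str
    department: str


@dataclass
class EGroup:
    name: str
    static_members: Set[str] = field(default_factory=set)     # explicit logins
    criteria: Optional[Callable[[User], bool]] = None          # dynamic rule over user attributes
    nested: Set[str] = field(default_factory=set)              # names of member groups


def resolve_members(name: str, groups: Dict[str, EGroup], users: Dict[str, User],
                    _visiting: Optional[Set[str]] = None) -> Set[str]:
    """Return the effective set of logins in group ``name``.

    Static members, users matching the dynamic criterion and the members of
    every nested group are unioned.  A nested group that refers back to a group
    currently being expanded is skipped, so cyclic definitions terminate
    instead of recursing forever (its members are collected by the outer call).
    """
    if _visiting is None:
        _visiting = set()
    if name in _visiting:
        return set()
    group = groups[name]
    _visiting.add(name)
    members = set(group.static_members)
    if group.criteria is not None:
        members |= {u.login for u in users.values() if group.criteria(u)}
    for child in group.nested:
        members |= resolve_members(child, groups, users, _visiting)
    _visiting.discard(name)
    return members


def as_unix_group(name: str, gid: int, groups: Dict[str, EGroup], users: Dict[str, User]) -> str:
    """Render the resolved group in /etc/group format (name:x:gid:member,member)."""
    return f"{name}:x:{gid}:" + ",".join(sorted(resolve_members(name, groups, users)))


# Constructed sample data.
USERS: Dict[str, User] = {u.login: u for u in [
    User("alice", experiment="ATLAS", department="PH"),
    User("bob", experiment="CMS", department="PH"),
    User("carol", experiment="ATLAS", department="IT"),
    User("dave", experiment="", department="IT"),
]}

GROUPS: Dict[str, EGroup] = {g.name: g for g in [
    EGroup("atlas-members", criteria=lambda u: u.experiment == "ATLAS"),
    EGroup("cms-members", criteria=lambda u: u.experiment == "CMS"),
    EGroup("it-dep", criteria=lambda u: u.department == "IT"),
    # Mixed: one static member plus two nested groups.
    EGroup("lhc-computing", static_members={"dave"}, nested={"atlas-members", "cms-members"}),
    # Deliberately cyclic pair to show that expansion still terminates.
    EGroup("loop-a", static_members={"alice"}, nested={"loop-b"}),
    EGroup("loop-b", static_members={"bob"}, nested={"loop-a"}),
]}

if __name__ == "__main__":
    for g in ("atlas-members", "lhc-computing", "loop-a"):
        print(g, "->", sorted(resolve_members(g, GROUPS, USERS)))
    print(as_unix_group("atlas-members", 1001, GROUPS, USERS))
```

Because dynamic criteria are re-evaluated on every resolution, a user who changes experiment drops out of the old group and appears in the new one without any administrator action, which is exactly what makes a dynamic group safer than a hand-maintained static list for access control.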

Multiple Computing Groups: New Feature
Users changing Experiment were not easily covered by the old system
Users can now be members of several computing groups
–When working on several Experiments
–No need to create many secondary accounts
Tools now make it easy to change the primary Computing Group
–Permanently (the old one remains available at any time)
–Temporarily

Users' departure policy
When a user's contract ends + 2 months:
–Primary and secondary accounts disabled
–Same policy for everyone
–Decreasing to 1 month will increase security
Supervisor can ask the Service Desk for an extension
–Such a Blocking Exception should become a new HR feature / status (investigation in progress)
Decrease exceptions
–Understanding the need for exceptions will help to cover them with normal procedures.
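The account model, the departure steps on the End-User Perspective slide and this departure policy describe one offboarding schedule. As an added example (not part of the presentation and not CERN's FIM code), the following Python sketch evaluates that schedule for one leaver: service accounts still owned by the leaver are reassigned to the supervisor once the contract has ended, and primary and secondary accounts are disabled 2 months and deleted 6 months after the reference date. The Person and Account structures, the blocking_exception_until field, and the rule that a granted extension restarts the 2-month/6-month clock from its own end date are assumptions; the sample people, accounts and dates are constructed.

```python
"""Added example (not from the presentation or CERN's FIM): evaluating the
users' departure policy for one leaver's accounts.  The Person/Account
structures, the ``blocking_exception_until`` field, and the rule that a granted
extension restarts the 2-month/6-month schedule from its end date are assumptions."""
import calendar
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, List, Optional, Tuple

DISABLE_AFTER_MONTHS = 2   # primary/secondary accounts disabled at reference date + 2 months
DELETE_AFTER_MONTHS = 6    # ... and deleted at reference date + 6 months


class AccountType(Enum):
    PRIMARY = "primary"
    SECONDARY = "secondary"
    SERVICE = "service"


@dataclass
class Account:
    login: str
    kind: AccountType
    owner: str             # login of the person who owns / is assigned the account


@dataclass
class Person:
    login: str
    supervisor: str
    contract_end: Optional[date] = None
    blocking_exception_until: Optional[date] = None   # extension granted via the Service Desk (assumed field)


def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    years, month0 = divmod(d.month - 1 + n, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


Action = Tuple[str, str, str]   # (action, account login, target supervisor or "")


def departure_actions(person: Person, accounts: List[Account], today: date) -> List[Action]:
    """Return the actions due today for the accounts still owned by ``person``.

    Service accounts are reassigned to the supervisor as soon as the contract has
    ended; ones the user already transferred no longer have this owner and are
    untouched.  Primary and secondary accounts are disabled DISABLE_AFTER_MONTHS
    and deleted DELETE_AFTER_MONTHS after the reference date, which is the
    contract end or, if later, the end of a granted blocking exception (assumed).
    """
    if person.contract_end is None or today < person.contract_end:
        return []                       # still under contract: nothing to do
    reference = person.contract_end
    if person.blocking_exception_until and person.blocking_exception_until > reference:
        reference = person.blocking_exception_until
    disable_on = add_months(reference, DISABLE_AFTER_MONTHS)
    delete_on = add_months(reference, DELETE_AFTER_MONTHS)

    actions: List[Action] = []
    for acc in accounts:
        if acc.owner != person.login:
            continue
        if acc.kind is AccountType.SERVICE:
            actions.append(("reassign", acc.login, person.supervisor))
        elif today >= delete_on:
            actions.append(("delete", acc.login, ""))
        elif today >= disable_on:
            actions.append(("disable", acc.login, ""))
    return sorted(actions)


# Constructed sample data: alice leaves on 2011-01-31; a second record carries an extension.
ALICE = Person("alice", supervisor="bob", contract_end=date(2011, 1, 31))
ALICE_EXTENDED = Person("alice", supervisor="bob", contract_end=date(2011, 1, 31),
                        blocking_exception_until=date(2011, 4, 30))
ACCOUNTS = [
    Account("alice", AccountType.PRIMARY, owner="alice"),
    Account("alice2", AccountType.SECONDARY, owner="alice"),
    Account("svc-build", AccountType.SERVICE, owner="alice"),   # not transferred: goes to supervisor
    Account("svc-web", AccountType.SERVICE, owner="bob"),       # transferred proactively before leaving
]
SAMPLE_DAYS = (date(2011, 1, 15), date(2011, 2, 15), date(2011, 4, 1), date(2011, 7, 1), date(2011, 8, 1))


def demo() -> Dict[str, List[Action]]:
    """Evaluate both sample records on each sample day; keys are 'label@ISO-date'."""
    out: Dict[str, List[Action]] = {}
    for person, label in ((ALICE, "alice"), (ALICE_EXTENDED, "alice+ext")):
        for today in SAMPLE_DAYS:
            out[f"{label}@{today.isoformat()}"] = departure_actions(person, ACCOUNTS, today)
    return out


if __name__ == "__main__":
    for key, acts in demo().items():
        print(key, acts)
```

Running the evaluator daily against the HR contract-end date, rather than waiting for a ticket, is what makes "same policy for everyone" enforceable; the extension case shows why the slide wants the blocking exception recorded as an HR status, since otherwise the evaluator has no authoritative field to read it from.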

A few numbers to conclude
Total: Accounts
Since FIM started on 22 November:
–876 Accounts activated
  Primary: 555
  Secondary: 118
  Service: 200
–Primary Accounts activated per month (new persons):
  November 2010: 51
  December 2010: 112
  January 2011: 199
  February 2011: 162
  March 2011: 111

Questions?