Technical Topics in Privilege Management

Minh N. Nguyen, Stanford University
Advanced CAMP, July 1, 2004

Copyright Minh N. Nguyen, 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Enabling Systems to Use Signet
- How will you use Signet for:
  - Defining privileges
  - Assigning privileges
  - Managing the lifecycle of privileges
  - Provisioning privileges
- What will you need to make Signet work?
  - More data…
  - Develop provisioning connectors

What Signet Provides
- Command line interface to load privileges
- Web application to assign privileges
- Command line interface to bulk load assignments
- Assignment lifecycle processor
- Privileges XML document output for provisioning
- GUI to define privileges (later phase)

Users of Signet
Tool -> User
- Command line interface to load privileges -> Analyst
- Web application to assign privileges -> End user
- Command line interface to bulk load assignments; assignment lifecycle processor -> System
- Privileges XML document output for provisioning -> System, Helpdesk
- GUI to define privileges

Technologies
- Java based
- JSP & Servlet
- JDBC
- JNDI
- RDBMS for persistent store
- Tomcat or any servlet engine
- XML output

Defining and Loading Privileges
- Defined using building blocks: subsystem, function, entitlement…
- Function
  - The assignable widget
  - Can be hierarchical (e.g. view, update)
- Entitlement
  - Used in the Privileges XML document

Scope and Prerequisite
- Scope
  - Via plug-in connector, e.g. from the organization registry
  - External data loaded locally, e.g. from the HR system
- Prerequisite
  - Via plug-in connector, e.g. from the directory
  - External data loaded locally, e.g. from the LMS

Loading Privileges Demo

Identity Management for Signet
- Finding the right person to assign privileges to
- Linking people and identifiers
- Affiliation data as a condition of assignment
- Local person and identifier tables in Signet

Delegating Privileges
- Chain of authority from person to person
- Bootstrap grantor
  - Requirement that the sysadmin not be the super grantor
  - Designate a high-level officer (e.g. the provost)
  - Recorded as a system-proxied assignment on behalf of the high-ranking person

Assignment Considerations
- What to do when two grantors have assigned the same privilege to the same person:
  - Allow
  - Warn, but allow
  - Don't allow
- Auto-reinstatement of a system-revoked assignment
- How to easily grant privileges to a new hire:
  - Clone another person's privileges
  - Granting template
- How to "adjust" privileges after a re-organization

Assigning Proxy
- Acting proxy: designating someone to temporarily act on your behalf
  - For how long?
- Granting proxy: someone who can grant privileges for you
  - Proxy for all of your privileges
  - May need the capability to designate only a subset of privileges
  - Can have more than one proxy
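The three slides above (chain of authority from a bootstrap grantor, the policy for two grantors assigning the same privilege, and granting proxies limited to a subset of functions) are all checks made at grant time. The following Python is an added illustration, not Signet's code: the data model, the scope tree, the proxy record and every name in it are constructed assumptions, chosen only to show how the checks compose.

```python
"""Chain-of-authority check for assigning privileges (added example, not Signet code).

Assumed model: every assignment records who granted it and whether the grantee may
re-grant it; scopes form a tree; a granting proxy lets someone grant on a principal's
behalf for a subset of functions until a date; the bootstrap assignment is recorded
as the system acting on behalf of a high-level officer.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Organization scope tree, child -> parent (constructed sample data).
SCOPE_PARENT = {
    "univ": None,
    "school-of-medicine": "univ",
    "dept-radiology": "school-of-medicine",
    "dept-surgery": "school-of-medicine",
}

def scope_covers(outer, inner):
    """True if `outer` is `inner` or one of its ancestors in the scope tree."""
    node = inner
    while node is not None:
        if node == outer:
            return True
        node = SCOPE_PARENT[node]
    return False

@dataclass(frozen=True)
class Assignment:
    grantee: str
    function: str                      # e.g. "hr:approve-timecard"
    scope: str
    grantor: str                       # "system" only for the bootstrap assignment
    grantable: bool                    # may the grantee delegate this further?
    proxied_for: Optional[str] = None  # whose authority the grantor exercised, if not their own

@dataclass(frozen=True)
class GrantingProxy:
    principal: str        # person whose granting authority is delegated
    proxy: str            # person allowed to grant on the principal's behalf
    functions: frozenset  # functions the proxy may grant; empty means all of them
    expires: date

class PrivilegeStore:
    def __init__(self, duplicate_policy="warn"):
        self.assignments, self.proxies, self.warnings = [], [], []
        self.duplicate_policy = duplicate_policy   # "allow" | "warn" | "deny"

    def bootstrap(self, officer, function, scope):
        """System-proxied grant to a high-level officer, so the sysadmin is never the super grantor."""
        a = Assignment(officer, function, scope, grantor="system", grantable=True, proxied_for=officer)
        self.assignments.append(a)
        return a

    def holds_grantable(self, person, function, scope):
        return any(a.grantee == person and a.function == function and a.grantable
                   and scope_covers(a.scope, scope) for a in self.assignments)

    def authority_for(self, grantor, function, scope, today):
        """Person whose authority backs a grant by `grantor`, or None if nobody's does."""
        if self.holds_grantable(grantor, function, scope):
            return grantor
        for p in self.proxies:
            if (p.proxy == grantor and p.expires >= today
                    and (not p.functions or function in p.functions)
                    and self.holds_grantable(p.principal, function, scope)):
                return p.principal
        return None

    def grant(self, grantor, grantee, function, scope, grantable=False, today=None):
        today = today or date.today()
        if grantor == grantee:
            raise PermissionError("a grantor cannot assign a privilege to themselves")
        backer = self.authority_for(grantor, function, scope, today)
        if backer is None:
            raise PermissionError(f"{grantor} has no authority over {function} in {scope}")
        dups = [a for a in self.assignments
                if a.grantee == grantee and a.function == function and a.scope == scope]
        if dups and self.duplicate_policy == "deny":
            raise ValueError(f"{grantee} already holds {function} in {scope} (granted by {dups[0].grantor})")
        if dups and self.duplicate_policy == "warn":
            self.warnings.append(f"{grantor} duplicated {function}@{scope} for {grantee}")
        a = Assignment(grantee, function, scope, grantor=grantor, grantable=grantable,
                       proxied_for=None if backer == grantor else backer)
        self.assignments.append(a)
        return a

    def chain_of_authority(self, assignment):
        """Follow grantor links back to the bootstrap assignment (the audit view of delegation)."""
        chain = [assignment]
        while chain[-1].grantor != "system":
            a = chain[-1]
            backer = a.proxied_for or a.grantor
            chain.append(next(p for p in self.assignments
                              if p.grantee == backer and p.function == a.function
                              and p.grantable and scope_covers(p.scope, a.scope)))
        return chain

def demo():
    store = PrivilegeStore(duplicate_policy="warn")
    today = date(2004, 7, 1)
    store.bootstrap("provost", "hr:approve-timecard", "univ")
    store.grant("provost", "dean-med", "hr:approve-timecard", "school-of-medicine",
                grantable=True, today=today)
    # The dean lets an assistant grant this one function on the dean's behalf for the year.
    store.proxies.append(GrantingProxy("dean-med", "assistant",
                                       frozenset({"hr:approve-timecard"}), date(2004, 12, 31)))
    a = store.grant("assistant", "rad-manager", "hr:approve-timecard", "dept-radiology", today=today)
    chain = [x.grantee for x in store.chain_of_authority(a)]
    try:   # the dean's authority stops at the school; "univ" is out of scope
        store.grant("dean-med", "someone", "hr:approve-timecard", "univ", today=today)
        out_of_scope_rejected = False
    except PermissionError:
        out_of_scope_rejected = True
    # A second grantor assigns the same privilege to the same person: "warn" lets it through.
    store.grant("dean-med", "rad-manager", "hr:approve-timecard", "dept-radiology", today=today)
    return chain, out_of_scope_rejected, len(store.warnings)
```

`demo()` returns the chain `rad-manager -> dean-med -> provost` even though the assistant did the granting: the proxied grant records the dean as the backing authority, so the audit trail never dead-ends at a proxy with no privileges of their own. Switching the store to `duplicate_policy="deny"` turns the final duplicate grant into a `ValueError`.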

Assigning Privilege Demo

Assignment Lifecycle
- Assignment condition changes:
  - Expiration date passes
  - Affiliation changes
  - Prerequisite satisfied
  - Handled by the lifecycle processor
- Privilege definition changes:
  - New entitlement added to an existing function
  - New prerequisite added to an existing entitlement

Bulk Loading Assignments
- Initial seeding of assignments
- Applies the same rules as the UI for assigning privileges

User Notifications
- Assignment created/modified/activated
- Assignment pending for 7 and 30 days
- Assignment expires within 7 and 30 days
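The lifecycle processor and the notification schedule above are one job: re-evaluate every assignment's conditions (expiration, affiliation, prerequisite) against current identity data, move it between states, and raise the 7- and 30-day notices. The Python below is an added example, not Signet's code; the three-state model, the auto-reinstatement rule for system-revoked assignments (from the Assignment Considerations slide), the field names and the sample people are constructed assumptions.

```python
"""Lifecycle processor for privilege assignments, with notification triggers.

Added example, not Signet's code.  Assumed state model: an assignment stays
"pending" until its prerequisites and affiliation condition hold, is "active"
while they hold, and becomes "inactive" when it expires or a condition lapses.
An assignment the processor itself deactivated is reinstated automatically once
its condition holds again; one revoked by a person is not.  Notices fire on the
exact day, which assumes the processor runs once per day.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

NOTICE_DAYS = (7, 30)

@dataclass
class Assignment:
    id: str
    grantee: str
    function: str
    required_affiliation: Optional[str]  # e.g. "staff"; None means no affiliation condition
    prerequisites: frozenset             # e.g. {"training:ferpa"}, satisfied via LMS data
    expires: Optional[date]
    status: str = "pending"              # pending | active | inactive
    status_since: date = date(2004, 1, 1)
    revoked_by_system: bool = False      # True when the processor, not a person, deactivated it

@dataclass
class PersonFacts:
    """What the identity system currently says about one person (constructed)."""
    affiliations: set
    completed: set

def evaluate(a, facts, today):
    """Status the assignment should have today, given current facts."""
    if a.expires is not None and today > a.expires:
        return "inactive"
    conditions_hold = ((a.required_affiliation is None or a.required_affiliation in facts.affiliations)
                       and a.prerequisites <= facts.completed)
    if conditions_hold:
        return "active"
    # Never-activated assignments keep waiting; active ones lapse.
    return "pending" if a.status == "pending" else "inactive"

def notifications(a, today):
    """Reminder events due today for one assignment."""
    out = []
    if a.status == "pending":
        out += [(a.id, f"pending-{n}d") for n in NOTICE_DAYS if (today - a.status_since).days == n]
    if a.status == "active" and a.expires is not None:
        out += [(a.id, f"expires-in-{n}d") for n in NOTICE_DAYS if (a.expires - today).days == n]
    return out

def process(assignments, people, today):
    """One lifecycle run: apply status transitions in place and return the events raised."""
    events = []
    for a in assignments:
        facts = people.get(a.grantee, PersonFacts(set(), set()))
        new = evaluate(a, facts, today)
        if a.status == "inactive" and not a.revoked_by_system:
            new = "inactive"   # revoked by a person: only a person may reinstate it
        if new != a.status:
            a.revoked_by_system = (new == "inactive")
            events.append((a.id, f"{a.status}->{new}"))
            a.status, a.status_since = new, today
        events.extend(notifications(a, today))
    return events

def demo():
    people = {
        "alice": PersonFacts({"staff"}, {"training:ferpa"}),
        "bob": PersonFacts({"staff"}, set()),   # has not finished the prerequisite
        "carol": PersonFacts(set(), set()),     # affiliation ended
    }
    assignments = [
        Assignment("a1", "alice", "sis:view-grades", "staff", frozenset({"training:ferpa"}), date(2004, 7, 8)),
        Assignment("a2", "bob", "sis:view-grades", "staff", frozenset({"training:ferpa"}), None,
                   status_since=date(2004, 6, 24)),
        Assignment("a3", "carol", "hr:approve-timecard", "staff", frozenset(), None, status="active"),
    ]
    day1 = process(assignments, people, date(2004, 7, 1))
    people["bob"].completed.add("training:ferpa")   # LMS reports the training done
    people["carol"].affiliations.add("staff")       # HR re-hires carol
    day2 = process(assignments, people, date(2004, 7, 2))
    return day1, day2
```

On the first run alice's assignment activates and immediately gets its 7-day expiry notice, bob's still-pending assignment gets its 7-day pending notice, and carol's active assignment is revoked by the system because her affiliation is gone. On the second run bob's prerequisite is satisfied and carol's affiliation is back, so both move to active; carol's reinstatement happens only because the processor, not a person, had revoked it.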

Provisioning Privileges
- Transaction history table in the database
- Privileges represented in an XML document
- Provisioning strategy:
  - Asynchronous messaging
  - Batch transfer
  - eduPersonEntitlement attribute

Provisioning Example (diagram)
1) authority:privileges -> Events DB
2) Harvest event -> XML Document Service
3) Privileges XML -> Oracle Financials Harvester
4) Updates Oracle -> Oracle DB

Provisioning Considerations
- Periodic reconciliation between Signet and applications
- Agreement not to make local changes
- Local privileges not defined in Signet
- Access not based on an assigned privilege in Signet
- Synchronizing the scope tree between Signet and applications
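The provisioning slides above describe three pieces: the privilege manager emits a Privileges XML document (or eduPersonEntitlement values), a target application's harvester consumes it, and a periodic reconciliation catches local grants nobody made in Signet. The Python below is an added example, not Signet's code: the element names, the `urn:mace:example.edu:...` entitlement prefix and the sample rows are constructed for illustration, since the slides do not show Signet's real Privileges XML schema.

```python
"""Provisioning a privileges document and reconciling it with a target application.

Added example, not Signet's own code.  The XML element names, the entitlement URN
prefix and all sample rows are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ENTITLEMENT_PREFIX = "urn:mace:example.edu:signet"   # assumed naming convention

# What the privilege manager currently considers active: (grantee, subsystem, function, scope)
SIGNET_ACTIVE = [
    ("jdoe", "financials", "approve-po", "dept-radiology"),
    ("jdoe", "financials", "view-ledger", "dept-radiology"),
    ("asmith", "financials", "approve-po", "dept-surgery"),
    ("asmith", "sis", "view-grades", "dept-surgery"),   # another subsystem; financials ignores it
]

def entitlement_uri(subsystem, function, scope):
    """eduPersonEntitlement value for one privilege, for release through the directory."""
    return f"{ENTITLEMENT_PREFIX}:{subsystem}:{function}:{scope}"

def privileges_xml(assignments):
    """Serialize active assignments grouped by subject as a Privileges XML document."""
    root = ET.Element("privileges")
    by_subject = {}
    for grantee, subsystem, function, scope in assignments:
        by_subject.setdefault(grantee, []).append((subsystem, function, scope))
    for grantee in sorted(by_subject):
        subj = ET.SubElement(root, "subject", id=grantee)
        for subsystem, function, scope in sorted(by_subject[grantee]):
            priv = ET.SubElement(subj, "privilege", subsystem=subsystem, function=function, scope=scope)
            ET.SubElement(priv, "entitlement").text = entitlement_uri(subsystem, function, scope)
    return ET.tostring(root, encoding="unicode")

def harvest(xml_text, subsystem):
    """Target-side harvester: parse the document and keep only this subsystem's privileges.

    The document arrives from the privilege manager over a trusted channel here; a
    document from an untrusted source should go through a hardened parser such as
    defusedxml rather than the standard library's ElementTree.
    """
    wanted = set()
    for subj in ET.fromstring(xml_text).findall("subject"):
        for priv in subj.findall("privilege"):
            if priv.get("subsystem") == subsystem:
                wanted.add((subj.get("id"), priv.get("function"), priv.get("scope")))
    return wanted

def reconcile(desired, actual):
    """Periodic reconciliation: what the application must grant or revoke to match Signet."""
    return {
        "grant": sorted(desired - actual),    # assigned in Signet, missing in the application
        "revoke": sorted(actual - desired),   # local grant with no backing Signet assignment
    }

def demo():
    doc = privileges_xml(SIGNET_ACTIVE)
    desired = harvest(doc, "financials")
    # Constructed local security table of the financials application.
    local = {
        ("jdoe", "approve-po", "dept-radiology"),
        ("bwong", "approve-po", "dept-surgery"),   # added locally, never defined in Signet
    }
    return reconcile(desired, local)
```

`demo()` reports two grants the application is missing and one local grant to revoke; that revoke entry is exactly the "local privileges not defined in Signet" case the slide warns about, and a reconciliation job that only adds and never removes would leave it in place indefinitely.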

Access to PM System
- Who should have access?
  - Any authenticated body
  - Only people who have assignments
  - Only grantors
- Can anyone be assigned privileges?
  - People in the academic/administrative community
- Authentication mechanism
  - External to Signet
  - Authentication plugin (eventually…)

Audit
- Discrepancy report between PM and target
- Who had what privilege at some point in the past?
- Who granted the privilege?
- Need a way to trace a transaction in an application back to the authorization in Signet
- Grantors want detailed reports on who has privileges scoped to their organization
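Every question on the Audit slide can be answered from the transaction history table mentioned under Provisioning Privileges, provided it is append-only and every grant and revoke records the actor and a timestamp. The Python below is an added example, not Signet's code; the row layout, the sample rows and the application audit-trail entries are constructed assumptions.

```python
"""Point-in-time audit over an append-only assignment transaction history.

Added example, not Signet's code.  The row layout (grant/revoke events with actor
and timestamp) and the sample rows are constructed assumptions.
"""
from datetime import datetime
from typing import NamedTuple

class Txn(NamedTuple):
    ts: datetime
    action: str       # "grant" | "revoke"
    grantee: str
    function: str
    scope: str
    actor: str        # who did it; "lifecycle-processor" for automatic revocations
    reason: str = ""

HISTORY = [   # constructed sample rows, deliberately out of order: replay sorts them
    Txn(datetime(2004, 7, 2, 8, 0), "grant", "jdoe", "financials:approve-po", "dept-radiology", "rad-manager"),
    Txn(datetime(2004, 3, 1, 9, 0), "grant", "jdoe", "financials:approve-po", "dept-radiology", "dean-med"),
    Txn(datetime(2004, 4, 15, 10, 30), "grant", "asmith", "financials:approve-po", "dept-surgery", "dean-med"),
    Txn(datetime(2004, 6, 30, 23, 59), "revoke", "jdoe", "financials:approve-po", "dept-radiology",
        "lifecycle-processor", "affiliation ended"),
]

def privileges_at(history, when):
    """Replay grants and revokes up to `when`; map (grantee, function, scope) -> granting row."""
    state = {}
    for t in sorted(history, key=lambda row: row.ts):
        if t.ts > when:
            break
        key = (t.grantee, t.function, t.scope)
        if t.action == "grant":
            state[key] = t
        elif t.action == "revoke":
            state.pop(key, None)
    return state

def who_granted(history, grantee, function, scope, when):
    """The transaction that authorized a privilege held at `when`, or None if it was not held."""
    return privileges_at(history, when).get((grantee, function, scope))

def holders_in_scope(history, scope, when):
    """Grantor's report: who holds which function in one organization at `when`."""
    return sorted((g, f) for (g, f, s) in privileges_at(history, when) if s == scope)

def unauthorized(history, app_log):
    """Application transactions that cannot be traced back to an assignment in force at that time."""
    return [e for e in app_log if who_granted(history, e[1], e[2], e[3], e[0]) is None]

APP_LOG = [   # constructed financials audit trail: (timestamp, user, function, scope)
    (datetime(2004, 6, 15, 14, 0), "jdoe", "financials:approve-po", "dept-radiology"),
    (datetime(2004, 7, 1, 9, 30), "jdoe", "financials:approve-po", "dept-radiology"),  # between revoke and re-grant
    (datetime(2004, 7, 3, 11, 0), "asmith", "financials:approve-po", "dept-surgery"),
]

def demo():
    fn, scope = "financials:approve-po", "dept-radiology"
    march = who_granted(HISTORY, "jdoe", fn, scope, datetime(2004, 3, 15))
    july1 = who_granted(HISTORY, "jdoe", fn, scope, datetime(2004, 7, 1, 12, 0))
    july3 = who_granted(HISTORY, "jdoe", fn, scope, datetime(2004, 7, 3))
    return {
        "granted_by_in_march": march.actor,
        "held_on_july_1": july1 is not None,
        "granted_by_on_july_3": july3.actor,
        "surgery_holders_july_3": holders_in_scope(HISTORY, "dept-surgery", datetime(2004, 7, 3)),
        "unauthorized_app_events": [e[0] for e in unauthorized(HISTORY, APP_LOG)],
    }
```

The interesting answer is the one `unauthorized()` flags: a purchase order jdoe approved on 1 July, after the lifecycle processor revoked the privilege on 30 June and before the manager re-granted it on 2 July. A snapshot of current privileges would call that approval legitimate, because jdoe holds the privilege again; only replaying the history to the transaction's own timestamp exposes the gap, which is why the audit trail must keep revokes rather than deleting rows.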

Monitoring & Diagnostic
- URL to probe the status of the web application:
  - Heap memory usage
  - Connector availability (e.g. database, directory)
- Log diagnostic events for correlation

Getting Ready for Signet
- Deploy an identity management system
- Build an organization registry (scope source)
- Data source for the prerequisite condition (affiliation)
- Identify a system which can be Signet-enabled (it doesn't have to be big)
- Introduce Signet concepts to your campus
- Join the Signet working group