Lessons Learned from AuthZ Project an Authorization Center

Parviz Dousti, IT Consulting Engineer, Computing Service, Carnegie Mellon University, Oct. 1st 2012.

Lessons Learned from AuthZ Project an Authorization Center
Carnegie Mellon University
Parviz Dousti

Driving Forces
- Alumni Email For Life
- Central Administration of Policies

Services
- Network Access (Netreg, Dialup, VPN)
- Cluster Login Access
- Portal Access
- Library Access
- Software Download
- Email Access

Policies, e.g.:
- Softdist: accounts where owner's affiliation is in {Faculty, Special Faculty, Staff} + accounts where owner's affiliation is Student and owner's SIS category is "Enrolled".
- Policy: accounts where owner's affiliation is in {Faculty, Special Faculty, Staff, Student} + accounts where owner's affiliation is Alum and owner's Student Class is "2004".

Conceptual Design

Priorities
- Easiest for Applications and Services
- Extensibility
- Using Standards

Why LDAP
- Standard and unambiguous protocol
- Already used by most apps
- Existing Authentication/Authorization Env.
- Most policy attributes are already there

LDAP at CMU
- OpenLDAP
- Trigger Server
- SQL (Oracle) backend

Trigs

SQL-backed LDAP
- Uses ODBC to contact an RDBMS
- Can add, modify, delete LDAP entries
- LDAP users don't know the difference...
- So we can use the RDBMS to help with data consistency

First Design
- Using LDAP Group Membership as Authorization: Service = Group
- Maintaining static aclGroups using Oracle triggers
- Using XACML for policy

First Design

First Design Problems
- Notion of time not allowed in Policy
- Policy/Attributes mapping
- Oracle 9i and Java 1.4
- Transactional Problem

Latest Design

Latest Design AuthZ questions:
- isAuthorized
- authorizedTo
- allAuthorized
- whenAuthorizedThen
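As an added illustration (not code from the CMU project), the two example policies from the Policies slide written as predicates over per-account attributes, with the first three AuthZ questions from this slide answered against them. The attribute names (affiliation, sis_category, student_class), the service name alumni_email for the second policy, and the sample accounts are assumptions constructed for the example; whenAuthorizedThen is omitted because the slides do not define its semantics.

```python
"""Added example: attribute-based policies from the Policies slide plus the
isAuthorized / authorizedTo / allAuthorized questions from the Latest Design
slide. Attribute names, the 'alumni_email' service name and the sample
accounts below are assumptions, not taken from the CMU deployment."""

# Constructed sample directory: account -> attributes an LDAP entry might carry.
ACCOUNTS = {
    "alice": {"affiliation": "Faculty"},
    "bob":   {"affiliation": "Student", "sis_category": "Enrolled"},
    "carol": {"affiliation": "Student", "sis_category": "Leave of Absence"},
    "dave":  {"affiliation": "Alum", "student_class": "2004"},
    "erin":  {"affiliation": "Alum", "student_class": "1999"},
    "frank": {"affiliation": "Staff"},
}

def softdist_policy(a):
    """Softdist: {Faculty, Special Faculty, Staff} + Students whose SIS category is Enrolled."""
    return (a.get("affiliation") in {"Faculty", "Special Faculty", "Staff"}
            or (a.get("affiliation") == "Student" and a.get("sis_category") == "Enrolled"))

def alumni_email_policy(a):
    """Second slide policy: {Faculty, Special Faculty, Staff, Student} + Alums of class 2004."""
    return (a.get("affiliation") in {"Faculty", "Special Faculty", "Staff", "Student"}
            or (a.get("affiliation") == "Alum" and a.get("student_class") == "2004"))

# Service -> policy predicate. Applications ask the center; they never evaluate policy themselves.
POLICIES = {"softdist": softdist_policy, "alumni_email": alumni_email_policy}

def is_authorized(account, service, accounts=ACCOUNTS):
    """isAuthorized: unknown accounts and unknown services fail closed (False)."""
    policy = POLICIES.get(service)
    attrs = accounts.get(account)
    return bool(policy and attrs is not None and policy(attrs))

def authorized_to(account, accounts=ACCOUNTS):
    """authorizedTo: every service the account may use, sorted by name."""
    return sorted(s for s in POLICIES if is_authorized(account, s, accounts))

def all_authorized(service, accounts=ACCOUNTS):
    """allAuthorized: every account the service's policy admits. This is the set the
    first design materialised as a static aclGroup; here it is computed on demand,
    so an attribute change is reflected on the next query without a trigger."""
    return sorted(a for a in accounts if is_authorized(a, service, accounts))
```

Because the policies are evaluated against current attributes, the set answered by all_authorized changes as soon as an account's affiliation or SIS category does, which is the consistency the trigger-maintained aclGroups of the first design had to work to keep.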