Signet & Privilege Management
2004 Internet2 Spring Members meeting
Minh Nguyen, Lynn McRae, Stanford University
4/8/2019
What is the Signet project?
- Internet2/MACE project, NSF funded
- Part of the AuthZ core middleware initiative
- A privilege management system and toolkit
- Related work:
  - Recipe document derived from Stanford's Authority Management experiences
  - Case studies on related authority practices
Recipe topics
- Concepts
- Ingredients for success
- External information dependencies, e.g., person data
- Business processes
- Lessons learned
- Other case studies
What is the Signet product?
- Software to define an organization's privilege system
- Software to manage the privilege information
- A web user interface for assigning and viewing privilege information
- A schema to record privilege information
- Components/APIs for integrating with other systems
Signet and AuthZ
- An integrated source for administering privilege data
- Not an authorization service: Signet does not make run-time access decisions
- Integrates with authorization mechanisms, which consume the privilege data it manages
Why Signet?
- System-independent privilege management
- Central repository of privilege data
- Simplifies authority policy and its management
- Helps apply rules consistently across systems
- Supports role-based authority via groups
Privileges building blocks
- Business view
  - Subsystems
  - Categories
  - Functions
  - Tasks
- System view
  - Entitlements
Subsystems
- Highest unit of organization; defines domains of ownership and responsibility
- One built-in subsystem to manage the other authority subsystems
- Reflect real-world organizational boundaries and areas of responsibility
- Can be large or small
Categories
- Group privileges into topics within a subsystem
- Organize data logically for the UI and reports
- Some control features, e.g., choose one vs. choose many
Function/Tasks/Entitlements
Entitlement integration
Assignment scope
- Places privileges in a hierarchical context
- Defines the privilege umbrella
- Distributed delegation via a chain of authority: "you can only give what you have"
- Independent of the personnel hierarchy
Assignment building blocks
- Limits
  - Simple limits, e.g., a spending limit
  - Scoped limits: apply to things "owned" by items in the hierarchy
- Having vs. delegating authority
Assignment building blocks
- Assigning privileges to groups
  - Groups may represent roles
  - Privileges that you have as an individual
  - Privileges via group membership
- Prerequisites (auto-activation)
- Conditions (auto-revocation)
Assignment example
As soon as you are a principal investigator (role, via group) and have completed training (prerequisite), you can approve purchases (function) in the School of Medicine (scope) for your projects, up to $100,000 (limit), until January 1, 2006 (condition).
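As an added illustration (not Signet's code, schema or API), the Python sketch below models the assignment concepts from the preceding slides: a scope hierarchy that defines the privilege umbrella, the "you can only give what you have" delegation check, simple limits, having vs. delegating authority, group grantees standing in for roles, prerequisites (auto-activation), conditions (auto-revocation), and the system view as entitlement values. It then runs the slide's example. All names are assumptions: the scopes, the people and groups, the "Purchasing" subsystem, the entitlement URN and the "Signet" root grantor are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date

# Scope hierarchy, child -> parent. Names are constructed for this example.
SCOPE_PARENT = {"Stanford": None, "School of Medicine": "Stanford",
                "Dept of Genetics": "School of Medicine", "School of Law": "Stanford"}

def scope_within(scope, umbrella):
    """True if `scope` is `umbrella` itself or lies beneath it in the hierarchy."""
    while scope is not None:
        if scope == umbrella:
            return True
        scope = SCOPE_PARENT[scope]
    return False

@dataclass(frozen=True)
class Function:
    subsystem: str     # business view: the subsystem that owns the function
    name: str
    entitlement: str   # system view: the value an authorization mechanism consumes

@dataclass
class Assignment:
    grantor: str
    grantee: str                  # a person, or a group standing in for a role
    function: Function
    scope: str                    # privilege umbrella: covers everything beneath it
    limit: "int | None"           # simple limit (e.g. spending); None = unlimited
    can_delegate: bool            # having vs. delegating authority
    prerequisites: frozenset = frozenset()   # all must hold before it activates
    expires: "date | None" = None            # condition: auto-revoked on this date

@dataclass
class PrivilegeStore:
    assignments: list = field(default_factory=list)
    memberships: dict = field(default_factory=dict)  # subject -> groups / prerequisites met
    root_grantor: str = "Signet"  # built-in subsystem that seeds authority (assumed name)

    def active(self, a, subject, today):
        """Grantee matches directly or via group, prerequisites met, condition not fired."""
        groups = self.memberships.get(subject, set())
        if (a.grantee != subject and a.grantee not in groups) or not a.prerequisites <= groups:
            return False
        return a.expires is None or today < a.expires

    def holds(self, subject, function, scope, today, amount=0, delegate=False):
        """Some active assignment covers `scope` and `amount` (None = unlimited) and, if asked, delegation."""
        for a in self.assignments:
            if a.function != function or not self.active(a, subject, today):
                continue
            if not scope_within(scope, a.scope):
                continue
            if a.limit is not None and (amount is None or amount > a.limit):
                continue
            if delegate and not a.can_delegate:
                continue
            return True
        return False

    def grant(self, a, today):
        """You can only give what you have: delegable authority at or above the scope, limit >= the one given."""
        if a.grantor != self.root_grantor and not self.holds(
                a.grantor, a.function, a.scope, today, amount=a.limit, delegate=True):
            return False   # refused: grantor lacks delegable authority covering this assignment
        self.assignments.append(a)
        return True

    def entitlements(self, subject, scope, today):
        """System view: entitlement values effective for `subject` within `scope`."""
        return sorted({a.function.entitlement for a in self.assignments
                       if self.active(a, subject, today) and scope_within(scope, a.scope)})

TODAY, EXPIRY = date(2005, 6, 1), date(2006, 1, 1)
# Subsystem name and entitlement string are assumptions, not values from the Signet project.
APPROVE = Function("Purchasing", "approve purchases", "urn:mace:example.edu:purchasing:approve")

def run_scenario():
    """The slide's example (PI role + training => approve purchases, School of Medicine, $100,000, until 2006-01-01)."""
    store = PrivilegeStore(memberships={"alice": {"principal investigator", "purchasing training"},
                                        "bob": {"principal investigator"}})  # bob: no training yet
    # The built-in subsystem seeds the dean with unlimited, delegable authority over the school.
    store.grant(Assignment("Signet", "dean", APPROVE, "School of Medicine", None, True), TODAY)
    # The dean assigns to the PI role (a group) with prerequisite, limit and expiry condition.
    store.grant(Assignment("dean", "principal investigator", APPROVE, "School of Medicine",
                           100_000, False, frozenset({"purchasing training"}), EXPIRY), TODAY)
    gen = "Dept of Genetics"
    out = {"alice_50k": store.holds("alice", APPROVE, gen, TODAY, 50_000),
           "alice_150k": store.holds("alice", APPROVE, gen, TODAY, 150_000),
           "bob_untrained": store.holds("bob", APPROVE, gen, TODAY, 1_000),
           "alice_expired": store.holds("alice", APPROVE, gen, EXPIRY, 1_000),
           "alice_entitlements": store.entitlements("alice", gen, TODAY),
           "alice_delegates": store.grant(Assignment("alice", "carol", APPROVE, gen, 1_000, False), TODAY)}
    # A chair with delegable $100,000 authority confined to one department.
    store.grant(Assignment("dean", "chair", APPROVE, gen, 100_000, True), TODAY)
    out["chair_over_limit"] = store.grant(Assignment("chair", "carol", APPROVE, gen, 200_000, False), TODAY)
    out["chair_over_scope"] = store.grant(Assignment("chair", "carol", APPROVE, "School of Medicine", 1_000, False), TODAY)
    out["chair_ok"] = store.grant(Assignment("chair", "carol", APPROVE, gen, 20_000, False), TODAY)
    out["carol_20k"] = store.holds("carol", APPROVE, gen, TODAY, 20_000)
    return out
```

The point of the sketch is the separation the slides draw: `grant()` is the administrative side (who may hand out what, checked against the grantor's own delegable assignments), while `holds()` and `entitlements()` are the system view an authorization mechanism would consume; Signet itself stores the assignments and leaves the run-time decision to that mechanism. Alice's assignment is not delegable, so she cannot pass it on even though she holds it; the chair can delegate, but only within the department and only up to the $100,000 the dean gave.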
Other features
- Designated drivers
  - Authority-granting proxy
  - Acting proxy
- Notification
- Audit history
Signet architecture
- Platform neutral: Java
- Component-based for maintainability and extensibility
- Web-based user interface for easy access
- Supports middleware standards, e.g., eduPerson
- Will support end-to-end diagnostics
Signet components
Signet technologies
- J2EE technologies
  - JSP and Servlet
  - JDBC
  - JNDI
  - No Entity EJB
- RDBMS for persistent store
  - Database neutral: ANSI SQL access
  - Object/relational mapping framework, e.g., Hibernate
- XML
Project participants
- Development partners
  - "Open source" development model
  - Design specification participants
  - Code contributions, e.g., connectors
- Early adopters
  - Variety of business needs
  - Variety of technical environments
For more information…
- The project web site: http://middleware.internet2.edu/signet/
- Email list: signet@internet2.edu
- Advanced CAMP authority architecture workshop, June 30-July 2