Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau 2004. This work is the intellectual property of the authors. Permission is granted for.

Slides:



Advertisements
Similar presentations
Office of Information Technology Affiliates/Guests – Who are these people and how do we give them services? Copyright, Barbara Hope, University of Maryland,
Advertisements

Evaluating a Mass Notification Service for Campus Wide Communication Lori Sundal Georgia Institute of Technology EDUCAUSE Southeast Regional Conference.
Copyright Sylvia Maxwell and Michael White, This work is the intellectual property of the author. Permission is granted for this material to be shared.
University of Notre Dame Office of Information Technologies March 26, Maintaining the Right Balance Using the Project Charter to Set IT Project Prioritization.
1 Extending Authenticated Online Services with "Friend Accounts" at Washington State University Brian Foley Technology Architect/Application Developer.
Lesson 17: Configuring Security Policies
Using Levels of Assurance Renee Shuey nmi-edit CAMP: Charting Your Authentication Roadmap February 8, 2007.
Delivering Windows OS Updates at Yale with SUS EDUCAUSE Security Professionals Workshop May 17, 2004 Washington DC Ken Hoover, Systems Programmer
DESIGNING A PUBLIC KEY INFRASTRUCTURE
Method: systematically gather citations by KU faculty and approach those faculty for permission to deposit on their behalf articles published in journals.
The Homegrown Single Sign On (SSO) Project at UM – St. Louis.
JA-SIG CAS Enterprise Single Sign-On Scott Battaglia Application Developer Enterprise Systems & Services Rutgers, the State University of New Jersey Copyright.
Identity Management: The Legacy and Real Solutions Project Overview.
Pam Downs Ajay Gupta The Pennsylvania Prince George’s State University Community College "Copyright Penn State University This work is the intellectual.
Providing and Managing Technology Training Providing & Managing Technology Training Susan McKibben The University of Akron.
FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT Electronic Signatures This work is the intellectual property of the author. Permission is granted for this material.
Copyright Anthony K. Holden, This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,
MIT ROLES DB Internet 2 Authority Architectures CAMP, June 2004.
Planning for Ecological Diversity in New Learning Environments: Interoperability Between Libraries and Course Management Systems Louis King, University.
1 Securing Network Resources Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions Copying and Moving Files and Folders.
Moving Your Paperwork Online Western Washington University E-Sign Web Forms Copyright Western Washington University, This work is the intellectual.
So You Want to Switch Course Management Systems? We Have! Come Find Out What We’ve Learned. Copyright University of Okahoma This work is the intellectual.
CAMP - June 4-6, Copyright Statement Copyright Robert J. Brentrup and Mark J. Franklin This work is the intellectual property of the authors.
Learning Management Systems Camp June 2004 Barry R Ribbeck UT HSC Houston Copyright, Barry Ribbeck, This work is the intellectual property of the.
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,
Identity Management – Why and How Experiences at CU-Boulder Copyright Linda Drake, Director of Development and Integration, University of Colorado, Boulder,
Enriching Identity Through Groups EDUCAUSE Distributed Access Management CAMP Joy Veronneau Cornell University, Identity Management November 8, 2006.
EDUCAUSE April 25, 2006Enforcing Compliance with Security Policies … Enforcing Compliance of Campus Security Policies Through a Secure Identity Management.
Sharing MU's SharePoint Experience 2005 Midwest Regional Conference Innovative Use of Technology: Getting IT Done Wednesday, March 23, 2005.
Collaborative Associate of Arts Degrees. Collaboration In thought a good idea Every one wants to be invited to the dance. Sharing sounds good. In deed.
Sharing Information and Controlling Content: Continuing Challenges for Higher Education Susanna Frederick Fischer Assistant Professor Columbus School of.
Beyond the Campus Gates: Bringing Alumni, Parents, and Prospects into the Campus Portal William P. Wilson Mark R. Albert John C. Duffy Gettysburg College.
Catalyst Portfolio Tool Copyright Tom Lewis, This work is the intellectual property.
NERCOMP Managing Campus Affiliates Managing Campus Affiliates Faculty? Student? Faculty? Student? Staff? Criss Laidlaw Director of Administrative.
Office of Information Technology Balancing Technology and Privacy – the Directory Conundrum January 2007 Copyright Barbara Hope and Lori Kasamatsu 2007.
Integrating Applications with the Directory Andrea Beesing CIT/Integration and Delivery June 25, 2002.
Identity Management: The Legacy and Real Solutions MIIS Implementation.
Cornell University Replacing a System that (sorta) Works Tom Parker Joy Veronneau Identity Management Team OIT/CIT Security Office Central Authorization.
Discussion Panelists: Justin C. Klein Keane Sr. Information Security Specialist University of Pennsylvania Jonathan Hanny Application Security Specialist.
Developing Applications for SSO Justen Stepka Authentisoft, LLC
Signet and Grouper A Use Case Study for Central Authorization at Cornell University March 2006.
Authority Process & Policy   Advanced CAMP July 9, 2003 Copyright Sandra Senti This work is the intellectual property of the author. Permission.
Copyright © 2003, The University of Texas at Austin. This work is the intellectual property of the author. Permission is granted for this material to be.
Getting Everyone "On Board" for a Major IT Project Presentation to CUMREC MAY 16, 2002 Warren Mills, CEO Copyright Advantiv, Inc This work is the.
The Unexpected Webification of FRS Financial Records System or Steve Machuga Gil Thornfeldt “A funny thing happened on the way to electronic forms” Copyright.
1 Presenters: Lucretia Parham Sara Connor Armstrong Atlantic State University October 30, :45 – 12:35 Copyright Sara Connor and Lucretia Parham,
©Stephen Kingham SIP Protocol overview SIP Workshop APAN Taipei Taiwan 23rd Aug 2005 By Stephen Kingham
Integration is Critical for Success Curriculum Course Delivery Ongoing Support Instructor & Learner.
1 Effective Incident Response Presented by Greg Hedrick, Manager of Security Services Copyright Purdue University This work is the intellectual property.
Quickly Establishing A Workable IT Security Program EDUCAUSE Mid-Atlantic Regional Conference January 10-12, 2006 Copyright Robert E. Neale This.
WebISO, Single Sign-On & Authorization General Overview Shelley Henderson Project Manager, Grid Software USC Information Services Copyright.
NMI-EDIT and Rice University Federated Identity Management: Managing Access to Resources in Texas Barry Ribbeck Director System Architecture and Infrastructure.
Chief Information Officer Effectiveness in Higher Education Wayne Brown, Ph.D. Copyright Wayne Brown This work is the intellectual property of the.
Copyright Michael White and Sylvia Maxwell, This work is the intellectual property of the author. Permission is granted for this material to be shared.
Building Preservation Environments with Data Grid Technology Reagan W. Moore Presenter: Praveen Namburi.
Software sales at U Waterloo Successfully moved software sales online Handle purchases from university accounts Integrated with our Active Directory and.
University of Southern California Identity and Access Management (IAM)
Julian Hooker Assistant Managing Director Educause Southwest
Defining an IT Workflow, from Request to Support
Copyright Notice Copyright Bob Bailey This work is the intellectual property of the author. Permission is granted for this material to be shared.
University of Southern California Identity and Access Management (IAM)
Privilege Management: the Big Picture
Project for OnLine Instructional Support (POLIS)
myIS.neu.edu – presentation screen shots accompany:
Signet Privilege Management
An App A Day Copyright Tina Oestreich and Brian Yuhnke This work is the intellectual property of the author. Permission is granted for this material.
Technical Topics in Privilege Management
Managing Enterprise Directories: Operational Issues
Signet Privilege Management
Presentation transcript:

Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors. Permits and Cornell Panel Discussion Talking Points - Centralized Authorization Services at Cornell University Tom Parker And the Identity Management Team at Cornell University

Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors. Got a Permit? Central Authorization at Cornell is generically handled by something called the Permit Server The Permit Server maps groups of NetIDs to “permits” A permit is just a string token, such as “cit.staff” or “cu.student” On the permit server, we might see something like this table:

Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors. Got a Permit? PERMIT NAME LIST OF NETIDs cit.staff bbb1,..., cjm5,..., jtp5,..., rd29,..., zyz9 cu.employee aaa1,..., cjm5,..., jtp5,..., rd29,..., zzz999 cu.proxyanother list of netids

Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors. How are they Obtained? Through the hiring process (staff) Through the admissions process (students) Individuals wishing to restrict a specialized service may request ownership of a permit –They are given tools for managing it –They decide when to assign or revoke a permit for a particular user

Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors. Group Authorization Users at Cornell are often put into “groups” –Students –Staff –Chess Club Members These groups can be big or small

Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors. Group Authorization (cont) Some are maintained by central IT staff –Who are the students? –Who are the staff? Others are maintained at a departmental level –Who are the Human Ecology students? –Who can download certain licensed software?

Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors. Back to the Permit Server The permit server allows us to create these groups It houses a simple key-value database where the “key” is the group identifier and the “value” is the list of Kerberos principals (NetIDs) associated with that group

Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors. Used by Applications A service or resource may be restricted to users who hold specific permits Various applications (including CUWebAuth, our Apache module for doing web based authentication) know how to query the permit server and thus utilize the central authorization system Application administrators can choose to utilize centrally maintained permits, or they may opt to administer their own permit

Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors. With plenty of elbow grease Regardless of whether or not a permit is centrally or locally maintained, the permit is maintained manually Home grown provisioning scripts cause a basic set of permits to be issued when IDs are created Regularly scheduled “clean up” processes are in place to remove permits when a user’s association with the university changes (student graduates, student changes to employee, employee changes to student, or termination)

Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors. And tribal knowledge Aside from the centrally maintained permits, all permit “owners” are responsible for issuing permits to new members of a group and removing them when appropriate Currently there is no capability of automatically populating permits based on directory information

Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors. Furthermore… Cornell has multiple datamarts and would like to make available roles and row level authorization information for use by reporting tools (Brio, for example) without having to store this information in each individual datamart An Authorization Directory is a logical repository for this information

Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors. And… Some staff at Cornell make a practice of sharing their NetID passwords because there are no mechanisms for designating proxies to act in their place This is a significant security risk and will soon be counter to University policy

Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors. Also… It may be desirable to do negative authorizations. For example, an institution may want to offer a service to all active students within the United States due to export or other laws Identifying and excluding the smaller group (say, those in Transylvania) may be the way to do the authorization

Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors. And while we’re at it.. As the institution evolves its identity management infrastructure, but before it is prepared to implement privilege management systems, it may be desirable as an interim step to have templates for documenting business rules for authorization –This should keep us busy for awhile : ) Then when the institution is positioned to implement this piece of the infrastructure, the work of defining the business rules will have been largely completed

Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors. Right now we are Considering two directories: –One for public white page information which includes user-modified attributes –A second, separate directory, for the purpose of Authorization and doing other interesting stuff Whether two directories is a solution, or a migration path, will likely be a lively debate We’re here looking for some good ideas..

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.