Privilege Management with Signet: Steps to an Application Keith Hazelton University of Wisconsin-Madison Internet2 MACE Broomfield, Colorado 1-July-04.


UW-Madison ASAP (Access to Systems Authorization Process)
–This project was chosen because it has a manageable scope for discussion purposes
–It uses pre-Version 1.0 Signet deliverables from Phases 1-3. See the draft Signet Toolkit Roadmap: internet2-mace-signet-roadmap-00.html

ASAP (Access to Systems Authorization Process) Vision
–The current system for granting access to our enterprise systems (3270 transactions, ISIS, etc.) is a laborious paper routing system.
–This system relies on one person (Karen L.) to route paper authorization forms to all data custodians, and on all data custodians "signing off" on every request.
–The ASAP system would replace the paper routing system with a web-based workflow engine.

ASAP (Access to Systems Authorization Process)
See the draft Privilege Management Recipe at
–“PM separates the management of privileges from the interpretation or application of them.”
–“It does this through a central, shared repository of privilege information where privileges can be managed independent of any specific system or technology that needs it.”

ASAP workflow (diagram, built up over six slides): Grantor, Custodian, Employee, Biz Func

ASAP
A workflow process for granting access to applications appropriate to an employee’s business functions
Workflow steps (happy path):
–Grantor assigns a business function to an employee, but the function has entitlements that require approval by a data custodian (a prerequisite)
–Entitlements needed by the employee to perform the business function are approved by the data custodian
–Employee is granted appropriate access in all relevant systems

Business Function
Per Privilege Management Recipe:
–“Somewhere between a job which has many responsibilities, and a system permission to perform an operation such as updating a table in a database.”
Example Business Functions in ASAP:
–Departmental HR administration
–Course Timetable administration
–Financial Aid administration

Entitlement
Per Privilege Management Recipe:
–“The atomic units of authority control, representing specific operations...”
Example Entitlements in ASAP for Departmental HR Administration:
–Hiring
–Reclass
–Maintain leave information

Implementing ASAP
Analysis task one: Define the suite of business functions and their entitlements
–Make the implicit explicit: Departmental HR people do Staff Management. Oh, and Leave and Benefits admin.
–Make the specific more general: Department-level and College-level HR staff business functions really differ only in scope of authority
–Specify the entitlements needed to perform each business function
–Specify limits and prerequisites on entitlements

Implementing ASAP: A Wrinkle
Analysis task two: How to handle the two-step process of grant from above and approval by custodian
One Signet-based approach:
–Grant to custodians all the access entitlements within the scope of their area of custodianship
–Now custodians can grant subsets of their privileges to employees
–Employees get all they need from the union of privileges from the original grantor and the custodian

Implementing ASAP
Development task one: Design and deploy a registry for the organizational hierarchy
–For us, this would be based on the widely used UDDS codes (Unit, Division, Department and SubDepartment)
Development task two: Deploy Signet and wire it to infrastructure including person and organizational registries

Implementing ASAP with Signet: Bootstrap Phase
–Implementation task one: Business analyst enters defined business functions and assigns initial bootstrap grantor
–Task two: Bootstrap grantor delegates privileges to other grantors including custodians (grant-only flavor when appropriate vs. grant and/or exercise)

Approaching ASAP via Signet
–Design so that the grantor uses Signet to grant business functions to employees (but with the prerequisite of custodial approval)
–This adds items to the Signet assignment document(!) such as “Give Joanne the entitlements she needs to perform the job function of departmental HR administrator in the Molecular Biology Department”

Approaching ASAP via Signet
–The ASAP development team designs a component that regularly scans the Signet assignment document for entitlements that need data custodian approval, formats approval requests, and puts them in the workflow queue
–The data custodian grants the needed privileges
–After approval, the prerequisite is updated in Signet (via API!)

Approaching ASAP via Signet
–The employee’s privilege document now shows their new entitlements with prerequisites met
–Through provisioning, these entitlements flow to the applications and systems in question
–The employee has access to all the screens and data views they need
–Karen L. can go back to her friends in the woodlands
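The two-step grant from the "Wrinkle" slide and the scan/approve/privilege-document sequence of the last three slides, as an added example that is not Signet's own code: grantors assign business functions, custodians hold their entitlements grant-only and may approve only within that custodianship, and the privilege document shows only entitlements whose prerequisite is met. The row layout, function names and sample data are assumptions.

```python
from dataclasses import dataclass
# Constructed sample: business functions and the entitlements they require.
BUSINESS_FUNCTIONS = {
    "departmental-hr-admin": ("hiring", "reclass", "maintain-leave"),
}

@dataclass
class Assignment:            # one row of an assumed Signet-style assignment document
    grantee: str
    entitlement: str
    scope: str               # organizational unit, e.g. a department
    grantor: str
    can_grant: bool          # grant-only flavor vs. grant and/or exercise
    can_exercise: bool
    approved: bool           # the prerequisite: data custodian approval

class AssignmentDocument:
    def __init__(self):
        self.rows = []

    def bootstrap_custodian(self, custodian, entitlement, scope):
        # Custodian holds the entitlement grant-only within their custodianship.
        self.rows.append(Assignment(custodian, entitlement, scope, "bootstrap",
                                    can_grant=True, can_exercise=False, approved=True))

    def grant_function(self, grantor, grantee, function, scope):
        # Grantor assigns a business function; each entitlement awaits approval.
        for ent in BUSINESS_FUNCTIONS[function]:
            self.rows.append(Assignment(grantee, ent, scope, grantor,
                                        can_grant=False, can_exercise=True, approved=False))

    def pending_approvals(self):
        # What the ASAP scanner picks up and routes to the workflow queue.
        return [r for r in self.rows if not r.approved]

    def approve(self, custodian, grantee, entitlement, scope):
        # A custodian may only approve what lies within their own grant-only holdings.
        held = any(r.grantee == custodian and r.entitlement == entitlement
                   and r.scope == scope and r.can_grant for r in self.rows)
        if not held:
            raise PermissionError(f"{custodian} is not custodian of {entitlement} in {scope}")
        for r in self.rows:
            if (r.grantee, r.entitlement, r.scope) == (grantee, entitlement, scope):
                r.approved = True

    def privilege_document(self, grantee):
        # Effective privileges: only entitlements whose prerequisite is met.
        return sorted((r.entitlement, r.scope) for r in self.rows
                      if r.grantee == grantee and r.can_exercise and r.approved)
```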

Enhancing ASAP via Signet
–Auto-provisioning of application-level access controls based on the privilege document
–Move to an event bus approach to route “privilege management events” to subscribing apps to approach near-real-time PM
–…

Q & A