A Model for Enterprise Group and Affiliation Management RL “Bob” Morgan University of Washington CAMP, June 2005.
2 Topics
- System models, information models
- Registry model
- Groups, affiliations, roles, privileges

3 Institutional Info Space
- Each person’s online activities are shaped by many Sources of Authority (SoAs): resource managers, program/activity heads, other policy-making bodies, and the person themselves
- The challenge is coordination: many applications, many models, many flows, many orgs; middleware provides the coordination venue
- Our principal weaponry: centralized registries, distributed delegated management

4 SoA Flow

5 Management info flow

6 Registry model
- Coordination point for key institutional data
- Well-defined, well-identified objects; standardized naming and attributes
- Managed lifecycle, clear ownership
- Institution-wide, with controlled access via UI
- Accepts feeds from input systems of record (SoR); often also the SoR for some objects/attributes
- Output feeds to apps and publishing points (LDAP): provisioning, connectors, real-time services, etc.

7 Modeling of registry-managed information
- Relationships among basic constructs: person, org, group, role, affiliation, privilege...
- Lives behind representations in many venues: user tables in myriad apps, central registry / warehouse tables, LDAP directory schema, SAML attribute definitions, XML document schema/DTD

8 A Party-based info model

9 Person-stuff management
- Identity / Affiliation: person registry, e.g. ... ?
- Group: group registry, e.g. Grouper
- Privilege: privilege registry, e.g. Signet
- Other registries: Organization, Application, Host...
- Note overlapping areas...

10 Person-stuff venues
- Affiliation: tightly person-linked, relatively few of them, driven by core institutional processes
- Group: wide range from “official” to “ad hoc”; lots of them, for many purposes
- Privilege: driven by apps or functional areas; narrower scope, richer content

11 Enterprise Affiliations (isn't “faculty” just a group? people ask...)
- Top-level set of “connections” to the institution
- Relatively few: 5 minimum to 15 maximum
- May have affiliation qualifiers, e.g. student:undergrad
- Many “members” of each affiliation
- Already in use for many policies/authorizations
- Likely to have useful lifecycle characteristics, e.g. student: prospect, applicant, admitted, enrolled, former
- Affiliations at lower levels? e.g. ...

12 Affiliation integration
- Top-level understanding of “who users are”, e.g. tabs in an institutional portal
- Basic population units in other apps
- Reflected as groups in the group registry, e.g. student:undergrad:enrolled

13 Groups
- Simple primitive with very wide applicability: subject is member of named collection (membership types? starts to look like affiliation)
- Official vs ad hoc; or is it process-driven vs manual, or institutional vs personal?
- Names and namespaces: many contexts for group objects (organizational, application, personal, platform); need an organization registry to make it work?

14 Groups and “appness” apps imply

15 Roles?
- Least well-defined concept (in I2MI at least)
- Institutional business-level roles: high-level, org-chart driven, e.g. “dean”, “director”; widespread lower-level functions, e.g. “hiring coord”; tend to be the starting point of analysis, not the end-point
- Role as defined in RBAC: named element aggregating a privilege set and its holders; hence the linkage point between group registry and privilege registry
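The affiliation lifecycle and qualifier namespace of slides 11 to 13, and the RBAC linkage of slide 15, as one added example in Python. This is illustration written for this page, not code from the talk, from Grouper or from Signet. Every person, group, role, application and privilege name in it is constructed sample data; the choice that only the “enrolled” state places a student in the population groups (“student”, “student:undergrad”), and the rule that affiliation-derived groups cannot be hand-edited, are assumptions made for the example, not policy stated on the slides.

```python
"""Toy registry model: affiliations with lifecycle state are reflected into a
colon-separated group namespace, manually managed groups share that namespace,
and RBAC roles bind a holder group to a privilege set. Added example with
constructed data; not UW, Internet2, Grouper or Signet code."""
from __future__ import annotations
from dataclasses import dataclass

# Lifecycle states for the 'student' affiliation, as listed on slide 11.
STUDENT_LIFECYCLE = ("prospect", "applicant", "admitted", "enrolled", "former")

# Assumption for this example: only these states make someone a current member
# of the affiliation's population groups. 'former' keeps its own fully
# qualified group (so policy can address former students) but confers no
# current-student standing.
ACTIVE_STATES = {"enrolled"}


@dataclass(frozen=True)
class Affiliation:
    kind: str       # top-level connection to the institution, e.g. "student"
    qualifier: str  # optional refinement, e.g. "undergrad"; "" if none
    state: str      # lifecycle state, e.g. "enrolled"

    def path(self) -> list[str]:
        return [p for p in (self.kind, self.qualifier, self.state) if p]


class Registry:
    """In-memory stand-in for the person, group and privilege registries."""

    def __init__(self) -> None:
        self.affiliations: dict[str, set[Affiliation]] = {}  # person -> affiliations
        self.groups: dict[str, set[str]] = {}                # group name -> members
        self.derived: set[str] = set()                       # groups owned by derive_groups()
        self.roles: dict[str, tuple[str, frozenset[str]]] = {}  # role -> (holder group, privs)

    # --- person registry: affiliation records arrive from the system of record ---
    def set_affiliation(self, person: str, aff: Affiliation) -> None:
        if aff.kind == "student" and aff.state not in STUDENT_LIFECYCLE:
            raise ValueError(f"unknown student lifecycle state {aff.state!r}")
        affs = self.affiliations.setdefault(person, set())
        # One record per (kind, qualifier): a state change replaces the old record.
        affs.difference_update({a for a in affs if (a.kind, a.qualifier) == (aff.kind, aff.qualifier)})
        affs.add(aff)
        self.derive_groups()

    # --- group registry ---
    def derive_groups(self) -> None:
        """Reflect affiliations into the group namespace (slide 12), rebuilding every
        derived group from scratch so a stale membership cannot linger."""
        for name in self.derived:
            self.groups.pop(name, None)
        self.derived.clear()
        for person, affs in self.affiliations.items():
            for aff in affs:
                path = aff.path()
                self._add_derived(":".join(path), person)       # e.g. student:undergrad:enrolled
                if aff.state in ACTIVE_STATES:
                    for i in range(1, len(path)):               # e.g. student, student:undergrad
                        self._add_derived(":".join(path[:i]), person)

    def _add_derived(self, name: str, person: str) -> None:
        if name in self.groups and name not in self.derived:
            raise ValueError(f"{name} already exists as a manually managed group")
        self.derived.add(name)
        self.groups.setdefault(name, set()).add(person)

    def add_manual_member(self, group: str, person: str) -> None:
        """Ad hoc groups share the namespace but are not fed from affiliations."""
        if group in self.derived:
            raise ValueError(f"{group} is derived from affiliations; change the source record instead")
        self.groups.setdefault(group, set()).add(person)

    def is_member(self, person: str, group: str) -> bool:
        return person in self.groups.get(group, set())

    # --- privilege registry: roles in the RBAC sense of slide 15 ---
    def define_role(self, role: str, holder_group: str, privileges: set[str]) -> None:
        self.roles[role] = (holder_group, frozenset(privileges))

    def privileges_of(self, person: str) -> set[str]:
        held: set[str] = set()
        for holder_group, privs in self.roles.values():
            if self.is_member(person, holder_group):
                held |= privs
        return held

    def has_privilege(self, person: str, privilege: str) -> bool:
        return privilege in self.privileges_of(person)


def build_sample() -> Registry:
    """Constructed sample data; none of these people, groups or apps are real."""
    reg = Registry()
    reg.set_affiliation("alice", Affiliation("student", "undergrad", "enrolled"))
    reg.set_affiliation("bob", Affiliation("student", "undergrad", "former"))
    reg.set_affiliation("dan", Affiliation("student", "grad", "admitted"))
    reg.add_manual_member("org:chem:hiring-coords", "carol")
    reg.define_role("student_portal", "student", {"portal:student-tab"})
    reg.define_role("hiring_coordinator", "org:chem:hiring-coords",
                    {"hr:post-position", "hr:view-applicants"})
    return reg


if __name__ == "__main__":
    reg = build_sample()
    for who in ("alice", "bob", "carol", "dan"):
        print(who, sorted(reg.privileges_of(who)))
    reg.set_affiliation("alice", Affiliation("student", "undergrad", "former"))
    print("alice after leaving:", sorted(reg.privileges_of("alice")))
```

The security point is the rebuild in derive_groups: when the system of record moves alice from enrolled to former, she drops out of “student” and “student:undergrad” on the next derivation, so the student_portal role stops applying without any per-application cleanup. An app that authorizes on the bare “student” group therefore never sees former or merely admitted students unless ACTIVE_STATES is widened on purpose, and a manual edit to a derived group is refused so that the registry, not a hand-maintained list, stays the source of truth.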

16 Example “group” UI from a popular image manager: ...
- Defines roles; user membership in a group is done via the User UI...
- Infra concepts have to be mapped to app functions

17 Conclusion
- Registry model: both a system integration model and an information model among registry objects
- Affiliations, groups, privileges are building blocks
- Many variations of these concepts in deployed systems; infrastructure must clarify and support them