Stanford University Authority Registry
Internet2 Virtual Briefing, December 12, 2001
Lynn McRae, Stanford University
Organization's Background: the presenter's role
– Technical lead of a five-person development team for infrastructure/integration development
– Project manager for interrelated Registry- and Directory-based projects
– Focus on information integration via Enterprise Registries

Organization's Background: computing environment
– Single campus; students, 8500 faculty/staff
– 600+ active subnets, registered nodes
– Sun/Solaris servers; diversity of desktop platforms
– Campus-wide authentication via Kerberos
– Single campus-wide identifier namespace (SUNet IDs)
– Enterprise databases: Oracle (administrative), Sybase (infrastructure)
– Campus-wide file system (AFS)
– Enterprise e-mail (POP and IMAP)
– Enterprise directories for "whois" and infrastructure
– "Schizophrenic": administrative vs. academic computing

Organization's Background: key projects and systems
– Major administrative systems replacement:
  PeopleSoft student system, Fall 2001
  PeopleSoft HR system, Winter 2002
  Oracle Financials, Fall 2002
– Authority Registry
– Organization, Account, Course, Facilities Registries
– Portal, Enterprise Calendar
– Windows 2000
– New faculty/academic mission

Organization's Background: key integration issues
– Data integration: Person (ongoing), Organization
– Authority/security integration
– Namespace, single sign-on, other systems/users
– UI integration for self-service applications

Authority Model: Objectives and Scope
Simplification
– Authority "at a glance"
– Designed from the business perspective, not the system perspective
Consistency
– Single implementation of policy, common data and rules
– Different applications and services use the same Authority information in the same way
Automated life-cycle management
– Automatic activation/inactivation
– Notification
– Audit, history

Authority Model: Concepts and Components
An Authority Registry is a managed repository of authority assignments, not an Authority System. Authority is defined first in business terms, without reference to any specific system or application. The Authority Registry separates the user-visible portions of authority management, expressed in business terms, from internal system components, expressed in technical terms. Applications must read the authority information and translate it into local terms.

Authority Model: Concepts and Components (diagram)

Authority Model: The Details
Functions
– The basic unit of business work. A person's job consists of one or more Functions.
– Authority assignments are made at the Function level.
– Functions consist of one or more Tasks.
Tasks
– A discrete unit of work, typically one piece of what is needed to accomplish a Function.
– Represent a set of privileges that must be set together.
– Are reusable across Functions.

Authority Model: The Details
Entitlements
– The atomic unit of authority control.
– An abstraction of system-specific privileges, but not expressed in any one system's language.
– What applications read in order to set their internal security.

Authority Model: More Details
Scope
– Something to which authority is bound, such as a department or budget.
– Department definitions and hierarchy are critical.
– Enables distribution of authority management.
– "Smart parms"
Conditions
– Provide life-cycle management.
– Bound to scope, e.g., while at Stanford; as long as in the current department.
– Or date-based, e.g., from 12/01/01 until 12/31/01.

Authority Model: More Details
Prerequisites
– Like conditions, but must be satisfied before the authority can be enabled.
Limits
– Constraints on the use of authority, e.g., dollar limits.
– Special built-in limits: read-only, self-only, not-self.
Delegation

Authority Model: More Details
Example:
– As soon as you take the training (prerequisite)
– you can manage financial aid (function)
– for undergraduates (limit, smart parm)
– in the School of Engineering (scope)
– as long as you are in the Dean's office (condition).

Authority Model: The Details
Implementation
– Web-based UI for authority assignment and lookup
– Integrated with Stanford.You (self-service application) so individuals can see their own authority
– Integrated with the Organization Manager application so departments can review all authority at their level

Authority Manager (screenshots)

Authority Model: Integration
Integration with other systems
– The combination of authority, context, limits, etc. is a net set of "privileges": an XML Privileges document.
– Applications access the Document Server via https.
– Some privileges are reflected as a privgroup attribute in an individual's directory entry.
– Other directory representations are planned, but not soon.

Authority Model: XML document

  <principal roid="person/64ec5fa6e7701d1830c246000baa77" sunetid="jdoe" univid="">
    Doe, Jane
    <privilege entitlement="student_admissions:manage_applicant">
      <scope roid="organization/000cf6f0003ede39a22108ab400b0baa77" systemid="gsb" orgid="UAAA">
        Graduate School of Business ASLO
      </scope>
    </privilege>
  </principal>
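The following is an added example, not Stanford's code and not the real Authority Registry's data model. It shows how the concepts from the preceding slides (Function rolling up to Tasks and Entitlements; Scope; Prerequisite; scope-bound and date-based Conditions; Limits) can be resolved into the "net set of privileges" that the XML Privileges document carries, using the principal, scope and entitlement values from the slide above. The Function/Task/Entitlement metadata, the training code, the department names, the `<limit>` element and the privgroup value format are assumptions made for illustration.

```python
"""Added example (not Stanford's code): resolve Authority Registry assignments
into a net privileges document. Registry metadata, training code, department
names, the <limit> element and the privgroup value format are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
from xml.etree import ElementTree as ET

# Constructed metadata: a Function rolls up Tasks, a Task rolls up Entitlements.
# Applications only ever see the entitlement strings.
FUNCTIONS = {"Manage Admissions": ["Review Applicant", "Decide Applicant"]}
TASKS = {
    "Review Applicant": ["student_admissions:view_applicant"],
    "Decide Applicant": ["student_admissions:view_applicant",
                         "student_admissions:manage_applicant"],
}

@dataclass
class Assignment:
    function: str
    scope: dict                                   # roid/systemid/orgid/name
    prerequisites: list = field(default_factory=list)  # e.g. training codes
    condition_dept: Optional[str] = None          # "as long as in department X"
    valid_from: Optional[date] = None             # date-based condition
    valid_until: Optional[date] = None
    limits: dict = field(default_factory=dict)    # e.g. population, dollar limit

@dataclass
class Person:
    roid: str
    sunetid: str
    name: str
    department: str
    completed_training: set
    affiliated: bool = True                       # "while at Stanford"

def assignment_active(p: Person, a: Assignment, today: date) -> bool:
    """A prerequisite gates enabling; conditions drive automatic inactivation."""
    if not p.affiliated or a.prerequisites and not set(a.prerequisites) <= p.completed_training:
        return False
    if a.condition_dept and p.department != a.condition_dept:
        return False
    if (a.valid_from and today < a.valid_from) or (a.valid_until and today > a.valid_until):
        return False
    return True

def net_privileges(p: Person, assignments: list, today: date) -> dict:
    """Expand active assignments to entitlements keyed by (entitlement, scope roid)."""
    privs = {}
    for a in assignments:
        if not assignment_active(p, a, today):
            continue
        for task in FUNCTIONS[a.function]:
            for ent in TASKS[task]:
                entry = privs.setdefault((ent, a.scope["roid"]), {"scope": a.scope, "limits": {}})
                entry["limits"].update(a.limits)   # limits apply to the whole Function
    return privs

def privileges_document(p: Person, privs: dict) -> str:
    """Emit the net privileges in the shape of the slide's XML document."""
    root = ET.Element("principal", roid=p.roid, sunetid=p.sunetid)
    root.text = p.name
    for (ent, _), info in sorted(privs.items()):
        priv = ET.SubElement(root, "privilege", entitlement=ent)
        for name, value in sorted(info["limits"].items()):
            ET.SubElement(priv, "limit", name=name, value=str(value))
        sc = info["scope"]
        scope_el = ET.SubElement(priv, "scope", roid=sc["roid"], systemid=sc["systemid"], orgid=sc["orgid"])
        scope_el.text = sc["name"]
    return ET.tostring(root, encoding="unicode")

def privgroup_attributes(privs: dict) -> list:
    """Flattened values of the kind a directory privgroup attribute could carry (assumed format)."""
    return sorted(f"{ent}:{info['scope']['orgid']}" for (ent, _), info in privs.items())

# Constructed scenario built around the principal and scope from the XML slide.
GSB = {"roid": "organization/000cf6f0003ede39a22108ab400b0baa77",
       "systemid": "gsb", "orgid": "UAAA", "name": "Graduate School of Business"}

def build_case(today_iso="2001-12-12", trained=True, dept="Dean's Office"):
    jane = Person("person/64ec5fa6e7701d1830c246000baa77", "jdoe", "Doe, Jane",
                  dept, {"ADM-101"} if trained else set())
    grant = Assignment("Manage Admissions", GSB, prerequisites=["ADM-101"],
                       condition_dept="Dean's Office", valid_from=date(2001, 12, 1),
                       valid_until=date(2001, 12, 31), limits={"population": "undergraduate"})
    return jane, [grant], date.fromisoformat(today_iso)

def demo(**kw) -> dict:
    jane, grants, today = build_case(**kw)
    return net_privileges(jane, grants, today)

def demo_document(**kw) -> str:
    jane, grants, today = build_case(**kw)
    return privileges_document(jane, net_privileges(jane, grants, today))

if __name__ == "__main__":
    print(demo_document())
    print(privgroup_attributes(demo()))
    print("not yet trained:", demo(trained=False))
    print("left the department:", demo(dept="Registrar"))
```

Note that the same assignment yields an empty privileges document when the prerequisite is unmet, when the person has left the conditioning department, or when today falls outside the date window: an application that re-reads the document gets the inactivation for free, which is the life-cycle management the slides describe.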

Authority Model: Roles?
Despite other successes, "Roles" themselves have yet to be implemented.
– The design is for organizational roles.
– The new HR system opens possibilities for institutional roles; debate over how many, how broadly applicable, whether tied to jobs or billets, etc.
– Wide diversity in what constitutes a given role: schools vs. big departments vs. small departments.
– Fear factor.

Authority Model: Roles?
Possibilities
– De facto roles: "granting" power for heads of organizations, instructors, Principal Investigators
– System roles: system owner, central office
– Local, departmental roles
– Acting "in role" is not planned (not supported across applications)
– Nesting of roles?

Authority Model: Roles?
Do we need roles?
– Functions offer a level of roll-up that has been called "mini roles".
– Partly because of business simplification.
– Student authority: Administer Financial Aid; Manage Admissions; Manage Student Records; Manage Student Financials.

Authority Model: Roles?
– Human Resources authority:
  HR, Benefits: Allocate Labor Costs; Manage HR Records; Manage HR Positions; Manage Faculty Status
  Payroll: Manage Payroll; Process Payroll; Manage Leave Information; Manage Timesheet Information

Authority Model: Roles?
Do we need roles? (cont.)
– Features that de-emphasize roles, e.g., copying or transferring authority.
– Workgroups offer "poor man's roles".
– Plan to offer user/department-defined roles:
  In the context of the Organization Manager
  Life-cycle management parallels authority
  Allows re-use of roles outside of authority, e.g., authorize the Board of Trustees, send to the Board of Trustees, print a list of the Board of Trustees in the directory

Authority Model: Greatest Challenges
Business
– Cultural shift to a new paradigm
– Allocation of sufficient and/or proper resources in project plans
– Aggressive application deployment schedules focused on core function, not integration
– Sense of partnership beyond the design phase (both ways)
– Higher investment costs for participation in lieu of local solutions
– Shared entitlements
Technical
– Integration with vendor/packaged systems
– New technologies, still fragile
– Vendor integration support limited, proprietary or not applicable
– Package security cannot necessarily support the expressed authority