KIM: Kuali Abstraction Layer for Identities, Groups, Roles, and Permissions.

Slides:

Advertisements

Similar presentations

© 2006 Open Grid Forum OGF19 Federated Identity Rule-based data management Wed 11:00 AM Mountain Laurel Thurs 11:00 AM Bellflower.

Advertisements

Design Validation CSCI 5801: Software Engineering.

CASE STUDIES Indiana University University of California, Davis University of Maryland San Joaquin Delta College University of Arizona University of Washington.

KS Authorization Weixia (Bonnie) Huang Feb 19, 2013.

6 th Annual Focus Users’ Conference 6 th Annual Focus Users’ Conference Profiles and User Permissions Presented by: Josh Mostyn Presented by: Josh Mostyn.

UDDI v3.0 (Universal Description, Discovery and Integration)

Program Management Portal: Overview for the Client

Kuali Identity Management: Introduction and Implementation Options Jasig - Spring 2010 Wednesday, March 10, :30 am.

Introduction to Kuali Rice ITANA Screen2Screen: Kuali on Campus May 2009 Eric Westfall – Kuali Rice Project Manager.

An Open Source Google Apps Integration (Bboogle) Patricia Goldweic, Sr. Software Engineer, Northwestern University.

KUALI ENTERPRISE WORKFLOW OVERVIEW Eric Westfall.

Edoclite and Managing Client Engagements What is Edoclite? How is it used at IU? Development Process?

SharePoint 2010 Permissions Keith Tuomi. profile KEITH TUOMI SharePoint Consultant / Developer at itgroove Developing Online Systems since years.

Kuali Rice at Indiana University Important Workflow Concepts Leveraged in Production Environments July 29-30, 2008 Eric Westfall.

Copyright © 2008 Accenture All Rights Reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture. Andrew Stone Common Security.

Computer Monitoring System for EE Faculty By Yaroslav Ross And Denis Zakrevsky Supervisor: Viktor Kulikov.

Web Servers How do our requests for resources on the Internet get handled? Can they be located anywhere? Global?

© 2004, The Trustees of Indiana University 1 OneStart Workflow Basics Brian McGough, Manager, Systems Integration, UITS Ryan Kirkendall, Lead Developer.

1 Data Strategy Overview Keith Wilson Session 15.

Rapid Development of Workflow-enabled Forms using eDocLite

Implementing Kuali Identity Management at your Institution Kuali Days VIII San Antonio Texas Pre-conference Workshop Monday, November 16, a.m. -

Windows.Net Programming Series Preview. Course Schedule CourseDate Microsoft.Net Fundamentals 01/13/2014 Microsoft Windows/Web Fundamentals 01/20/2014.

Introduction to Kuali Rice Presented at Internet2 April 2009 Eric Westfall – Kuali Rice Project Manager Bill Yock – Vice Chair, Kuali Rice Board of Directors.

Technical Overview of Kuali Rice UC Davis, Information & Educational Technology January 2009.

B USINESS LAYER SAMANVITHA RAMAYANAM 4 th MARCH 2010 CPE 691.

Kuali Rice Technical Overview February Components of Rice  KEWKuali Enterprise Workflow  KNSKuali Nervous System  KRADKuali Rapid Application.

1 Kuali Identity Management Advanced CAMP: Identity Services Summit for Higher Ed Open / Community-Source Projects.

Kuali Enterprise Workflow Kuali Days – May 2008 Eric Westfall - Indiana University.

NAMS Account Activation Training. 2 What is NAMS? The NASA Account Management System is NASA’s centralized process for requesting and maintaining accounts.

Kuali Rice at Indiana University Rice Setup Options July 29-30, 2008 Eric Westfall.

What is Architecture  Architecture is a subjective thing, a shared understanding of a system’s design by the expert developers on a project  In the.

Eric Westfall – Indiana University Jeremy Hanson – Iowa State University Building Applications with the KNS.

Rice Status Update University of California July 20, 2009 Eric Westfall – Kuali Rice Project Manager.

Module 5: Planning a DNS Strategy. Overview Planning DNS Servers Planning a Namespace Planning Zones Planning Zone Replication and Delegation Integrating.

RECALL THE MAIN COMPONENTS OF KIM Functional User Interfaces We just looked at these Reference Implementation We will talk about these later Service Interface.

Identity Management Access control / access management

OHT 11.1 © Marketing Insights Limited 2004 Chapter 9 Analysis and Design EC Security.

Kuali Enterprise Workflow Eric Westfall (Indiana University) Aaron Hamid (Cornell University)

INTEGRATION WITH OTHER IDM SOLUTIONS Remember… The primary goal of KIM was to build a service- oriented abstraction layer for Identity and Access Management.

PIV 1 Ketan Mehta May 5, 2005.

Kuali Enterprise Workflow Presented at ITANA October 2009 Eric Westfall – Kuali Rice Project Manager.

KUALI IDENTITY MANAGEMENT Provides services for Identity and Access Management in Kuali Integrated Reference Implementations User Interfaces An “integration.

Obtaining Help for Pharmacy Issues. Sign up for the Pharmacy ListServ Send a message to DO NOT add.

Obtaining Help for Pharmacy Issues and Submitting Enhancements 1.

Building Applications with the KNS. The History of the KNS KFS spent a large amount of development time up front, using the best talent from each of the.

1 Schema Registries Steven Hughes, Lou Reich, Dan Crichton NASA 21 October 2015.

Kuali Enterprise Workflow Kuali Days – November 2008 Scott Gibson, University of Maryland Bryan Hutchinson, Cornell University James Smith, University.

M ODELING B USINESS P ROCESSES IN K UALI E NTERPRISE W ORKFLOW Eric Westfall – Indiana University Claus Niesen – Iowa State University.

Kuali Enterprise Workflow Ryan Kirkendall (Indiana University) Brian McGough (Indiana University)

M ODELING B USINESS P ROCESSES IN K UALI E NTERPRISE W ORKFLOW Eric Westfall – Indiana University Claus Niesen – Iowa State University.

Kuali Identity Management Overview. Why did we write KIM? Common Interface for Kuali Applications Provide a Fully-Functional Product A Single API for:

Module 6 Securing Content. Module Overview Administering SharePoint Groups Implementing SharePoint Roles and Role Assignments Securing and Auditing SharePoint.

Kuali Rice A basic overview…. Kuali Rice Mission First and foremost to provide a consistent development framework and common middleware layer for Kuali.

A Secure JBoss Platform Nicola Mezzetti Acknowledgments: F. Panzieri.

INFO1408 Database Design Concepts Week 15: Introduction to Database Management Systems.

Module 7 Planning and Deploying Messaging Compliance.

Kuali Identity Management: Introduction and Implementation Options Jasig - Spring 2010 Wednesday, March 10, :30 am.

© 2006, The Trustees of Cornell University © 2006, The Trustees of Indiana University Kuali Nervous System Aaron Godert, Kuali Development Manager Brian.

Kuali Rice: General Overview Brian McGough Kuali Rice Project Manager Kuali Lead Architect Director, Enterprise Software, IU May 13, 2008.

Claims-Based Identity Solution Architect Briefing zoli.herczeg.ro Taken from David Chappel’s work at TechEd Berlin 2009.

CTRP User Call November 13, 2013 Gene Kraus CTRP Program Director.

Page 1 of 42 To the ETS – Create Client Account & Maintenance Online Training Course Individual accounts (called a Client Account) are subsets of the Site.

Kuali Identity Management: Introduction and Implementation Options Jasig - Spring 2010 Wednesday, March 10, :30 am.

Eric Westfall KUALI ENTERPRISE WORKFLOW OVERVIEW.

What’s new with Grouper 26-April-2010, Spring Member Meeting Chris Hyzer, Grouper developer.

Building Preservation Environments with Data Grid Technology Reagan W. Moore Presenter: Praveen Namburi.

Using the Kentico CMS API Thom Robbins Bryan Soltis

1 A Look at the Application Authorized users can access Communicator! NXT from any Internet-capable computer via the Web.

Implementing Kuali Identity Management at Your Institution

Overview of MDM Site Hub

Presentation transcript:

KIM: Kuali Abstraction Layer for Identities, Groups, Roles, and Permissions

What is (and isn’t) KIM?

3 What is KIM? New module in Kuali Rice version 1.0 Common Interface and Service Layer Integrated Reference Implementation Set of User Interfaces KIM is not just Identity Management, it’s also Access Management

4 What KIM is Not A Full-Fledged Identity Management System Provisioning Hooks to update other systems Duplication Management An Identity Aggregator An Authentication Implementation

Why Did We Create KIM?

6 Motivations Expansion of Kuali Common Identity Management API Consistent Authorization Implementation

7 What we did not want KF S KC KS IDM

8 What we did want KF S KC KS KI M

9 Design Considerations Existence of Other IdM Solutions Legacy/Existing Implementations Replaceable Services Separation of Concerns Service Bus Maintenance GUIs

KIM Terminology

11 KIM Terminology Namespace Entity Principal Principal ID Principal Name Person Entity Type

12 KIM Terminology Group Role Qualifier Permission / Permission Template Responsibility / Responsibility Template

13 Namespace Prevent Naming Conflicts Allow for Permissions to be Segmented Examples: KR-KNS KR-WRKFLW KFS-SYS KFS-AP KC-SYS

14 Entity Principal Principal ID Principal Name Entity Type Names Addresses Phone Numbers Addresses

15 Group Namespace Group Type Attributes

16 Role Namespace Role Type Qualifiers Role Type Services Delegations Primary Secondary

17 Permission / Permission Template Permission Template Permission Permission Details Permission Type Service Assigned to Roles

18 Responsibility / Responsibility Template Responsibility Template Review Resolve Exception Responsibility Responsibility Details Responsibility Type Service Assigned to Roles

KIM Services

20 Components Service Interface API KNS-Based Default Implementation Functional Maintenance User Interfaces

21 KIM Services Authentication Service Identity Service Group Service Role Service Permission Service Responsibility Service

22 Authentication Service Provides authentication at the web tier of an application Informs the application of the principal name that has authenticated Default implementation just uses the “remote user” on the HTTP request Only one service operation Get principal name

23 Identity Service Responsible for Principals and Entities Principals have a “name” which is intended to be the user name they use to authenticate All principals are associated with an entity There can be different types of entities, including Person and System Entities can have custom attributes and IDs attached to them

24 Identity Service Numerous pieces of data can be stored about an entity including: names, affiliations, external ids, employment information, address, phone, , privacy preferences (FERPA), etc. Example Service Operations: Get principal by id Get principal by principal name Get entity info by id Get entity info by principal id Get entity privacy preferences

25 Group Service All groups identified uniquely by id or namespace + name Supports nested groups Groups can also have custom attributes associated Example Service Operations: Get group by id Get group by name Get groups for principal Is member of group Get member group ids

26 Role Service Roles can have members that are principals, groups or even other roles All members assigned to a role will be granted any permissions or responsibilities that are associated with the role Role membership can optionally be qualified Example Service Operations: Get role by name Get role qualifiers for principal Get role members

27 Permission Service KIM has the concepts of Permission Templates and Permissions Permission Template represents some course-grained permission Use Screen, Initiate Document, Maintain Records, etc. A Permission is created from a template and has more specific information identified on it’s permission details for example “Initiate Document” of type “Transfer of Funds”

28 Permission Service Evaluation of permissions is handled by the permission service. KIM provides plug points for implementing custom logic for permission checking Example: permission checks based on hierarchical data Example Service Operations: Is principal authorized by permission name with details Is principal authorized by permission template name with details Get assignees for permission Get authorized permissions for principal Get ids of roles that have given permission

29 Responsibility Service Provides integration of KIM with workflow engine via Responsibility Actions These define what actions the principal needs to take (i.e. approve, acknowledge, fyi) on workflow processes Responsibility details identity when these actions are applied during the routing process Responsibility Actions also provide delegation support (for both routing and permission delegation) Example Service Operations: Get responsibilities by name Get responsibility actions Get responsibility actions by responsibility template Does principal have responsibility

30 More KIM Services Identity Management Service Role Management Service Person Service Identity Archive Service “Update” Services

31 KIM Service Architecture

32 Role Types Name Attributes Service Name

33 Role Type Services Role Behavior Matching of Attributes Validation of Attributes Handling of Contained Roles Application Roles

34 Questions? Web Site: Docs: