Moving Forward in Stages
Tom Barton, University of Chicago
Copyright Tom Barton, This work is the intellectual property of the author. Significant portions are the intellectual property of Lynn McRae. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Identity Management is Strategic - Proceed in Stages
Stage 1 – Baseline identity integration
–Integrate identities from Systems of Record
–Common username & login credentials
–At least one attribute for differential access
Stage 2 – Enriching identity through groups
–Users (departments, projects, individuals) define populations through membership in groups
–Carried through central infrastructure to enhance services
Stage 3 – Policy control by privilege management
–Set/view privileges across systems
–Adjust privileges to change in role and status
–Decentralized control of centralized infrastructure
Baseline Identity Integration Objective
(Diagram) From siloed: application 1 through application N each carry their own authN and attributes. To integrated: application 1 through application N share a common authentication service and attribute service.
Identity & Access Management: Functional Vocabulary
Verb – Objects
Reflect – Data of interest from systems of record into registry, directory
Join – Identity information across systems
Manage – Credentials, group memberships, affiliations, privileges, services, policies
Provide – IAM info via relay thru run-time request/response, or via provisioning into App/Service stores
Authenticate (AuthN) – Claimed identities
Authorize (AuthZ) – Access or denial of access
Log – Usage for audit
Increasing Utility of Commercial Tools
Recent increase in campuses choosing
–Microsoft
–Novell
–Oracle
–Sun
NSF Middleware Initiative projects in this space
–OM (Open Metadirectory – Umeå University)
–Nexus (Provisioning – University of Memphis)
But many campuses still choose to build
Process & Organizational Tools
Systems analysis
–What business processes might produce desired info?
–Where does/can it enter the IT infrastructure?
–Do actual semantics fit the perceived value?
Policies & governance processes
Few Off-The-Shelf Tools for Stages 2-3
No commercial products, really
A few campus-built distributed group or privilege management solutions
–Not packaged for implementation elsewhere
Ergo, the Grouper and Signet Projects
–V1.0+ releases, open source
Self-Identified Groups
(Diagram) Identity Management holds, from HR, The Boss with Affiliation: faculty, Dept: Biology. The Boss asks: "What about my team? …my project? …my senior staff?" Each application (WIKI, Lists, Calendar) separately defines and allows its own Bio-X group (spelled BIO_X, BioX and Bio-X respectively).
Reflect Groups Across Applications
(Diagram) Grouper holds biology:bio-x, biology:bio-x:admin and biology:bio-x:staff alongside the HR-sourced attributes of The Boss (Affiliation: faculty, Dept: Biology); WIKI, Lists and Calendar each allow Bio-X based on the centrally reflected group.
Missing TAs
(Diagram) Identity Management holds The Professor with Affiliation: faculty, Instructor: CS-313, sourced from HR and SIS Courses and relayed via Shib. CourseWare (CS-313 grades) allows CS-313; Library (CompSci resources) allows CS teaching; an External Partner allows CS affiliates. The Professor asks: "What about my TAs? … my auditors? … extensions/makeup?"
Enrich Course Membership
(Diagram) Same sources and applications as above, plus the Grouper group class:CS-313:TA; the relayed attribute becomes isMemberOf: CS-313 = SIS Courses roster ∪ class:CS-313:TA.
Extend Course Infrastructure
(Diagram) isMemberOf: CS-313 = SIS Courses roster ∪ class:CS-313:TA ∪ faculty:CS-313; CourseWare (CS-313 grades), Library (CompSci resources) and the External Partner are all served from the same HR, SIS Courses, Grouper and Shib infrastructure.
Non-Affiliated People
(Diagram) Sib Rula Lenska, Affiliation: ??? ("Friends are here from Europe!"). Guest IDs are the entry point. Applications and the affiliations each allows: Athletic Facilities (faculty, staff, student, guest), Printing (staff, guest), Blackboard (student, guest).
Provide Entitlements
(Diagram) Sib Rula Lenska now has Affiliation: guest. Grouper holds guestids:admin and guestids:guests; Signet holds the entitlements printing(max100), blackboard(music103) and athletic(gym,after5), each with an effective date and an expiration date. Same Guest IDs, Athletic Facilities, Printing and Blackboard applications as above.
Finance Control of Authority
(Diagram) A. Greenspan: "Unless the situation is reversed, these …trends will cause serious economic disruptions". Finance applications and the question each must answer: Reporting (who can view), Reimbursements (who can approve), Requisitions (who can spend); today answered by manual approval workflow.
Depts Distribute Control of Authority
(Diagram) A. Greenspan, Affiliation: staff, holds in Grouper/Signet school:dept1 (view, all); B. Bernanke holds school:dept2 (approve, 1472, $100). Accounts are the scope, valid "while staff". Finance applications as above: Reporting (who can view), Reimbursements (who can approve), Requisitions (who can spend).
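As an added illustration (not Grouper or Signet code, which the slides only show at diagram level), a toy Python registry modelling the two Stage 2/3 patterns above: course membership as the union of an SIS roster, a professor-defined TA group and a faculty group, and Signet-style privileges with a limit, effective/expiration dates and a "while member of" scope. All names and dates are constructed.

```python
# Toy Stage 2/3 registry: Grouper-style groups with composite (union) membership and
# Signet-style privileges bounded by dates, a limit and a "while member of" scope.
class Registry:
    def __init__(self):
        self.groups = {}       # group name -> set of direct member ids
        self.composites = {}   # composite name -> groups whose union defines it
        self.privileges = []   # (subject, privilege, scope, limit, effective, expiration, cond)

    def members(self, group):
        """Effective membership: direct members plus the union of composite parts."""
        result = set(self.groups.get(group, ()))
        for part in self.composites.get(group, ()):
            result |= self.members(part)
        return result

    def is_member(self, subject, group):
        return subject in self.members(group)

    def grant(self, subject, privilege, scope, limit=None,
              effective=None, expiration=None, while_member_of=None):
        """Record a grant; dates are ISO 'YYYY-MM-DD' strings, which compare as text."""
        self.privileges.append((subject, privilege, scope, limit,
                                effective, expiration, while_member_of))

    def can(self, subject, privilege, scope, today, amount=0):
        """AuthZ: matching grant, date window open, limit respected, 'while' scope still true."""
        for subj, priv, sc, limit, eff, exp, cond in self.privileges:
            if (subj, priv, sc) != (subject, privilege, scope):
                continue
            if (eff and today < eff) or (exp and today > exp):
                continue
            if limit is not None and amount > limit:
                continue
            if cond and not self.is_member(subject, cond):
                continue
            return True
        return False

def demo_registry():
    # Constructed data mirroring the slides' CS-313, guest and finance scenarios.
    r = Registry()
    r.groups["sis:courses:CS-313"] = {"alice", "bob"}      # reflected from the SIS
    r.groups["class:CS-313:TA"] = {"tamara"}               # defined by the professor
    r.groups["faculty:CS-313"] = {"professor"}
    r.composites["CS-313"] = ["sis:courses:CS-313", "class:CS-313:TA", "faculty:CS-313"]
    r.groups["hr:staff"] = {"greenspan", "bernanke"}        # reflected from HR
    r.grant("bernanke", "approve", "school:dept2", limit=100, while_member_of="hr:staff")
    r.groups["guestids:guests"] = {"rula"}                 # guest ID, time-limited
    r.grant("rula", "print", "printing", 100, "2006-11-01", "2006-11-30", "guestids:guests")
    return r
```

Removing a subject from the HR-reflected staff group revokes the dependent privilege on the next check without touching the grant itself, which is the point of the "while staff" scope.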
Discussion and Further Information
–Identity Management Constituent Group: 2:15-3:45pm today, Room A124/127
–Identity Management Roundtable: 2:20-3:10pm Wednesday, Room C151/152
–CAMP Distributed Access Management: November 7-9, Denver, Colorado