Presentation is loading. Please wait.

Presentation is loading. Please wait.

Operating Systems & Information Services CERN IT Department CH-1211 Geneva 23 Switzerland www.cern.ch/i t OIS The new Account Management Identity, Authentication,

Published byLilian Paul Modified over 8 years ago

Similar presentations

Presentation on theme: "Operating Systems & Information Services CERN IT Department CH-1211 Geneva 23 Switzerland www.cern.ch/i t OIS The new Account Management Identity, Authentication,"— Presentation transcript:

1 Operating Systems & Information Services CERN IT Department CH-1211 Geneva 23 Switzerland www.cern.ch/i t OIS The new Account Management Identity, Authentication, Authorization Policies ACCU March 9, 2010 IT-OIS

2 CERN IT Department CH-1211 Geneva 23 Switzerland www.cern.ch/i t OIS Account Management What’s new ? On 22 November 2010, a new Account Management system was introduced –Replacing old CRA system –Introduced new policies and concepts Next objectives –Medium to long term: policies review –Procedures are being adapted, optimized and reviewed –Massive cleanup of data and rules being done –Consolidation of all the services involved

3 CERN IT Department CH-1211 Geneva 23 Switzerland www.cern.ch/i t OIS IAA Definition Answer the questionsAttributes Identity“Who are you?”Public assertion Authentication“Ok, how can you prove it?”Secret response Authorization“What can I do?”Token or ticket Access control Identity:  Human Identity: FOUNDATION (GS/AIS)  Computer Identity (accounts): FIM (IT/OIS) Authentication:  Active Directory, Kerberos, Single Sign-On, LDAP, SOAP (IT/OIS) Authorization:  E-Groups to maintain access control lists (GS/AIS)

4 CERN IT Department CH-1211 Geneva 23 Switzerland www.cern.ch/i t OIS Primary account –Automatically created –Call Service Desk to enable Secondary account –Belongs to the user –Deleted when the user leaves CERN Service account –Assigned to the user –Can be reassigned –Reassigned to supervisor when user leaves CERN Account Model Account types

5 CERN IT Department CH-1211 Geneva 23 Switzerland www.cern.ch/i t OIS End-User Perspective What’s new ? Actions are either Automated or Self-Service based –The end-user connects to a Self-Service Web Portal User Arrival –The Primary account is automatically created –First activation through Service Desk –Follow course and sign OC5 security rules within 5 days maximum Account Management –Users can create and manage optional Secondary and Service accounts through the Web Portal –Ownership of Service accounts can be transferred to avoid orphan accounts Service Management –Service Management Web page presents to the user a global view of : the computing resources he owns, the list of services he has subscribed to and the available options for each of them User Departure –Service accounts are reassigned to the supervisor - if the user has not reassigned them proactively. –Account disabled 2 months after departure, deleted after 6 months

6 Operating Systems & Information Services User Experience Self Service tools

7 Operating Systems & Information Services User Experience Self Service tools

8 Operating Systems & Information Services User Experience Self Service tools

9 Operating Systems & Information Services User Experience Self Service tools

10 CERN IT Department CH-1211 Geneva 23 Switzerland www.cern.ch/i t OIS Computing Groups were migrated to E-Groups –Specific Unix/AFS groups Group administrators decide how to manage their groups: –Static membership –Dynamic criteria –Both (nested groups) E-Groups Computing Groups

11 CERN IT Department CH-1211 Geneva 23 Switzerland www.cern.ch/i t OIS Users changing Experiment was not easily covered by the old system Users can now be member of several computing groups –When working on several Experiments –No need to create many secondary accounts Tools now allow easily to change the primary Computing Group –Permanently, the old remains available anytime –Temporarily Multiple Computing Groups New Feature

12 CERN IT Department CH-1211 Geneva 23 Switzerland www.cern.ch/i t OIS Users’ departure policy When a user’s contract ends + 2 months: –Primary and secondary accounts disabled –Same policy for everyone –Decreasing to 1 month will increase security Supervisor can ask for an extension to the Service Desk –Such a Blocking Exception should become a new HR feature / status (investigation in progress) Decrease exceptions –Understanding the need for exception will help to cover them with normal procedures.

13 CERN IT Department CH-1211 Geneva 23 Switzerland www.cern.ch/i t OIS A few numbers to conclude Total: 42264 Accounts Since FIM started on 22 November: –876 Accounts activated Primary : 555 Secondary : 118 Service : 200 –Primary Accounts activated per month (new persons): November 2010 : 51 December 2010 : 112 January 2011 : 199 February 2011 : 162 March 2011 : 111

14 CERN IT Department CH-1211 Geneva 23 Switzerland www.cern.ch/i t OIS Questions?

Download ppt "Operating Systems & Information Services CERN IT Department CH-1211 Geneva 23 Switzerland www.cern.ch/i t OIS The new Account Management Identity, Authentication,"

Similar presentations

PRODUCTVIEWS USERPROGRAMS with Colleen Alber Design & Implement a DKT Solution.

PRODUCTVIEWS USERPROGRAMS with Colleen Alber Design & Implement a DKT Solution.
CERN, Information Technology Department

CERN, Information Technology Department
Identity Management at the University of Florida Mike Conlon, Director of Data Infrastructure University of Florida, Gainesville, Florida Background Identity.

Identity Management at the University of Florida Mike Conlon, Director of Data Infrastructure University of Florida, Gainesville, Florida Background Identity.
Virtual techdays INDIA │ 18-20 august 2010 Managing Active Directory Using Microsoft Forefront Identity Manager: Amol R Bhandarkar │ Tech Specialist –

Virtual techdays INDIA │ august 2010 Managing Active Directory Using Microsoft Forefront Identity Manager: Amol R Bhandarkar │ Tech Specialist –
Integrating Oracle Collaboration Suite into the Identity Management Infrastructure Dan Malone Cal Poly, San Luis Obispo Integrating.

Integrating Oracle Collaboration Suite into the Identity Management Infrastructure Dan Malone Cal Poly, San Luis Obispo Integrating.
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
#CONVERGE2014 Session 1304 Managing Telecom Directories in a Distributed or Multi-Vendor Environment David Raanan Starfish Associates.

#CONVERGE2014 Session 1304 Managing Telecom Directories in a Distributed or Multi-Vendor Environment David Raanan Starfish Associates.
Chapter 7 WORKING WITH GROUPS.

Chapter 7 WORKING WITH GROUPS.
Microsoft Identity and Access Solutions Market Trends and Futures

Microsoft Identity and Access Solutions Market Trends and Futures
Operating Systems & Infrastructure Services CERN IT Department CH-1211 Geneva 23 Switzerland www.cern.ch/i t OIS CERN Search Updates Eduardo Alvarez November.

Operating Systems & Infrastructure Services CERN IT Department CH-1211 Geneva 23 Switzerland t OIS CERN Search Updates Eduardo Alvarez November.
Operating Systems & Information Services CERN IT Department CH-1211 Geneva 23 Switzerland www.cern.ch/i t OIS Web Content Management System Discussion.

Operating Systems & Information Services CERN IT Department CH-1211 Geneva 23 Switzerland t OIS Web Content Management System Discussion.
Active Directory Administration Lesson 5. Skills Matrix Technology SkillObjective DomainObjective # Creating Users, Computers, and Groups Automate creation.

Active Directory Administration Lesson 5. Skills Matrix Technology SkillObjective DomainObjective # Creating Users, Computers, and Groups Automate creation.
WP6: Grid Authorization Service Review meeting in Berlin, March 8 th 2004 Marcin Adamski Michał Chmielewski Sergiusz Fonrobert Jarek Nabrzyski Tomasz Nowocień.

WP6: Grid Authorization Service Review meeting in Berlin, March 8 th 2004 Marcin Adamski Michał Chmielewski Sergiusz Fonrobert Jarek Nabrzyski Tomasz Nowocień.
SWITCHaai Team Federated Identity Management.

SWITCHaai Team Federated Identity Management.
Rev Jul-o6 Oracle Identity Management Automate Provisioning to Oracle Applications and Beyond Kenny Gilbert Director of Technology Services.

Rev Jul-o6 Oracle Identity Management Automate Provisioning to Oracle Applications and Beyond Kenny Gilbert Director of Technology Services.
Experiment Support CERN IT Department CH-1211 Geneva 23 Switzerland www.cern.ch/i t DBES WLCG operations: communication channels Andrea Sciabà WLCG operations.

Experiment Support CERN IT Department CH-1211 Geneva 23 Switzerland t DBES WLCG operations: communication channels Andrea Sciabà WLCG operations.
1 Group Account Administration Introduction to Groups Planning a Group Strategy Creating Groups Understanding Default Groups Groups for Administrators.

1 Group Account Administration Introduction to Groups Planning a Group Strategy Creating Groups Understanding Default Groups Groups for Administrators.
CERN IT Department CH-1211 Geneva 23 Switzerland www.cern.ch/i t OIS Ideas for 2011 Prepare must be done work items –Warranty –Software maintenance –Commitments.

CERN IT Department CH-1211 Geneva 23 Switzerland t OIS Ideas for 2011 Prepare must be done work items –Warranty –Software maintenance –Commitments.
Operating Systems & Information Services CERN IT Department CH-1211 Geneva 23 Switzerland www.cern.ch/i t OIS CERN Single Sign-On Summer 2012 Updates Emmanuel.

Operating Systems & Information Services CERN IT Department CH-1211 Geneva 23 Switzerland t OIS CERN Single Sign-On Summer 2012 Updates Emmanuel.
Integrating Applications with the Directory Andrea Beesing CIT/Integration and Delivery June 25, 2002.

Integrating Applications with the Directory Andrea Beesing CIT/Integration and Delivery June 25, 2002.

Similar presentations

Ads by Google