1. Roles Enterprise Authorizations @ MIT Rob Campanella Identity & Access Management MIT | IS&T | Systems Optimization & Integration Solutions W92-154 | 617-324-8143 | rcampane@mit.edu This entire presentation can be found here: https://wikis.mit.edu/confluence/display/IAM/Roles (Enterprise Authorization)

2. 2 Session Objectives  What is an authorization?  Enterprise Authorization  What is it?  Why should I use it?  How do I use it?  Q&A

3. 3 What is an authorization?  3 parts Who (person) What (function) Where (qualifier)  can be NULL  Examples Tom Brady is quarterback for the New England Patriots Rob Campanella can spend on profit center PC242800 Rob Campanella is Roles Administrator

4. 4 Person (The who)  Now  Kerberos Principal  Future possibilities  Touchstone Collaboration Account  Moira Group

5. 5 Function (The what)  Usually a task, but could also describe position/responsibility  Defined in understandable business terms  Grouped into ‘categories’  Paired with a specific qualifier type  Marty Walsh is Mayor of Boston (City qualifier type works)  Marty Walsh is Mayor of Massachusetts (State qualifier type does not work)

6. 6 Function cont. – Inheritance Can edit HR data Can view HR data Jeff can view HR data for Biology Eddie can edit HR data for Biology Eddie can view HR data for Biology

7. 7 Qualifier (The where)  Defines scope  Hierarchy based  (or NULL)

8. 8 Qualifier cont. – Inheritance ALL Departments School of Science BiologyChemistry School of Engineering Mechanical Engineering Auth here means only Biology Auth here means entire School of Science (Biology & Chemistry in this example)

9. 9 Additional authorization rules/fields  No negative authorizations  Effective & expiration dates  Can do vs Can grant

10. 10 Life without Enterprise Authorization  User enters auths into multiple systems  Each system may have different interface  Must understand inner workings of each system to create appropriate auths  Conflicts can be created  Same business auth may need to be entered in multiple systems  No complete picture of user’s authorizations System #1 System #2 System #3 System #4 System #N

11. 11 Life with Enterprise Authorization  Single interface for entering all auths  Only need to understand the business need, not the underlying system  Same auth can span multiple systems  Conflicts prevented  Can see complete picture of a user System #1 System #2 System #3 System #4 System #N ROLES

12. 12 Enterprise Authorization @ MIT = ROLES (rolesapp.mit.edu)  Centrally Managed Authorization System of Record  Distributed entry/maintenance Access should be granted by those closest to the resource Primary Authorizers  Conflict/SOD Identification/Prevention  Implied (rule based) authorizations  Audit trail  Reporting  API

13. 13 API Example (Currently SOAP) System #1 ROLES Can RCAMPANE view HR data for BIOLOGY? YES Can RCAMPANE view HR data for CHEMISTRY? NO

14. WSDLs  Dev: https://ws-dev.mit.edu/rolesws  Test: https://ws-test.mit.edu/rolesws  Prod: https://rolesws.mit.edu/rolesws Method: IsUserAuthorizedExt 14

15. SOAP Request RCAMPANE UADM UA_DECISION_RPT NULL DECI$ION B 15

16. SOAP Response false 16

17. Steps required to call Roles SOAP API  Request an app certhttps://wikis.mit.edu/confluence/display/devt ools/Home  Create “server” user in Roles  Associate app cert w/ server user in allowedLocations.properties file on Roles web server  Grant appropriate auths to server user 17

18. 18 Q&A  Questions now?  Questions later? roles@mit.edu  Project later? Involve us as early as possible