Technical Topics in Privilege Management

1 Technical Topics in Privilege Management
Minh N. Nguyen, Stanford University
Advanced CAMP, July 1, 2004
Copyright Minh N. Nguyen. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 Enabling Systems to Use Signet
How will you use Signet for:
- Defining privileges
- Assigning privileges
- Managing the lifecycle of privileges
- Provisioning privileges
What will you need to make Signet work?
- More data…
- Develop provisioning connectors

3 What Signet Provides
- Command line interface to load privileges
- Web application to assign privileges
- Command line interface to bulk load assignments
- Assignment lifecycle processor
- Privileges XML document output for provisioning
- GUI to define privileges (later phase)

4 Users of Signet
Tools (column "Tool"):
- Command line interface to load privileges
- Web application to assign privileges
- Command line interface to bulk load assignments
- Assignment lifecycle processor
- Privileges XML document output for provisioning
- GUI to define privileges
Users (column "User"): Analyst, End user, System, Helpdesk

5 Technologies
- Java based
- JSP & Servlet
- JDBC
- JNDI
- RDBMS for persistent store
- Tomcat or any servlet engine
- XML output

6 Defining and Loading Privileges
Privileges are defined using building blocks: subsystem, function, entitlement…
- Function: the assignable widget; can be hierarchical (e.g. view, update)
- Entitlement: used in the Privileges XML document

7 Scope and Prerequisite
Scope
- Via plug-in connector, e.g. from organization registry
- External data loaded locally, e.g. from HR system
Prerequisite
- Via plug-in connector, e.g. from directory
- External data loaded locally, e.g. from LMS

8 Loading Privileges Demo

9 Identity Management for Signet
- Finding the right person to assign privileges to
- Linking people and identifiers
- Affiliation data as a condition of assignment
- Local person and identifier tables in Signet

10 Delegating Privileges
- Chain of authority from person to person
- Bootstrap grantor
  - Requirement that the sysadmin not be the super grantor
  - Designate a high-level officer (e.g. provost)
  - Recorded as a system-proxied assignment on behalf of the high-ranking person

11 Assignment Considerations
- What to do when two grantors have assigned the same privilege to the same person
  - Allow
  - Warn, but allow
  - Don't allow
- Auto-reinstatement of a system-revoked assignment
- How to easily grant privileges for a new hire
  - Clone another person's privileges
  - Granting template
- How to "adjust" privileges due to a re-organization

12 Assigning Proxy
- Acting proxy: designating someone to temporarily act on your behalf
  - For how long?
- Granting proxy: someone who can grant privileges for you
  - Proxy for all of your privileges
  - May need the capability to designate only a subset of privileges
  - Can have more than one proxy
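Slides 10 and 12 together describe the rule a privilege management system has to enforce before it accepts a grant: the grantor must hold the function at a scope that covers the grant (or be a granting proxy for someone who does), and following grantor links must end at the bootstrap, a system-proxied assignment recorded on behalf of a high-level officer rather than the sysadmin. The check below is an added example written for this page, not Signet's code; the data model, the slash-separated scope paths such as "univ/eng/cs", the pseudo-grantor name "system" and the sample grants are all assumptions for illustration.

```python
"""Added example (not Signet code): checking a grant against the chain of authority
described on slide 10, including a granting proxy from slide 12. The data model,
the slash-separated scope path ("univ/eng/cs") and the sample grants are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

SYSTEM = "system"   # pseudo-grantor used only for the bootstrap assignment

@dataclass
class Grant:
    grantee: str
    grantor: str
    function: str
    scope: str                          # path in the scope tree
    proxied_for: Optional[str] = None   # bootstrap only: officer the system acted for

@dataclass
class GrantingProxy:
    principal: str                      # whose privileges may be granted
    proxy: str                          # who may grant them on the principal's behalf
    functions: Optional[frozenset] = None   # None = all of the principal's privileges

def within(scope, ancestor):
    """True if `scope` is `ancestor` itself or lies beneath it in the scope tree."""
    return scope == ancestor or scope.startswith(ancestor + "/")

def holds(person, function, scope, grants):
    """Grants giving `person` `function` at `scope` or at an enclosing scope."""
    return [g for g in grants
            if g.grantee == person and g.function == function and within(scope, g.scope)]

def may_act_for(person, function, proxies):
    """`person` plus every principal who made `person` a granting proxy for `function`."""
    return {person} | {p.principal for p in proxies
                       if p.proxy == person and (p.functions is None or function in p.functions)}

def verify_chain(grant, grants, proxies, depth=0):
    """Walk grantor links back to the bootstrap and return the chain of grants.

    Raises ValueError if any grantor on the way (or a principal they proxy for) does
    not hold the function at a scope covering the grant, if the bootstrap is not a
    system-proxied assignment naming an officer, or if the links loop.
    """
    if depth > len(grants):
        raise ValueError("cycle in chain of authority")
    if grant.grantor == SYSTEM:
        if not grant.proxied_for:
            raise ValueError("bootstrap grant must name the officer it is proxied for")
        return [grant]                  # the sysadmin never appears as a grantee here
    for actor in sorted(may_act_for(grant.grantor, grant.function, proxies)):
        for upstream in holds(actor, grant.function, grant.scope, grants):
            return [grant] + verify_chain(upstream, grants, proxies, depth + 1)
    raise ValueError(f"{grant.grantor} cannot grant {grant.function} at {grant.scope}")

# Constructed sample: provost bootstrapped by the system, delegating down the org tree.
GRANTS = [
    Grant("provost", SYSTEM, "fin-approve", "univ", proxied_for="provost"),
    Grant("dean_eng", "provost", "fin-approve", "univ/eng"),
    Grant("chair_cs", "dean_eng", "fin-approve", "univ/eng/cs"),
    Grant("admin_cs", "asst_dean", "fin-approve", "univ/eng/cs"),   # granted via proxy
]
PROXIES = [GrantingProxy("dean_eng", "asst_dean", frozenset({"fin-approve"}))]

def demo():
    direct = [g.grantor for g in verify_chain(GRANTS[2], GRANTS, PROXIES)]
    via_proxy = [g.grantor for g in verify_chain(GRANTS[3], GRANTS, PROXIES)]
    too_wide = Grant("intern", "chair_cs", "fin-approve", "univ/eng")   # chair holds only univ/eng/cs
    try:
        verify_chain(too_wide, GRANTS, PROXIES)
        rejected = False
    except ValueError:
        rejected = True
    return direct, via_proxy, rejected

if __name__ == "__main__":
    print(demo())
```

The scope test is the part that matters in practice: a chair who holds the function at univ/eng/cs cannot hand it out at univ/eng, and a granting proxy inherits exactly the principal's scope, nothing wider. The depth guard turns a cycle of mutual grants into a rejection instead of a stack overflow.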

13 Assigning Privilege Demo

14 Assignment Lifecycle
Assignment condition changes, handled by the lifecycle processor:
- Expiration date passes
- Affiliation changes
- Prerequisite satisfied
Privileges definition changes:
- New entitlement added to an existing function
- New prerequisite added to an existing entitlement

15 Bulk Loading Assignments
- Initial seeding of assignments
- Applies the same rules as the UI for assigning privileges

16 User Notifications
- Assignment created/modified/activated
- Assignment pending for 7 and 30 days
- Assignment expires within 7 and 30 days

17 Provisioning Privileges
- Transaction history table in the database
- Privileges represented in an XML document
- Provisioning strategies:
  - Asynchronous messaging
  - Batch transfer
  - eduPersonEntitlement attribute

18 Provisioning Example
Diagram components: Events DB, XML Document Service, Oracle Financials Harvester, Oracle DB. Flow:
1) An authority:privileges event is written to the Events DB
2) The harvester picks up (harvests) the event
3) The harvester fetches the Privileges XML from the XML Document Service
4) The harvester updates the Oracle DB

19 Provisioning Considerations
- Periodic reconciliation between Signet and applications
- Agreement not to make local changes
- Local privileges not defined in Signet
- Access not based on an assigned privilege in Signet
- Synchronizing the scope tree between Signet and applications

20 Access to PM System
- Who should have access?
  - Any authenticated body
  - Only people who have assignments
  - Only grantors
- Can anyone be assigned privileges?
  - People in the academic/administrative community
- Authentication mechanism
  - External to Signet
  - Authentication plugin (eventually…)

21 Audit
- Discrepancy report between PM and target
- Who had what privilege at some point in the past?
- Who granted the privilege?
- Need a way to trace a transaction in an application back to the authorization in Signet
- Grantors want detailed reports on who has privileges scoped to their organization

22 Monitoring & Diagnostic
- URL to probe the status of the web application:
  - Heap memory usage
  - Connector availability (e.g. database, directory)
- Log diagnostic events for correlation

23 Getting Ready for Signet
- Deploy an identity management system
- Build an organization registry (scope source)
- Data source for the prerequisite condition (affiliation)
- Identify a system which can be Signet-enabled (doesn't have to be big)
- Introduce Signet concepts to your campus
- Join the Signet working group
