
Provisioning of Services Authentication Requirements

Presentation on theme: "Provisioning of Services Authentication Requirements"— Presentation transcript:

1 Provisioning of Services Authentication Requirements
David Henry Office of Information Technology University of Maryland

2 Provisioning of Accounts
For what services are "shell accounts" used? For what services are other provisioning methods used, and what are they?
- Most provisioning is via "shell accounts"
- Some services are pre-provisioned
  - Time and Attendance system for timesheets: automatically provisioned, based on presence in HRS
  - Student registration system and personal information management: based on presence in SIS
- Some services are provisioned upon initial use
  - Umail: presence in the directory means the user can "activate" the account automatically upon first use, which establishes the home directory, password file entry, etc.
  - New system will require activation via a web page prior to first use

3 Provisioning (cont.)
How are enterprise accounts created/deleted?
- Everyone gets an employeenumber
  - Never changes
  - Includes student applicants, visiting/adjunct faculty, volunteers, other affiliates
  - Used as part of the DN in our directory
  - Initially tied to SSN, but allows for SSN changes
  - Eight digits plus check digit
- Everyone gets a Directory ID / Unique ID
  - Alphanumeric, up to 8 characters
  - Assigned initially as first initial plus the first 7 characters of the last name (e.g. dhenry); digits are used to make it unique (e.g. jjohnso2)
  - Vanity IDs are supported
  - User may request a change up to once a year
  - When retired, an ID won't be reassigned for 12 months
  - Some specific IDs are reserved forever
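The Directory ID rules on this slide (initial plus seven letters of the surname, digit suffixes for uniqueness, an 8-character cap, vanity changes at most once a year, retired IDs held for 12 months, and a reserved list) are enough to write down as a small registry. The following is an added example and not the University of Maryland's own code; it assumes IDs are lower-case, that the first duplicate gets the suffix 2, that a "year" is 365 days, and that the caller supplies the reserved list. The 12-month hold is the security-relevant part: it stops a retired ID from being handed to a different person while downstream systems that key on the Directory ID may still map it to the previous holder.

```python
"""Directory ID assignment and retirement rules from the slide.
Added example, not UMD's code. Assumed: lower-case IDs, uniqueness suffixes
start at 2, a "year" is 365 days, reserved IDs are supplied by the caller."""
import re
from datetime import date, timedelta

MAX_LEN = 8
ID_PATTERN = re.compile(r"[a-z0-9]{1,8}")   # alphanumeric, up to 8 characters
REASSIGN_HOLD = timedelta(days=365)         # retired IDs not reassigned for 12 months
CHANGE_INTERVAL = timedelta(days=365)       # user may change at most once a year


class DirectoryIdRegistry:
    def __init__(self, reserved=()):
        self.reserved = set(reserved)   # reserved forever
        self.active = {}                # directory_id -> employeenumber
        self.by_empno = {}              # employeenumber -> directory_id
        self.retired = {}               # directory_id -> date it was retired
        self.last_change = {}           # employeenumber -> date of last vanity change

    @staticmethod
    def base_id(first, last):
        """First initial plus first seven letters of the last name, e.g. dhenry."""
        initial = re.sub(r"[^a-z]", "", first.lower())[:1]
        surname = re.sub(r"[^a-z]", "", last.lower())[:7]
        return initial + surname

    def is_available(self, candidate, today):
        """Not reserved, not in use, and not retired within the hold period."""
        if candidate in self.reserved or candidate in self.active:
            return False
        retired_on = self.retired.get(candidate)
        return retired_on is None or today - retired_on >= REASSIGN_HOLD

    def assign(self, empno, first, last, today):
        """Assign a new Directory ID, appending digits until unique (jjohnso2)."""
        if empno in self.by_empno:
            raise ValueError("employeenumber already has a Directory ID")
        base = self.base_id(first, last)
        candidate, n = base, 2
        while not self.is_available(candidate, today):
            suffix = str(n)
            # truncate the base so the ID stays within 8 characters
            candidate = base[:MAX_LEN - len(suffix)] + suffix
            n += 1
        self._activate(empno, candidate)
        return candidate

    def can_change(self, empno, today):
        last = self.last_change.get(empno)
        return last is None or today - last >= CHANGE_INTERVAL

    def request_change(self, empno, new_id, today):
        """Vanity ID request: validate, enforce once a year, retire the old ID."""
        new_id = new_id.lower()
        if not ID_PATTERN.fullmatch(new_id):
            raise ValueError("ID must be alphanumeric, 1-8 characters")
        if not self.can_change(empno, today):
            raise ValueError("Directory ID may change at most once a year")
        if not self.is_available(new_id, today):
            raise ValueError("ID is reserved, in use, or retired within 12 months")
        old = self.by_empno[empno]
        del self.active[old]
        self.retired[old] = today          # starts the 12-month hold
        self._activate(empno, new_id)
        self.last_change[empno] = today
        return new_id

    def _activate(self, empno, directory_id):
        self.active[directory_id] = empno
        self.by_empno[empno] = directory_id
        self.retired.pop(directory_id, None)


if __name__ == "__main__":
    reg = DirectoryIdRegistry(reserved={"root"})
    day = date(2024, 1, 15)
    print(reg.assign("000000001", "David", "Henry", day))    # dhenry
    print(reg.assign("000000002", "John", "Johnson", day))   # jjohnson
    print(reg.assign("000000003", "Jane", "Johnson", day))   # jjohnso2
```

The employeenumber stays as the stable key throughout: a vanity change moves the Directory ID, but nothing keyed on the employeenumber has to change, which is the reason the later slide advises developers to use the employeenumber as the internal identifier.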

4 Provisioning (cont.)
- Entries are added
  - Faculty/Staff: upon entry in the HR system; includes future appointments
  - Students: upon "acceptance with letter sent"
  - Others: may be sponsored by any of a number of approved offices
- Entries are deleted
  - Faculty/Staff: 210 days after separation (an attribute is established to indicate a termination date for those apps that care)
  - Students: after the start of the second semester of non-registration, treating summer as a semester
  - Others: renewed annually by sponsor
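The deletion rules on this slide can be checked mechanically, which is useful for a deprovisioning review job. The following is an added example, not UMD's code. It assumes a constructed term calendar with three terms a year (Spring, Summer, Fall) so that summer counts as a semester, treats "renewed annually" as deletion once more than 365 days have passed since the last renewal, and uses constructed sample entries. The student rule is the one with an edge case: skipping summer means a student who registered only in spring is removed at the start of the fall term, not the following spring.

```python
"""Directory entry deletion rules from the slide. Added example, not UMD's code.
Assumed: a constructed 3-term calendar, and "renewed annually" means deletion
once more than 365 days have passed since the sponsor's last renewal."""
from datetime import date, timedelta

STAFF_GRACE = timedelta(days=210)       # 210 days after separation
RENEWAL_PERIOD = timedelta(days=365)    # sponsor renews annually


def term_starts(year_from, year_to):
    """Constructed calendar: Spring, Summer and Fall start dates for each year."""
    cal = []
    for y in range(year_from, year_to + 1):
        cal += [("Spring", date(y, 1, 22)), ("Summer", date(y, 6, 1)),
                ("Fall", date(y, 8, 28))]
    return cal


def termination_date(separation_date):
    """The attribute exposed to apps that care about the termination date."""
    return separation_date + STAFF_GRACE


def should_delete_staff(separation_date, today):
    return separation_date is not None and today >= termination_date(separation_date)


def should_delete_student(registered_starts, today, calendar):
    """Delete once the second consecutive term without registration has begun."""
    if not registered_starts:
        return False
    last = max(registered_starts)
    pending = [start for _, start in calendar if start > last]   # terms since last registration
    return len(pending) >= 2 and today >= pending[1]


def should_delete_sponsored(last_renewal, today):
    return today > last_renewal + RENEWAL_PERIOD


def should_delete(entry, today, calendar):
    cat = entry["category"]
    if cat == "staff":
        return should_delete_staff(entry["separated"], today)
    if cat == "student":
        return should_delete_student(entry["registered"], today, calendar)
    if cat == "other":
        return should_delete_sponsored(entry["last_renewal"], today)
    raise ValueError(f"unknown category {cat!r}")


def entries_to_delete(entries, today, calendar):
    """IDs of all entries that the slide's rules say should be removed as of today."""
    return [e["id"] for e in entries if should_delete(e, today, calendar)]


# Constructed sample directory entries (not real data)
ENTRIES = [
    {"id": "dhenry",   "category": "staff",   "separated": date(2024, 1, 1)},
    {"id": "jjohnson", "category": "staff",   "separated": None},
    {"id": "astudent", "category": "student", "registered": {date(2024, 1, 22)}},
    {"id": "bstudent", "category": "student",
     "registered": {date(2024, 1, 22), date(2024, 8, 28)}},
    {"id": "visitor1", "category": "other",   "last_renewal": date(2023, 3, 1)},
]

if __name__ == "__main__":
    cal = term_starts(2023, 2025)
    print(entries_to_delete(ENTRIES, date(2024, 8, 28), cal))   # ['dhenry', 'astudent', 'visitor1']
```

Publishing the computed termination date as an attribute, as the slide describes, lets each dependent application decide how early it wants to cut access rather than waiting for the directory entry to disappear.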

5 Provisioning (cont.)
How are other services' provisioning mechanisms managed?
- Lots of ways
- Lots of admins
How do you advise app developers on which identifiers to use?
- Use the employeenumber as the internal ID (if possible)
- Use the Directory ID for user auth'n
- Don't use empno or SSN

6 Provisioning (cont.)
How are the identifiers for an individual's multiple accounts managed?
- Currently, they're not.
- In some cases, IDs depend on the Directory ID or another system.
- Passwords? Don't ask.

7 Provisioning (cont.)
System to manage IDs in cooperative:
- Admins
  - Centrally register their system/service
  - Indicate characteristics of eligibility (LDAP filter?)
  - Specify mechanism for notifications (new account request, userid change, account delete, etc.)
- User
  - Goes to a central web page to see the systems and services they may request
  - Activates systems/services
- System
  - Notifies registered systems/services of change events , URL (with Auth'n), Script

8 Authentication Practices
What levels of services require what initial types of identity proofing?
- UNIX shell accounts require in-person proofing with a student ID card
- Privileged accounts require f2f
- Access to certain information requires a signed statement re: appropriate use
What mechanisms are used for authentication?
- Native authentication mechanism
- Kerberos
- LDAP compare

9 Authn (cont.)
What is the hope for intercampus standards?
- There needs to be some hope.
- Shady Grove Campus
  - Combination of system institutions
  - All faculty, staff, and students are from one of the other campuses
  - Courses from any campus apply
  - So far everything is handled by exception

10 That's IT
David Henry, OIT, University of Maryland
