Slide 2: CAMP: Building a Distributed Access Management Infrastructure
Lynn McRae, Stanford University
Denver, Nov 7-9, 2006
Slide 3: The Three Stages
1. Maximizing Identity Management
2. Enriching Identity through Groups
3. Better Policy Control through Privilege Management
Slide 4: The Three Stooges
1. Moe
2. Larry
3. Curly
Slide 5: The Three Stages
1. Maximizing Identity Management
   - Integrate identities from Systems of Record
   - Common username & login credentials
   - Houses attributes for differential access
2. Enrich Identity through Groups
   - Users (departments, projects, individuals) define populations through membership in groups
   - Carried through the infrastructure to enhance services
3. Policy Control by Privilege Management
   - Set/view privileges across systems
   - Adjust privileges to changes in role and status
   - Decentralized control of centralized infrastructure
Slide 6: Access Management
Each person's online activities are shaped by many Sources of Authority:
- Institutional policy making bodies
- Resource managers
- Program/activity heads
- Individuals
- Self
Slide 7: Distributed Access Management
- Management of privileges should be distributed
- Hook up all Sources of Authority to the middleware
- Common middleware infrastructure should be operated centrally
- Departments/programs/activities/applications should not have to build their own core middleware
- Resources should be shared through the infrastructure
Slide 9: Overall model
- A delegated model enables a significant new audience
- Contributes Identity Management information to be used by others
- Leverages Identity Management information, e.g., lifecycle control
- Becomes a part of the infrastructure
Slide 10: Three Stages
- A CAMP conceit
- Capabilities can evolve together … but likely in this order
- Each stage depends on the strengths of the stages before it
Slide 11: Three Stages
- Identity Management is a necessary foundation
- Success requires equal parts:
  - Technical prowess
  - Institutional management support
- Plus an architectural model
- And a roadmap on how to get there
Slide 12: IdM vocabulary

| Verb                 | Objects                                                                                   |
|----------------------|-------------------------------------------------------------------------------------------|
| Reflect              | Data of interest from systems of record into registry, directory                          |
| Join                 | Identity information across systems                                                       |
| Manage               | Credentials, group memberships, affiliations, privileges, services, policies              |
| Provide              | IAM info via relay through run-time request/response, or provisioning into App/Service stores |
| Authenticate (AuthN) | Claimed identities                                                                        |
| Authorize (AuthZ)    | Access or denial of access                                                                |
| Log                  | Usage for audit                                                                           |
Slide 13: Stage 1 - Identity Management
- Institutional policy is the main source that defines who people are and what they can do
- Managed in central business systems
- Generally clear policy authorities:
  - Registrar for students
  - HR/Personnel for employees
  - Faculty Affairs/Senate for faculty
  - Comptroller/controller/bursar for finance
  - IT for system administration, etc.
Slide 15: IdM - Governance
- Governance by policy makers
- Stewardship (custodianship) by IT
- These roles must be in full partnership to serve the entire community
- Business systems must focus on their own needs, while IT adds value to the larger community:
  - by providing access to this information
  - by allowing others to augment this information
  - by supporting ways to leverage this information
Slide 16: IdM - the data
- Solid identity matching
- Enterprise data definitions
- Consistent use of common data
- Rules of precedence for multiple sources
  … for multiple affiliations
  … for affiliation transitional issues
- Institutional roles …
Slide 17: IdM - Institutional Roles
- Faculty, Staff, Student
- And variations: faculty emeriti, casual staff, non-degree seeking students
- As needed to support eligibility/privileges
- Authoritative definitions materialized
  - Not source system data passed on for interpretation
  - Source systems retain the business logic for generating access management categories
Slide 18: IdM - Not just People!
Identity Management should include other entities:
- Organizations
- Accounts (network namespace)
- Space (buildings and rooms)
- Even Groups!
Slide 19: IdM - Delivering Information
Role of the infrastructure and middleware: publishing information in accessible technologies
- LDAP
- XML documents
- Web Services
- Warehouse
- Tools for provisioning
Slide 20: IdM - Integration
Transaction principles (ACID):
- Atomicity
- Consistency
- Isolation
- Durability
Slide 21: IdM - Integration
Integration principles (RAIN):
- Replayable: re-integrate, on demand
- Auditable: able to verify accuracy, completeness
- Idempotent: multiple replays, in any order, lead to the same result
- Normative: rules for conflict resolution, for "what should be"
Slide 22: Stages 2 and 3
- Enabling other sources of identity and privileges
- Addressing information gaps
- Transparent participation in the full benefits of the Identity Management sources and infrastructure
Slide 24: Stage 2 - Enriched by Groups
- Membership: a simple, accessible concept
- Facility for school-, department-, project- and user-managed ad-hoc groups
- Each contributor is an Identity Maker
- Supplements/complements institutional roles/groups
- Inclusion/exclusion
- Group math
Slide 25: Stage 2 - Enriched by Groups
[Diagram] Identity Management carries "Affiliation: faculty, Dept: Biology" from HR for The Boss, who asks: "What about my team? …my project? …my senior staff?" Each application (WIKI, Email Lists, Calendar) separately defines its own Bio-X group and allows it access.
Slide 26: Stage 2 - Enriched by Groups
[Diagram] Same HR data for The Boss. Grouper now holds the groups biology:bio-x, biology:bio-x:admin and biology:bio-x:staff, and the WIKI, Email Lists and Calendar each allow Bio-X by referencing those Grouper groups instead of defining their own.
Slide 27: Stage 2 - Enriched by Groups
[Diagram] Identity Management carries "Affiliation: faculty" (from HR) and "Instructor: CS-313" (from SIS Courses) for The Professor, who asks: "What about my TAs? … my auditors? … extensions/makeup?" Through Shib, the CourseWare (CS-313 grades) allows CS-313, the Library's CompSci resources allow CS teaching, and the External Partner allows CS affiliates.
Slide 28: Stage 2 - Enriched by Groups
[Diagram] Same HR and SIS Courses data for The Professor. Grouper holds Class:CS-313:TA, and Shib derives isMemberOf for CS-313 as a union ("CS-313 U =") of the SIS course roster and the Grouper group. The CourseWare (CS-313 grades), the Library's CompSci resources (CS teaching) and the External Partner (CS affiliates) keep their existing allow rules.
Slide 29: Groups benefits
- Delegated model of control
- Enables ad-hoc group contributions down to individuals (personal groups)
- Leveraged across technologies
- Membership criteria for access rights
  - Calendar groups
  - .htaccess references
  - Email lists
- Can leverage other identity management information
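The "group math" of slide 24 and the CS-313 union on slide 28, as an added example that is not Grouper code or the presentation's own: a minimal registry with Grouper-style colon-separated names, composite groups (union, intersection, complement) and an isMemberOf view. Group names, member ids and the roster contents are constructed assumptions.

```python
# Added example (not Grouper code): a minimal registry with Grouper-style
# colon-separated group names and "group math" (union, intersection,
# complement) applied to the CS-313 course case from the slides. All
# members and group names below are constructed.

class GroupRegistry:
    def __init__(self):
        self.direct = {}      # group name -> set of directly assigned members
        self.composite = {}   # group name -> (op, left group, right group)

    def add(self, name, members=()):
        self.direct.setdefault(name, set()).update(members)

    def define(self, name, op, left, right):
        """op: 'union' (A or B), 'intersection' (A and B), 'complement' (A minus B)."""
        if op not in ("union", "intersection", "complement"):
            raise ValueError(op)
        self.composite[name] = (op, left, right)

    def members(self, name, _seen=frozenset()):
        if name in _seen:                     # refuse cycles instead of recursing forever
            raise ValueError("cyclic group definition: " + name)
        if name in self.composite:
            op, left, right = self.composite[name]
            a = self.members(left, _seen | {name})
            b = self.members(right, _seen | {name})
            return {"union": a | b, "intersection": a & b, "complement": a - b}[op]
        return set(self.direct.get(name, ()))

    def is_member_of(self, subject):
        """Values an IdP such as Shib could release as an isMemberOf attribute."""
        names = list(self.direct) + list(self.composite)
        return sorted(n for n in names if subject in self.members(n))

def cs313_registry():
    """Course access = (SIS roster or TAs) minus students who dropped."""
    reg = GroupRegistry()
    reg.add("sis:courses:CS-313", {"s1", "s2", "s3"})   # reflected from SIS Courses
    reg.add("Class:CS-313:TA", {"t1"})                  # defined by the professor
    reg.add("Class:CS-313:dropped", {"s3"})
    reg.define("Class:CS-313:enrolled", "union", "sis:courses:CS-313", "Class:CS-313:TA")
    reg.define("Class:CS-313", "complement", "Class:CS-313:enrolled", "Class:CS-313:dropped")
    return reg

def courseware_allows(reg, subject):
    """The CourseWare's authorization check: one group reference, no local list."""
    return subject in reg.members("Class:CS-313")
```

Because the CourseWare checks a single group name, the professor adding a TA or a student dropping changes access without anyone touching the application's configuration.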
Slide 31: Stage 3 - Privilege management
- Brings privilege information together in one place
  - User access through a common UI
  - Program access through an API toolkit
- Central granting applies across multiple systems
- Central reporting, history, auditing, review
- Accessible to managers AND holders of privileges
- Integrated with IdM for lifecycle controls
Slide 32: Reasons for Privilege Management
- Implementation of related access rules is scattered across systems: different procedures, different contacts, managing changes across areas, over time
- Coordinating policy and privileges across systems is difficult
- Difficulty tracking privilege holders
- Ending privileges is not well managed
Slide 33: Privileges for Guest accounts
[Diagram] Rula Lenska ("Friends are here from Europe!") is issued a Guest ID, but Identity Management records "Affiliation: ???". Through Shib, each service decides on its own who to let in: Athletic Facilities (faculty, staff, student, guest), Printing (staff, guest), Blackboard (student, guest).
Slide 34: Privileges for Guest accounts
[Diagram] Identity Management now records "Affiliation: guest" for Rula Lenska. Grouper holds guest:staff and guest:student; Signet holds the privileges printing(max100), blackboard(music103) and athletic(gym,after5), each with an effective date and an expiration date. Athletic Facilities (faculty, staff, student, guest), Printing (staff, guest) and Blackboard (student, guest) consume these rather than managing guests themselves.
Slide 35: Financial privileges
[Diagram] The Donald ("You too can be a millionaire!") has "Affiliation: staff" in Identity Management. Finance reaches him by phone, email and ticket, and maintains its own lists of who can view (Reporting), who can approve (Reimbursements) and who can spend (Requisitions).
Slide 36: Financial privileges
[Diagram] Same IdM data for The Donald. Signet holds school:dept1 (view,all) and school:dept2 (approve,1472,$100), scoped by Depts and Accounts and valid "while staff". Finance's Reporting (who can view), Reimbursements (who can approve) and Requisitions (who can spend) draw on these privileges.
Slide 37: Privileges & Groups
[Diagram] Same IdM data for The Donald. Grouper holds school, school:dept and school:dept:unit, which define the scope of the Signet privileges school:dept1 (view,all) and school:dept2 (approve,1472,$100), valid "while staff". Finance's Reporting (who can view), Reimbursements (who can approve) and Requisitions (who can spend) draw on these privileges.
Slide 38: Privilege management
- Distributed management, delegated model of control
- Enables schools, departments, projects, etc. to define and manage privileges
- Separates the language of privileges (what someone can do) from the language of systems (how they get enabled)
- Provides transparency of control
- Isolates users from system changes
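The Signet-style privileges of slides 34, 36 and 37, as an added example that is not Signet code or the presentation's own: a privilege record with function, hierarchical scope, limits, effective/expiration dates and an IdM lifecycle condition, plus a central check that a system such as Finance could call instead of keeping its own lists. The person ids, group names, dates and limits are constructed assumptions.

```python
# Added example (not Signet code): a small Signet-style privilege model with
# function, scope, limits, effective/expiration dates and an IdM lifecycle
# condition ("while staff"). All names, dates and limits are constructed.
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Privilege:
    subject: str                  # person id or group name holding the privilege
    function: str                 # language of privileges: view / approve / spend
    scope: str                    # where it applies, e.g. school:dept2
    effective: date
    expiration: Optional[date] = None
    condition: Optional[str] = None            # required IdM affiliation
    limits: dict = field(default_factory=dict) # e.g. account, max_amount

# Constructed IdM affiliations and Grouper-style memberships.
AFFILIATION = {"donald": "staff"}
GROUPS = {"school:dept1": {"donald"}}

PRIVS = [
    Privilege("school:dept1", "view", "school:dept1", date(2006, 1, 1), condition="staff"),
    Privilege("donald", "approve", "school:dept2", date(2006, 1, 1), date(2006, 12, 31),
              condition="staff", limits={"account": "1472", "max_amount": 100}),
]

def scope_covers(granted, requested):
    """A grant on school:dept also covers school:dept:unit (hierarchical scope)."""
    return requested == granted or requested.startswith(granted + ":")

def authorized(privs, person, function, scope, today, account=None, amount=0):
    """Answer 'can person do function in scope today?' from central privileges."""
    for p in privs:
        holders = GROUPS.get(p.subject, {p.subject})
        if person not in holders or p.function != function:
            continue
        if not scope_covers(p.scope, scope):
            continue
        if today < p.effective or (p.expiration and today > p.expiration):
            continue
        if p.condition and AFFILIATION.get(person) != p.condition:
            continue   # privilege ends automatically when the IdM affiliation ends
        if "account" in p.limits and account != p.limits["account"]:
            continue
        if "max_amount" in p.limits and amount > p.limits["max_amount"]:
            continue
        return True
    return False
```

Every denial path here is a lifecycle or scope control the slides list as missing when rules are scattered across systems; an audit report is a walk over PRIVS rather than a round of phone calls.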
Slide 39: Back at 20,000 feet
- A delegated model enables a significant new audience
- Enriching Identity Management leverages that data for significant benefits
- Leveraging IdM provides granularity and lifecycle control
- Groups and Privileges become commonplace in the infrastructure
Slide 40: Tools for stage 2 or 3
- No commercial products, really
- A few campus-built distributed group or privilege management solutions, not packaged for implementation elsewhere
- Ergo, the Grouper and Signet projects: V1.0+ releases, open source
Slide 41: Challenges of stage 2 or 3
- Integration
- Governance/ownership
- Support model, help desk, debugging
Slide 43: For more information
- http://grouper.internet2.edu
- http://signet.internet2.edu
- Open source and evolving
- Contact information: email lists, product web sites and wikis