Presentation is loading. Please wait.

Presentation is loading. Please wait.

Moving Beyond Implementation: Next Steps for Enterprise Directories Tom Barton University of Chicago.

Published byCarol Roberts Modified over 9 years ago

Similar presentations

Presentation on theme: "Moving Beyond Implementation: Next Steps for Enterprise Directories Tom Barton University of Chicago."— Presentation transcript:

1 Moving Beyond Implementation: Next Steps for Enterprise Directories Tom Barton University of Chicago

2 CAMP Directory Workshop Feb 3-6, 2004 Copyright Tom Barton 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

3 CAMP Directory Workshop Feb 3-6, 2004 Outline  The granularization problem – use cases  Lightweight authorization model  Distributed groups management  Heavyweight authorization

4 CAMP Directory Workshop Feb 3-6, 2004 ¡ authorization != authentication !  When all you have is a hammer, …  If applications can only use your core infrastructure for authentication, –how can you issue credentials and offer selective services to new constituencies? –how can you administratively deny access to some but not all services? –how can you customize a service to the user?  Somehow you need to manage the information necessary to enable appropriate, selective access to services –(and actually use it to implement access controls & customization)

5 CAMP Directory Workshop Feb 3-6, 2004 UofC hammer  Present enterprise directory service supports –Authentication via LDAP, Kerberos, AD –PosixAccount (PAM-LDAP shell login) –White pages –Account claiming & self-management –Email routing & mailbox access  Does not facilitate granular access to services!

6 CAMP Directory Workshop Feb 3-6, 2004 Illustrative list of services  Computer labs  Remote library databases  Accounts on clinical systems  Network access (wireless, netreg, VPN, modems)  IFS home dirs, collaborative spaces  eReserves & LMS  Web apps  Messaging (distribution lists & authorization)  Alumni community services  Administrative systems & services …  List goes on and on …

7 CAMP Directory Workshop Feb 3-6, 2004 Network access  Wireless & wireline are available to all who can authenticate …  … except for those whose computers are hacked, or who’ve been bad  In addition –VPN access won’t be provided to some populations (being determined) –Charge for modem use being considered

8 CAMP Directory Workshop Feb 3-6, 2004 Computer labs  “Student Eligibility Matrix” maintained by an authoritative policy group –21 student statuses X 16 services –Some statuses are clear: enrolled-fulltime –Some are not: “pro forma” Students do not register for any credit courses. (May register for exams in absentia.) Only approved for doctoral students in Scholastic or Advanced Residence who are away from University for dissertation research for duration of quarter. Four consecutive quarters in status may be extended by special approval to two calendar years maximum. NOTES: Still used for Lab School students Pro Forma in the College w/credit courses (@10 per quarter), BSD and PSD students in PF uniformly take credit courses for "R" grades.

9 CAMP Directory Workshop Feb 3-6, 2004 Computer labs  Also need to admit non-student people to the computer labs, with several cases of inclusion & exclusion by nature of affiliation –As determined by various authorities –Computer lab staff need to maintain their own list of additional admits and denies, beyond policy  May need to administratively disable someone otherwise entitled if they’ve been bad

10 CAMP Directory Workshop Feb 3-6, 2004 Remote library databases  Various categories of policy –Faculty/staff/student, without too much regard for the precise definitions  no alums  no guests not in the campus address space  VPN access might cause an issue –faculty/staff/student in specified professional school or graduate division –Research but not clinical use (impossible!) –Interaction with turnstile passage into (some) library facilities

11 CAMP Directory Workshop Feb 3-6, 2004 Clinical systems  Many systems supporting clinical & research uses of PHI (Protected Health Information) –Primarily ~10 departments, ~100 labs –Each system has “small” usership  Intended, anyway –Mix of UC and UCH personnel across userships –Much account crud built up over years of ad hoc administration

12 CAMP Directory Workshop Feb 3-6, 2004 Clinical systems  Solution under consideration –Leverage coordinated UC U UCH identity management being developed –Identify authorities for each clinical and research group –Manage group memberships signifying privilege to access associated clinical systems –Associate groups to departmental hierarchy to aid auditing and enforcement –Implement automation to directly manage account life cycles on clinical systems

13 CAMP Directory Workshop Feb 3-6, 2004 Other prospective use cases  Other areas within UofC might buy in to common management of posix accounts & posix groups  Consideration of using new sympa for mail list management, which brings groups for distribution lists and for access control into discussion  New Blackboard license includes Xythos webDAV based file service, which offers the prospect of home directories/web sites for people and for groups and sharing among groups

14 CAMP Directory Workshop Feb 3-6, 2004 Abstracted access requirements, so far  Large constituencies or  broadly deployed technologies and  relationships with the organization (“affiliations”) are a principal determinant of access  but no single perspective is likely to be cognizant of all required affiliations.  Call these “lightweight” authorization requirements

15 CAMP Directory Workshop Feb 3-6, 2004 Administrative systems  Authorize by identity, not (just) by affiliation –Human judgment –Delegation of authority –Structure to authority (has limits & a declared scope) –Designation of limited privileges –Prerequisites –Limited userships  Call these “heavyweight” authorization requirements

16 CAMP Directory Workshop Feb 3-6, 2004 Lightweight authorization model  Three channels of information –Major affiliations  Source of authority: admin systems + business logic in metadirectory processing. –Minor or ad hoc affiliations  Source of authority: mix of central business logic and decentralized manual and automated sources. –Per user per service positive or negative exceptions  Source of authority: select administrative access. Eg, Info security officer

17 CAMP Directory Workshop Feb 3-6, 2004 Major affiliation  10-20 values in a conservatively managed vocabulary –Widely understood semantics –Relatively static semantics –Satisfies 80% of access control needs for broadly used services –Stake will go deeply into the ground  Value syntax: type:subtype –type in {faculty, staff, student, hospital, associate, guest} –Subtypes of some of these. Eg, faculty, faculty:visiting, faculty:expected, staff:casual, staff:expected, …  ucAffiliation LDAP attribute

18 CAMP Directory Workshop Feb 3-6, 2004 Minor affiliation  Maintained by distributed management of groups –Semantics are less widely understood or more dynamic –Satisfies 80% of needs for locally offered services  Group handles are reflected into isMemberOf LDAP attribute –No value syntax beyond whatever convention for handles will apply –Handle identifier characteristics should be … ?  We’ll use Grouper!

19 CAMP Directory Workshop Feb 3-6, 2004 Per user per service exceptions  Vocabulary –Needs to be known only by select authorities and applications administrators –Grows as needed –Syntax is constrained only by the need to clearly reference the service and convey positive or negative semantics  Web application mediates access to ucPriv LDAP attribute –Security managed within the person registry (Currently. Use groups later, of course!) –ucPriv values are reflected in person registry for diagnostic purposes

20 CAMP Directory Workshop Feb 3-6, 2004 Lightweight authorization examples  Wireless (!(ucPriv=no-wireless))  Labs (&(|(&(| (ucAffiliation=faculty) (ucAffiliation=staff) (ucAffiliation=student:enrolled) (isMemberOf=student:proForma) )(!(| (isMemberOf=student:owesUsTooMuchMoney) (isMemberOf=labAdmin:keepEmOut) )) (isMemberOf=labAdmin:letEmInAnyway) ) (! (ucPriv=no-labs) ))

21 CAMP Directory Workshop Feb 3-6, 2004 Group management issues  Coordinating many sources of information  Supporting several styles of access to group membership information  Provisioning groups in multiple locations  Aging of groups and of memberships  Use of subgroups vs. effective membership  Referring to set theoretic combinations of groups  Maintaining referential integrity  Meeting security, privacy, & visibility requirements  Grouper will deal with much of this

22 CAMP Directory Workshop Feb 3-6, 2004  Simplified Grouper graphic…

23 CAMP Directory Workshop Feb 3-6, 2004 Grouper roadmap  Planning for building specified components and capabilities to be incorporated into Grouper v1 is underway now –Development will occur in 3 phases  Basic management and export functions  Support for compound groups  Support for aging of groups and group memberships –Some elements & capabilities in the Group Tools Architecture will be contributed by I2 schools, others will not occur in Grouper v1 –An actual developer has joined the project!

24 CAMP Directory Workshop Feb 3-6, 2004 Grouper v1  In –Groups Registry, an RDBMS –Groups API supporting management and export of groups, but not extensive querying capability –One UI for manual groups management –Simple programs for batch loading and exporting of groups –Compound groups –Aging of groups and group memberships –Extensibility of group types and multiple membership fields will be capabilities of the data model in the Groups Registry not exposed in the public API

25 CAMP Directory Workshop Feb 3-6, 2004 Grouper v1  Contributed –LDAP & other provisioning connectors –Implementations of several abstracted interfaces within Grouper, such as member lookup and presentation  Out – maybe in a post v1 release –Stream Loader and associated Rules infrastructure –Change log based provisioning  Articulation with Stanford Authority System –House aggregates to which authority can be attached –Compound groups in support of role management

26 CAMP Directory Workshop Feb 3-6, 2004 Back to heavyweight authorization  A system such as Stanford’s Authority Manager seems well suited to the need  UofC has begun internal discussions towards eventual incorporation of an authority management system –Likely to be a long row to hoe, and uncertain of the outcome for administrative applications –Conceivable that an authority system would be used for at least some clinical systems  Stay tuned for further activity on the heavyweight authorization front…

Download ppt "Moving Beyond Implementation: Next Steps for Enterprise Directories Tom Barton University of Chicago."

Similar presentations

Data: Application requirements, data flow, and person registry Tom Barton University of Chicago.

Data: Application requirements, data flow, and person registry Tom Barton University of Chicago.
Office of Information Technology Affiliates/Guests – Who are these people and how do we give them services? Copyright, Barbara Hope, University of Maryland,

Office of Information Technology Affiliates/Guests – Who are these people and how do we give them services? Copyright, Barbara Hope, University of Maryland,
Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau 2004. This work is the intellectual property of the authors. Permission is granted for.

Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau This work is the intellectual property of the authors. Permission is granted for.
1 Extending Authenticated Online Services with Friend Accounts at Washington State University Brian Foley Technology Architect/Application Developer.

1 Extending Authenticated Online Services with "Friend Accounts" at Washington State University Brian Foley Technology Architect/Application Developer.
Lesson 17: Configuring Security Policies

Lesson 17: Configuring Security Policies
Multi-Organizational Authorization Services RL “Bob” Morgan, University of Washington Internet2/Educause Advanced CAMP Boulder, Colorado July 2003.

Multi-Organizational Authorization Services RL “Bob” Morgan, University of Washington Internet2/Educause Advanced CAMP Boulder, Colorado July 2003.
Leveraging Campus Directories: Lightweight Authorization and Group Management Keith Hazelton University of Wisconsin-Madison.

Leveraging Campus Directories: Lightweight Authorization and Group Management Keith Hazelton University of Wisconsin-Madison.
Recent Developments in Directories Tom Barton, University of Chicago Keith Hazelton, University of Wisconsin.

Recent Developments in Directories Tom Barton, University of Chicago Keith Hazelton, University of Wisconsin.
Information Technology Current Work in System Architecture November 2003 Tom Board Director, NUIT Information Systems Architecture.

Information Technology Current Work in System Architecture November 2003 Tom Board Director, NUIT Information Systems Architecture.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Identity and Access Management IAM. 2 Definition Identity and Access Management provide the following: – Mechanisms for identifying, creating, updating.

Identity and Access Management IAM. 2 Definition Identity and Access Management provide the following: – Mechanisms for identifying, creating, updating.
Identity and Access Management IAM A Preview. 2 Goal To design and implement an identity and access management (IAM) middleware infrastructure that –

Identity and Access Management IAM A Preview. 2 Goal To design and implement an identity and access management (IAM) middleware infrastructure that –
Introduction to Grouper. Open source, community-driven project of the Internet2 Middleware Initiative Initial release v0.5 in December 2004 Grouper originally.

Introduction to Grouper. Open source, community-driven project of the Internet2 Middleware Initiative Initial release v0.5 in December 2004 Grouper originally.
Identity Management: The Legacy and Real Solutions Project Overview.

Identity Management: The Legacy and Real Solutions Project Overview.
Widely Distributed Access Management Tom Barton University of Chicago.

Widely Distributed Access Management Tom Barton University of Chicago.
Darrel S. Huish Katherine J. Ranes Arizona State University Lessons Learned During the First Year of myASU, a Large Institution Portal Copyright Darrel.

Darrel S. Huish Katherine J. Ranes Arizona State University Lessons Learned During the First Year of myASU, a Large Institution Portal Copyright Darrel.
CAMP - June 4-6, 2003 1 Copyright Statement Copyright Robert J. Brentrup and Mark J. Franklin 2003. This work is the intellectual property of the authors.

CAMP - June 4-6, Copyright Statement Copyright Robert J. Brentrup and Mark J. Franklin This work is the intellectual property of the authors.
Learning Management Systems Camp June 2004 Barry R Ribbeck UT HSC Houston Copyright, Barry Ribbeck, 2004. This work is the intellectual property of the.

Learning Management Systems Camp June 2004 Barry R Ribbeck UT HSC Houston Copyright, Barry Ribbeck, This work is the intellectual property of the.
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,
Understanding Active Directory

Understanding Active Directory

Similar presentations

Ads by Google