Presentation is loading. Please wait.

Presentation is loading. Please wait.

KIM: Kuali Abstraction Layer for Identities, Groups, Roles, and Permissions.

Published byJonas Walters Modified over 9 years ago

Similar presentations

Presentation on theme: "KIM: Kuali Abstraction Layer for Identities, Groups, Roles, and Permissions."— Presentation transcript:

1 KIM: Kuali Abstraction Layer for Identities, Groups, Roles, and Permissions

2 What is (and isn’t) KIM?

3 3 What is KIM? New module in Kuali Rice version 1.0 Common Interface and Service Layer Integrated Reference Implementation Set of User Interfaces KIM is not just Identity Management, it’s also Access Management

4 4 What KIM is Not A Full-Fledged Identity Management System Provisioning Hooks to update other systems Duplication Management An Identity Aggregator An Authentication Implementation

5 Why Did We Create KIM?

6 6 Motivations Expansion of Kuali Common Identity Management API Consistent Authorization Implementation

7 7 What we did not want KF S KC KS IDM

8 8 What we did want KF S KC KS KI M

9 9 Design Considerations Existence of Other IdM Solutions Legacy/Existing Implementations Replaceable Services Separation of Concerns Service Bus Maintenance GUIs

10 KIM Terminology

11 11 KIM Terminology Namespace Entity Principal Principal ID Principal Name Person Entity Type

12 12 KIM Terminology Group Role Qualifier Permission / Permission Template Responsibility / Responsibility Template

13 13 Namespace Prevent Naming Conflicts Allow for Permissions to be Segmented Examples: KR-KNS KR-WRKFLW KFS-SYS KFS-AP KC-SYS

14 14 Entity Principal Principal ID Principal Name Entity Type Names Addresses Phone Numbers Email Addresses

15 15 Group Namespace Group Type Attributes

16 16 Role Namespace Role Type Qualifiers Role Type Services Delegations Primary Secondary

17 17 Permission / Permission Template Permission Template Permission Permission Details Permission Type Service Assigned to Roles

18 18 Responsibility / Responsibility Template Responsibility Template Review Resolve Exception Responsibility Responsibility Details Responsibility Type Service Assigned to Roles

19 KIM Services

20 20 Components Service Interface API KNS-Based Default Implementation Functional Maintenance User Interfaces

21 21 KIM Services Authentication Service Identity Service Group Service Role Service Permission Service Responsibility Service

22 22 Authentication Service Provides authentication at the web tier of an application Informs the application of the principal name that has authenticated Default implementation just uses the “remote user” on the HTTP request Only one service operation Get principal name

23 23 Identity Service Responsible for Principals and Entities Principals have a “name” which is intended to be the user name they use to authenticate All principals are associated with an entity There can be different types of entities, including Person and System Entities can have custom attributes and IDs attached to them

24 24 Identity Service Numerous pieces of data can be stored about an entity including: names, affiliations, external ids, employment information, address, phone, email, privacy preferences (FERPA), etc. Example Service Operations: Get principal by id Get principal by principal name Get entity info by id Get entity info by principal id Get entity privacy preferences

25 25 Group Service All groups identified uniquely by id or namespace + name Supports nested groups Groups can also have custom attributes associated Example Service Operations: Get group by id Get group by name Get groups for principal Is member of group Get member group ids

26 26 Role Service Roles can have members that are principals, groups or even other roles All members assigned to a role will be granted any permissions or responsibilities that are associated with the role Role membership can optionally be qualified Example Service Operations: Get role by name Get role qualifiers for principal Get role members

27 27 Permission Service KIM has the concepts of Permission Templates and Permissions Permission Template represents some course-grained permission Use Screen, Initiate Document, Maintain Records, etc. A Permission is created from a template and has more specific information identified on it’s permission details for example “Initiate Document” of type “Transfer of Funds”

28 28 Permission Service Evaluation of permissions is handled by the permission service. KIM provides plug points for implementing custom logic for permission checking Example: permission checks based on hierarchical data Example Service Operations: Is principal authorized by permission name with details Is principal authorized by permission template name with details Get assignees for permission Get authorized permissions for principal Get ids of roles that have given permission

29 29 Responsibility Service Provides integration of KIM with workflow engine via Responsibility Actions These define what actions the principal needs to take (i.e. approve, acknowledge, fyi) on workflow processes Responsibility details identity when these actions are applied during the routing process Responsibility Actions also provide delegation support (for both routing and permission delegation) Example Service Operations: Get responsibilities by name Get responsibility actions Get responsibility actions by responsibility template Does principal have responsibility

30 30 More KIM Services Identity Management Service Role Management Service Person Service Identity Archive Service “Update” Services

31 31 KIM Service Architecture

32 32 Role Types Name Attributes Service Name

33 33 Role Type Services Role Behavior Matching of Attributes Validation of Attributes Handling of Contained Roles Application Roles

34 34 Questions? Web Site: http://kim.kuali.org Docs: http://rice.kuali.org/docs/1.0.1http://rice.kuali.org/docs/1.0.1 Email: rice.collab@kuali.orgrice.collab@kuali.org

Download ppt "KIM: Kuali Abstraction Layer for Identities, Groups, Roles, and Permissions."

Similar presentations

© 2006 Open Grid Forum OGF19 Federated Identity Rule-based data management Wed 11:00 AM Mountain Laurel Thurs 11:00 AM Bellflower.

© 2006 Open Grid Forum OGF19 Federated Identity Rule-based data management Wed 11:00 AM Mountain Laurel Thurs 11:00 AM Bellflower.
Design Validation CSCI 5801: Software Engineering.

Design Validation CSCI 5801: Software Engineering.
CASE STUDIES Indiana University University of California, Davis University of Maryland San Joaquin Delta College University of Arizona University of Washington.

CASE STUDIES Indiana University University of California, Davis University of Maryland San Joaquin Delta College University of Arizona University of Washington.
KS Authorization Weixia (Bonnie) Huang Feb 19, 2013.

KS Authorization Weixia (Bonnie) Huang Feb 19, 2013.
6 th Annual Focus Users’ Conference 6 th Annual Focus Users’ Conference Profiles and User Permissions Presented by: Josh Mostyn Presented by: Josh Mostyn.

6 th Annual Focus Users’ Conference 6 th Annual Focus Users’ Conference Profiles and User Permissions Presented by: Josh Mostyn Presented by: Josh Mostyn.
UDDI v3.0 (Universal Description, Discovery and Integration)

UDDI v3.0 (Universal Description, Discovery and Integration)
Program Management Portal: Overview for the Client

Program Management Portal: Overview for the Client
Kuali Identity Management: Introduction and Implementation Options Jasig - Spring 2010 Wednesday, March 10, 2010 8:30 am.

Kuali Identity Management: Introduction and Implementation Options Jasig - Spring 2010 Wednesday, March 10, :30 am.
Introduction to Kuali Rice ITANA Screen2Screen: Kuali on Campus May 2009 Eric Westfall – Kuali Rice Project Manager.

Introduction to Kuali Rice ITANA Screen2Screen: Kuali on Campus May 2009 Eric Westfall – Kuali Rice Project Manager.
An Open Source Google Apps Integration (Bboogle) Patricia Goldweic, Sr. Software Engineer, Northwestern University.

An Open Source Google Apps Integration (Bboogle) Patricia Goldweic, Sr. Software Engineer, Northwestern University.
KUALI ENTERPRISE WORKFLOW OVERVIEW Eric Westfall.

KUALI ENTERPRISE WORKFLOW OVERVIEW Eric Westfall.
Edoclite and Managing Client Engagements What is Edoclite? How is it used at IU? Development Process?

Edoclite and Managing Client Engagements What is Edoclite? How is it used at IU? Development Process?
SharePoint 2010 Permissions Keith Tuomi. profile KEITH TUOMI SharePoint Consultant / Developer at itgroove Developing Online Systems since 1991 10 years.

SharePoint 2010 Permissions Keith Tuomi. profile KEITH TUOMI SharePoint Consultant / Developer at itgroove Developing Online Systems since years.
Kuali Rice at Indiana University Important Workflow Concepts Leveraged in Production Environments July 29-30, 2008 Eric Westfall.

Kuali Rice at Indiana University Important Workflow Concepts Leveraged in Production Environments July 29-30, 2008 Eric Westfall.
Copyright © 2008 Accenture All Rights Reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture. Andrew Stone Common Security.

Copyright © 2008 Accenture All Rights Reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture. Andrew Stone Common Security.
Computer Monitoring System for EE Faculty By Yaroslav Ross And Denis Zakrevsky Supervisor: Viktor Kulikov.

Computer Monitoring System for EE Faculty By Yaroslav Ross And Denis Zakrevsky Supervisor: Viktor Kulikov.
Web Servers How do our requests for resources on the Internet get handled? Can they be located anywhere? Global?

Web Servers How do our requests for resources on the Internet get handled? Can they be located anywhere? Global?
© 2004, The Trustees of Indiana University 1 OneStart Workflow Basics Brian McGough, Manager, Systems Integration, UITS Ryan Kirkendall, Lead Developer.

© 2004, The Trustees of Indiana University 1 OneStart Workflow Basics Brian McGough, Manager, Systems Integration, UITS Ryan Kirkendall, Lead Developer.
1 Data Strategy Overview Keith Wilson Session 15.

1 Data Strategy Overview Keith Wilson Session 15.
Rapid Development of Workflow-enabled Forms using eDocLite

Rapid Development of Workflow-enabled Forms using eDocLite

Similar presentations

Ads by Google