Categorizing Access Management Challenges
Rob Carter, Duke University
Scott Fullerton, University of Wisconsin


1 Categorizing Access Management Challenges
- Rob Carter, Duke University
- Scott Fullerton, University of Wisconsin

2 Overview
- What’s all the fuss about, anyway?
- Maybe there’s an approach we can use…
- Overview and survey of higher ed use cases
- Breakin’ up big rocks…
- Trying the approach on for size
- Some edge cases from out in the wild

3 What’s all the fuss about?
- Why is access management like the weather?
  - Everyone talks about it, but (almost) no one seems to be doing anything about it
- But why…

4 What’s all the fuss about?
- Access management is a complex problem
  - Lots of moving parts; lots of stakeholders; high stakes
  - Viewed monolithically, it can seem utterly intractable
- Access management is difficult to sell
  - Everyone wants it, but no one wants to deal with it
- The problem space is huge
  - Every resource, every application, has a need for access management

5–8 What’s all the fuss about? (the rule is built up one clause at a time across slides 5 through 8)
- How do you solve a problem like Maria?
- Maria, who is the Dean of Medicine and wants to implement what she thinks is a simple rule…
  - …in the campus purchasing system…
  - …principal investigators should be able to…
  - …approve purchases…
  - …up to $100,000…
  - …for research projects…
  - …provided they have completed training on University purchasing processes…
  - …and have filed the appropriate conflict of interest documentation…
  - …until July 1, 2010…
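Maria’s “simple rule” already decomposes into a subject (principal investigators, identified from an authoritative source), one permission (approve purchases in the purchasing system) and a stack of constraints: an extent ($100,000), a scope (research projects), two prerequisites (training, conflict-of-interest filing) and a time limit (July 1, 2010). The following Python sketch is an added example, not material from the presentation; it evaluates the rule clause by clause so that a denial names every constraint that failed. The record shapes, the role and training labels, and the reading of “until” as exclusive are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed records standing in for what an IAM system would hold about a
# person; field names, role and training labels are assumptions for this example.
@dataclass
class Person:
    uid: str
    roles: set = field(default_factory=set)               # authoritative source (HR, grants office)
    completed_training: set = field(default_factory=set)  # training system
    coi_filed: bool = False                               # conflict-of-interest form on file

@dataclass
class PurchaseRequest:
    amount: int
    project_type: str   # "research", "teaching", ...
    requested_on: date

PI_APPROVAL_LIMIT = 100_000       # "up to $100,000"
RULE_EXPIRES = date(2010, 7, 1)   # "until July 1, 2010"; treated as exclusive here

def can_approve(approver, req):
    """Evaluate Maria's rule one clause at a time and return (allowed, reasons).
    Every clause is checked rather than short-circuited, so a denial lists each
    failed constraint; that is what an auditor or help desk needs when a
    'simple rule' surprises someone."""
    reasons = []
    if req.requested_on >= RULE_EXPIRES:
        reasons.append("time limit: rule expired on 2010-07-01")
    if "principal_investigator" not in approver.roles:
        reasons.append("subject: approver is not a principal investigator")
    if req.project_type != "research":
        reasons.append("scope: permission covers research projects only")
    if req.amount > PI_APPROVAL_LIMIT:
        reasons.append(f"extent: ${req.amount:,} exceeds ${PI_APPROVAL_LIMIT:,}")
    if "purchasing_processes" not in approver.completed_training:
        reasons.append("prerequisite: purchasing training not completed")
    if not approver.coi_filed:
        reasons.append("prerequisite: conflict-of-interest documentation not filed")
    return (not reasons, reasons)

def decide(approver, amount, project_type, year, month, day):
    """Convenience wrapper: build the request from plain values and evaluate it."""
    return can_approve(approver, PurchaseRequest(amount, project_type, date(year, month, day)))

# Constructed sample subjects.
PI_OK = Person("pi-alice", {"principal_investigator"}, {"purchasing_processes"}, True)
PI_NO_COI = Person("pi-bob", {"principal_investigator"}, {"purchasing_processes"}, False)
POSTDOC = Person("pd-carol", {"postdoc"}, {"purchasing_processes"}, True)

if __name__ == "__main__":
    print(decide(PI_OK, 42_000, "research", 2010, 3, 1))       # (True, [])
    print(decide(PI_OK, 250_000, "research", 2010, 3, 1))      # extent failure
    print(decide(PI_NO_COI, 9_000, "research", 2010, 8, 1))    # expired and no COI filing
```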

9 What’s all the fuss about?
- The large print giveth (and the small print taketh away)…
- And that’s only one of thousands of scenarios…

10 What’s all the fuss about?
- …it’s no wonder the problem can seem intractable…

11 Maybe there’s an approach… Start from use cases or user stories
- Usually short (at least to begin with)
- Describe scenarios in terms the actors understand
- Help define the problem space as well as provide fodder for analysis
- Help ensure that solutions actually address real world problems

12 Maybe there’s an approach… Evaluate, analyze, and decompose
- Try to break down use cases into common constituent parts
- Evaluate the breakdown; identify unique features…
- …and possibly some common features

13 Maybe there’s an approach… Compare, abstract, and organize
- Look for similarities across cases
- Even dramatically different situations may yield to similar treatment
- Start to categorize the similarities; taxonomize

14 Maybe there’s an approach… Identify classes of solutions; lather, rinse, repeat
- Consider the resources you might use to build solutions, and start to associate potential solutions with categories of problems, applying one or more solutions associated with the category to new problems identified in that category, refining your categories and solutions as you gain experience, or…
- …to quote Zippy the Pinhead: “If it WIGGLES, SQUISH it!”

15 Maybe there’s an approach…

16 Use Case Survey
- If you didn’t get to see them… https://spaces.internet2.edu/display/CAMPJune2009/Use+Cases+Organized+by+Area+of+Interest
- Use cases categorized by where they arise
- Good for surveying purposes…

17 Use Case Survey
Business Operations Cases Deal With…
- Money, budgets, purchases, accounts
- Human Resources and management
- Employee relationships
- Employee identities
Business Operations Cases Address…
- Organizational structure
- Delegation
- PCI compliance
- Audit

18 Use Case Survey
Academic / Research Cases Deal With…
- Learners, instructors, faculty
- Classes, registration
- Research products
- Collaborators
- Pedagogy
- Evaluation (testing, grading)
Academic / Research Cases Address…
- Faculty hierarchy
- Course hierarchy
- FERPA
- Research collaboration
- Accreditation

19 Use Case Survey
Residential Life Cases Deal With…
- Students, staff, advisors
- Housing
- Safety
- Physical access
Residential Life Cases Address…
- Multiple affiliations
- Transient privileges
- Short privilege lifecycles

20 Use Case Survey
Library Use Cases Deal With…
- Patrons, librarians
- Catalogs and collections
- Collaborators
- Professional organizations
Library Use Cases Address…
- Privacy
- Anonymity
- Blended identity
- Federations

21 Use Case Survey
Medical Center Use Cases Deal With…
- Physicians, nurses, patients
- Medical records
- Referrals and consultations
- Controlled substances
Medical Center Use Cases Address…
- Urgency and expediency
- Credentialing and qualifications
- HIPAA
- Oversight

22 Use Case Survey
- Use cases from these six areas seem disjoint
  - Different actors and objects
  - Different activities
  - Different concerns and complexities
- But of course, we wouldn’t be talking…

23 Analytic Approach: Lines of decomposition
- Subjects
  - Grantor, grantee, resource
- Functions or Permissions
  - Approve, update, authorize, add, delete, view, etc.
- Constraints
  - Time limits; extents; scope

24 Analytic Approach: Subjects
- How are they (or could they be) identified?
  - Ad hoc list?
  - Authoritative source?
  - Algorithmic?
  - Self-described?
- Are they singleton or multiple?

25 Analytic Approach: Functions or Permissions
- Are permissions…
  - Singletons?
  - Collections?
- Are permissions defined by…
  - Business role or activity?
  - Inheritance or delegation?
  - Ad hoc or Fiat? (but not GM)

26 Analytic Approach: Constraints
- Are grants to be limited…
  - in time?
  - in scope?
  - in extent?
- Are limits controlled by…
  - Fiat?
  - Business role?
  - Hierarchical position?
  - Prerequisites?

27 Categorization
We might imagine, then, using this decomposition to classify use cases based on some common features, e.g.:
- Single grantor, single grantee, single permission by fiat with no constraints (I give my car keys to my wife)
- Single grantor, multiple grantees identified by authoritative sources, multiple permissions by business role with no constraints (I allow my students into my wiki without restriction)
- Multiple grantors identified by, multiple grantees identified ad hoc, single permission with no constraints (Deans can designate visitors who have access to the faculty club pool)

28 Categorization: Business Case #4
Wellness Program Participation - A university's HR department offers a health and wellness program for university staff and faculty. The program is entirely voluntary. Participation requires a commitment by the employee to engage in a short online health awareness exercise, in return for which the university offers participants discounts on services at the university health club as well as periodic special offers from area businesses deemed by the university to be offering wellness-supporting services. A new employee in the physical plant hears about the program during an HR orientation and visits a web site to sign up. Once enrolled in the program, the employee has access to the program's web portal and receives weekly email reminders about training opportunities and special offers.
- Authority rests with the HR department (business role)
- Grantor and grantee are the same, self-identified but constrained by authoritative source (only staff and faculty)
- Depending on IAM implementation, could be algorithmic (e.g., by eduPersonAffiliation) or more ad hoc (HR provides eligible “staff” and “faculty” lists)
- Constraint: the grantee must accept the terms and conditions of the program before being enrolled.

29 Categorization: Academic Case #5
FERPA Information Restricted - Under federal regulations, certain educational records information about students may be categorized as "directory information" and may be disclosed by institutions without prior consent from students. Students reserve the right under FERPA, however, to have disclosure of their directory information blocked upon request. An undergraduate engineering student becomes concerned that a high-school acquaintance may be stalking her, and wishes to have her contact information (name, address, email address, telephone number) blocked from view. The Registrar considers those data elements to be directory information under FERPA, and discloses them by default. The student visits a FERPA portal system and marks those data elements as FERPA protected information in her records. Subsequently, applications that access student educational information and IdM data about students refuse to allow access to the student's contact information except when the requester is identified as having an academic need to see the information.
- Authority rests with the Registrar (business role)
- Grantor is self-identified but constrained by authoritative source (only students may exert FERPA rights)
- Depending on IAM implementation, could be algorithmic (e.g., by eduPersonAffiliation) or more ad hoc (Registrar may provide a list of covered students)
- Constraint: grantees must identify (in some unspecified fashion) an academic need for the information

30 Categorization: Academic Case #5 and Business Case #4 side by side
Academic Case #5
- Authority rests with the Registrar (business role)
- Grantor is self-identified but constrained by authoritative source (only students may exert FERPA rights)
- Depending on IAM implementation, could be algorithmic (e.g., by eduPersonAffiliation) or more ad hoc (Registrar may provide a list of covered students)
- Constraint: grantees must identify (in some unspecified fashion) an academic need for the information
Business Case #4
- Authority rests with the HR department (business role)
- Grantor and grantee are the same, self-identified but constrained by authoritative source (only staff and faculty)
- Depending on IAM implementation, could be algorithmic (e.g., by eduPersonAffiliation) or more ad hoc (HR provides eligible “staff” and “faculty” lists)
- Constraint: the grantee must accept the terms and conditions of the program before being enrolled.

31 Categorization: Business Case #3
Clery Notification - Richard is the institution's Vice President of Public Safety, and as such, he is authorized within an emergency notification system to approve Clery Act notifications which will be sent via multiple venues to the entire campus community. Richard schedules a two week vacation in Europe. He delegates his Clery role to the Chief of Campus Police, Trish, during his two week absence, allowing her to approve Clery notices in his stead. When a pair of armed robberies is reported outside a student dormitory one week later, Trish is able to approve a Clery notification for distribution on Richard's behalf. Upon his return from vacation, Richard revokes the delegation of his Clery role, and Trish loses her ability to approve Clery notices in the system.
- Authority rests with the single grantor, who is identified by an authoritative source and whose authority comes from his business role (VP of Public Safety)
- Single grantee is identified by organizational hierarchy (as Richard’s direct report) and by fiat (he designates her as such).
- Single permission assigned ad hoc (approve Clery notifications)
- Constraints: 2-week time limit
- Note: this is a case of delegation – Richard is conferring his privilege on Trish

32 Categorization: Academic Case #3
TA Grade Access - A university uses its LMS to handle mid-term grade reporting - faculty enter grades for assignments and mid-term quizzes and exams in the LMS, where students can review them online and track their progress until the end of the term. The LMS automatically assigns grade entry privileges to instructors (as identified by the student registration system). Professor Gamow chooses to have one of his graduate students act as TA for his EM Fields course and delegates his grade reporting privileges in the LMS to his student. The student is then able to report grades for students in the EM Fields class within the LMS. When final grades are due, Professor Gamow reports them to the Registrar based on information previously reported in the LMS.
- Authority rests with the single grantor, who is identified by an authoritative source and whose authority comes from his job function (faculty, instructor for EM Fields)
- Single grantee is identified by organizational hierarchy (as Prof. Gamow’s graduate student) and by fiat (he designates her as such).
- Single permission assigned ad hoc (in the LMS, report grades for students in the class)
- Constraints: none expressed
- Note: this is a case of delegation – Gamow is conferring his privilege on the TA

33 Categorization: Medical Case #1
Chart Access by Consulting Physician - Hospital rules interpret HIPAA privacy regulations to dictate that only those medical staff and faculty directly involved in the care of an individual patient should have access to view that patient's medical records during treatment. Faculty in the medical school may have access to depersonalized medical data for purposes of research and instruction, but may only view personally identifiable medical information if referred a patient by an attending physician. An attending physician in the ER is treating a patient with symptoms of West Nile viral infection, and needs a consultation from an Infectious Disease specialist in the Medical School. The attending instigates a consultation and referral process which grants the ID specialist temporary access to view the patient's medical records. Once the consultation is complete, the ID specialist's access is revoked automatically.
- Authority rests with the single grantor, who is identified by current job function (admitting physician for a given patient).
- Single grantee is identified by fiat (the attending specifically calls out the consultation) but limited by business role (must be medical staff or faculty)
- Single privilege assigned ad hoc (view rights to the single patient’s medical record)
- Constraints: when the consultation is completed, the privilege is revoked.
- Note: this is a case of delegation and also (possibly) a case of automated workflow (the attending designates the faculty member as a consultant, which in turn triggers the actual privilege being granted).

34 Categorization
- Five disparate use cases drawn from three different areas of the enterprise involving people in vastly different environments
- Striking similarities – two cases boil down to almost the same underlying situation (a self-identified member of an organizationally managed group exercises an opt in/out option to gain or restrict other privileges)
- Three other cases boil down to almost the same situation (a grantor with authority based on job function delegates his own privilege to a specific grantee selected from a set constrained by organizational hierarchy for a limited time).

35 Solutions
- In the first two cases, we might imagine that similar solutions might be applied, perhaps…
  - …an ad hoc list mechanism for opt-in/opt-out recording
  - …with access to update one’s preference limited by membership in an official, dynamic group
- In the second three cases, we might similarly imagine…
  - …some sort of ad hoc list mechanism to designate the grantee
  - …some representation of organizational hierarchy to constrain the designation…perhaps in the form of a group…
  - …some time-based triggering mechanism (a cron tasker, perhaps) which can be used to trigger time-based limitations…
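The three delegation cases share one shape: a grantor who holds a privilege by business role names a grantee by fiat, the choice is constrained by organizational hierarchy, and the grant is bounded in time and revocable. The Python below is an added example, not code from the presentation, that models exactly those three ingredients (an ad hoc delegation list, a hierarchy lookup, and the “cron tasker” sweep) and walks through Business Case #3; the role and reporting-line data, the identifiers and the early-revocation variation are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Delegation:
    grantor: str
    grantee: str
    permission: str
    starts: date
    ends: date                      # exclusive, fixed from the time limit at grant time
    revoked_on: "date | None" = None

class DelegationRegistry:
    """Time-limited delegation of a privilege held by business role (Business Case #3).
    role_holders: permission -> uids holding it by role (authoritative source).
    direct_reports: uid -> that person's direct reports (organizational hierarchy).
    Both are constructed here; in practice they come from HR and the org directory."""
    def __init__(self, role_holders, direct_reports):
        self.role_holders = role_holders
        self.direct_reports = direct_reports
        self.delegations = []          # the "ad hoc list" of grants

    def delegate(self, grantor, grantee, permission, starts, days):
        # Grantor must hold the privilege by role; the grantee is named by fiat but
        # constrained by hierarchy (must be one of the grantor's direct reports).
        if grantor not in self.role_holders.get(permission, set()):
            raise PermissionError(f"{grantor} does not hold {permission}")
        if grantee not in self.direct_reports.get(grantor, set()):
            raise PermissionError(f"{grantee} is not a direct report of {grantor}")
        d = Delegation(grantor, grantee, permission, starts, starts + timedelta(days=days))
        self.delegations.append(d)
        return d

    def revoke(self, delegation, on):
        delegation.revoked_on = on
    def is_authorized(self, uid, permission, on):
        if uid in self.role_holders.get(permission, set()):   # holds it by role
            return True
        return any(d.grantee == uid and d.permission == permission
                   and d.starts <= on < d.ends
                   and (d.revoked_on is None or on < d.revoked_on)
                   for d in self.delegations)

    def sweep_expired(self, today):
        # The "cron tasker": drop grants whose window has closed so a delegation
        # cannot outlive its time limit if nobody revokes it by hand.
        keep = [d for d in self.delegations
                if d.ends > today and (d.revoked_on is None or d.revoked_on > today)]
        removed = len(self.delegations) - len(keep)
        self.delegations = keep
        return removed

def clery_scenario():
    """Constructed walk-through of Business Case #3; returns the four decisions."""
    reg = DelegationRegistry({"approve_clery": {"richard"}}, {"richard": {"trish"}})
    d = reg.delegate("richard", "trish", "approve_clery", date(2009, 6, 1), days=14)
    during = reg.is_authorized("trish", "approve_clery", date(2009, 6, 8))   # robberies, week 1
    after = reg.is_authorized("trish", "approve_clery", date(2009, 6, 20))   # window closed
    reg.revoke(d, date(2009, 6, 10))   # constructed variation: Richard revokes early
    early = reg.is_authorized("trish", "approve_clery", date(2009, 6, 12))
    return during, after, early, reg.sweep_expired(date(2009, 6, 16))
```

The returned tuple reads (True, False, False, 1): Trish can approve within the window, cannot after it closes or after an explicit revocation, and the sweep removes the spent grant.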

36 Solutions
- We’ll spend time later today considering other use cases – particularly those you have from your own experience
- We’ll spend more time tomorrow and Wednesday focusing on the solutions that may be applicable to different use cases

37 Use Cases from the Edge

38 The FFEL Student Loan Industry
- About Great Lakes and FFEL
- A taste of the industry
- Typical FFEL use cases
- Overlapping borrower views
- Meteor

39 Great Lakes Higher Education
http://www.mygreatlakes.org/
- Disclaimer
- The Federal Family Educational Loan (FFEL) Program
- About Great Lakes
- Great Lakes plays many roles
  - Is a guarantor
  - Is a lender servicer (many flavors)
  - Is a guarantor servicer

40 Great Lakes operations
- Support for the borrower
- Support for the school financial aid office
- Support for the serviced lender
- Support for the serviced guaranty agency

41 A taste of the industry
- Coopetition: that cu-rayzy dance
- Close involvement with the Dept of Education

42 A taste of the industry
- Very dynamic: radical changes to the environment practically every year.

43 Typical FFEL/Great Lakes use cases
- B2B: data in motion securely to the right entities
- Kuali dictum applies in spades: http://wiki.collectionspace.org/display/collectionspace/Kuali+Authorization+Service
  - Most authorizations are scoped to a particular context. Very few entities can perform the same function in all cases
- School sees all their data
- Serviced guarantor sees all its data; Great Lakes sees none
- Lender sees all its borrowers, but only for loans it holds
- Borrower sees all her data irrespective of lender
- Great Lakes worker sees all data supporting the servicing and guaranty functions

44 Meteor: a short summary
http://www.nchelp.org/pages/page.cfm?id=22
- A non-proprietary, open source software implementation that brings together data from multiple distributed databases from across the higher education financing community.
- Provides information on FFELP loans.
- Allows schools to resolve discrepancies by using real-time data that comes directly from loan holders’ databases

45 How Meteor works
- Access Provider
- Authentication Agents
- Data Provider
- Index Provider

46 Meteor and the National Student Clearinghouse
- Meteor integrated into Clearinghouse Student Self-Service application
- Schools that have entered into an electronic services agreement with the Clearinghouse can act as Authentication Agents
- For schools that wish to provide students with Meteor access, Meteor loan detail is incorporated into LoanLocator display


50 Other edge cases?
- Campus book stores and class information
- University foundations wanting alumni information
- Other semi-independent entities, e.g., Student Unions
- State university systems

51 Back from the edge
- Discussion

