Presentation is loading. Please wait.

Presentation is loading. Please wait.

Advanced CAMP Emerging from the mists: Requirements for supporting VOs voReqs-050701-01.ppt Keith Hazelton

Published byShana O’Brien’ Modified over 8 years ago

Similar presentations

Presentation on theme: "Advanced CAMP Emerging from the mists: Requirements for supporting VOs voReqs-050701-01.ppt Keith Hazelton"— Presentation transcript:

1 Advanced CAMP Emerging from the mists: Requirements for supporting VOs http://arch.doit.wisc.edu/keith/camp/ voReqs-050701-01.ppt Keith Hazelton (hazelton@doit.wisc.edu) Sr. IT Architect, University of Wisconsin-Madison Internet2 MACE Advanced CAMP, Denver, July 1, 2005

2 Advanced CAMP 2 Federated Identity & Access Management (FIAM) FIAM: Self-predicting term in Latin: “I will be made” –root meaning: to make: –passive voice, –indicative mood, –future tense God bless the VO known as WIKIpedia

3 Advanced CAMP 3 VO challenges I heard at CAMP VO support utilities must be as easy to use as –managing a local collaboration team –sharing applications on a single host …or else? Or else the latter is exactly how it will be done

4 Advanced CAMP 4 VO challenges I heard at CAMP For both ScienceGateway & Vivarium: IdPs and SPs in a given VO will need mechanisms by which they –come to agreements on –manage –and use information. What information?

5 Advanced CAMP 5 VO challenges I heard at CAMP Well, MINIMALLY, information re: what user affiliations/groups there are (IdP) what resource/host-level privileges members of those affiliations should have (SP) what (SAML) attribute & values will express those affiliations/groups (IdP/SP agreement)

6 Advanced CAMP 6 Managing Roles & Privileges: The Internet2 way Grouper Signet Role-Based Access Control (RBAC) model Users are placed into groups Privileges are assigned to groups Groups can be arranged into hierarchies to effectively bestow privileges Signet manages privileges Grouper manages, well, groups

7 Advanced CAMP 7 MAXIMAL case: Model from Signet Business View Categories Functions Subsystems Clinical Trial Protocol A Patient Records Materials Control Manage Grant Lab Access Administration Student Admin Course Support Add/Drop students Schedule Classes Process Applicants Award Scholarships Manage Accounts Financial Aid Limits Which term From Fund… Read/Write Hours For school… For fund… Which campus Qty/day $ constraints organizing actions

8 Advanced CAMP 8 VO challenges I heard at CAMP MAXIMALLY, information re: what subsystems there are what functions in what organizing categories there are what affiliations/groups have those categories/functions on those subsystems what resource/host-level privileges are required to perform those functions

9 Advanced CAMP 9 VO challenges I heard at CAMP And information re: what attributes will express those groups and privileges which party will maintain the registries and delivery services for which bits of this information Signet suggested these categories of information

10 Advanced CAMP 10 Bold Conclusion (for debate) IdP site should manage users, groups/affiliations SP site should manage system-level permissions and what groups/affiliations get which ones That’s it! (for MINIMAL entry-level case)

11 Advanced CAMP 11 Bold Conclusion MAXIMAL case (for debate) IdP site should manage users, groups/affiliations SP site should manage system-level permissions Both must agree on subsystems and categories of functions down to syntax and semantics of attributes/expressions IdP should maintain map from user/group to function SP should maintain map from function to permissions

12 Advanced CAMP 12 VO challenges I heard at CAMP MUST have: Delegable IAM admin services with absolutely no dependencies on the specific institutional home base of the users the administrator(s) the service(s)

13 Advanced CAMP 13 VO challenges I heard at CAMP Users make requests that service providers approve or deny. The decision will sometimes depend on amalgamated bits of identity info…. …for which a variety of IdPs are the authoritative source. Whose job is it to overcome identity fragmentation at the federation level?

14 Advanced CAMP 14 Q & A

Download ppt "Advanced CAMP Emerging from the mists: Requirements for supporting VOs voReqs-050701-01.ppt Keith Hazelton"

Similar presentations

GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.

EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.
NSF Middleware Initiative: Managing Identity on Campus Michael R Gettes, Duke University Tom Barton, University of Chicago.

NSF Middleware Initiative: Managing Identity on Campus Michael R Gettes, Duke University Tom Barton, University of Chicago.
The VOMS Attribute Authority and its relation with Shibboleth Presenter: Vincenzo Ciaschini 8 th TF-EMC2 Meeting Firenze, March 2007.

The VOMS Attribute Authority and its relation with Shibboleth Presenter: Vincenzo Ciaschini 8 th TF-EMC2 Meeting Firenze, March 2007.
1 Collaborators at the Gates of Troy: Extending eServices at USC.

1 Collaborators at the Gates of Troy: Extending eServices at USC.
Privilege Management with Signet: Steps to an Application Keith Hazelton University of Wisconsin-Madison Internet2 MACE Broomfield, Colorado 1-July-04.

Privilege Management with Signet: Steps to an Application Keith Hazelton University of Wisconsin-Madison Internet2 MACE Broomfield, Colorado 1-July-04.
EuroCAMP: Porto An Introduction to Identity and Access Management Borrowed from Keith Hazelton Sr. IT Architect, University of.

EuroCAMP: Porto An Introduction to Identity and Access Management Borrowed from Keith Hazelton Sr. IT Architect, University of.
New Challenges for Access Control April 27, 2005 1 Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.

New Challenges for Access Control April 27, Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.
Managing Authorization with Signet and Grouper Tom Barton, University of Chicago Lynn McRae, Stanford University Tom Barton, University of Chicago Lynn.

Managing Authorization with Signet and Grouper Tom Barton, University of Chicago Lynn McRae, Stanford University Tom Barton, University of Chicago Lynn.
How Do You Establish Student Identity Remotely: A Survey Keith Hazelton, University of Wisconsin-Madison Ann West, Internet2/InCommon Federation 2010 Fall.

How Do You Establish Student Identity Remotely: A Survey Keith Hazelton, University of Wisconsin-Madison Ann West, Internet2/InCommon Federation 2010 Fall.
Internet2 and other US WMD Update. Topics Update on non-merger, Newnet (and the control plane), InCommon and other feds “Product” update – Shib, Grouper,

Internet2 and other US WMD Update. Topics Update on non-merger, Newnet (and the control plane), InCommon and other feds “Product” update – Shib, Grouper,
A Middleware Unified Field Theory Identity Management / Directories Privileges / Groups Single Sign-On / Federation Enterprise Integration from network.

A Middleware Unified Field Theory Identity Management / Directories Privileges / Groups Single Sign-On / Federation Enterprise Integration from network.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Internet2 MACE Identity and Access Management (IAM) Projects integ-tb-kh-02.ppt Keith Hazelton, U Wisconsin With help.

Internet2 MACE Identity and Access Management (IAM) Projects integ-tb-kh-02.ppt Keith Hazelton, U Wisconsin With help.
Handling Groups and Permissions: Grouper and Signet and uPortal Lynn McRae, Stanford University Keith Hazelton, University of Wisconsin With thanks to.

Handling Groups and Permissions: Grouper and Signet and uPortal Lynn McRae, Stanford University Keith Hazelton, University of Wisconsin With thanks to.
Copyright B. Wilkinson, 2008. This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
Welcome to CAMP Identity Management Integration Workshop Ann West NMI-EDIT EDUCAUSE/Internet2.

Welcome to CAMP Identity Management Integration Workshop Ann West NMI-EDIT EDUCAUSE/Internet2.
A Model for Enterprise Group and Affiliation Management RL “Bob” Morgan University of Washington CAMP, June 2005.

A Model for Enterprise Group and Affiliation Management RL “Bob” Morgan University of Washington CAMP, June 2005.
Signet and Grouper for Distributed Attribute Administration

Signet and Grouper for Distributed Attribute Administration
Managing Roles & Privileges with Grouper and Signet Middleware Tom Barton, University of Chicago Lynn McRae, Stanford University Tom Barton, University.

Managing Roles & Privileges with Grouper and Signet Middleware Tom Barton, University of Chicago Lynn McRae, Stanford University Tom Barton, University.

Similar presentations

Ads by Google