Privilege Management with Signet: Steps to an Application. Keith Hazelton, University of Wisconsin-Madison, Internet2 MACE. Broomfield, Colorado, 1-July-04.


1 Privilege Management with Signet: Steps to an Application. Keith Hazelton, University of Wisconsin-Madison, Internet2 MACE. Broomfield, Colorado, 1-July-04

2 UW-Madison ASAP (Access to Systems Authorization Process)
Chose this project because it has manageable scope for discussion purposes.
Uses pre-Version 1.0 Signet deliverables from Phases 1-3. See the draft Signet Toolkit Roadmap: http://middleware.internet2.edu/signet/docs/internet2-mace-signet-roadmap-00.html

3 ASAP (Access to Systems Authorization Process) Vision
The current system for granting access to our enterprise systems (3270 transactions, ISIS, etc.) is a laborious paper routing system. It relies on one person (Karen L.) to route paper authorization forms to all data custodians, and on every data custodian "signing off" on every request. ASAP would replace the paper routing system with a web-based workflow engine.

4 ASAP (Access to Systems Authorization Process)
See the draft Privilege Management Recipe at http://middleware.internet2.edu/signet/
“PM separates the management of privileges from the interpretation or application of them.”
“It does this through a central, shared repository of privilege information where privileges can be managed independent of any specific system or technology that needs it.”

5-10 ASAP workflow (diagram built up over six slides; participants: Grantor, Custodian, Employee, Biz Func)

11 ASAP
A workflow process for granting access to applications appropriate to an employee’s business functions.
Workflow steps (happy path):
– Grantor assigns a business function to the employee, but the function has entitlements that require approval by a data custodian (a prerequisite)
– Entitlements the employee needs to perform the business function are approved by the data custodian
– Employee is granted appropriate access in all relevant systems

12 Business Function
Per the Privilege Management Recipe:
– “Somewhere between a job which has many responsibilities, and a system permission to perform an operation such as updating a table in a database.”
Example Business Functions in ASAP:
– Departmental HR administration
– Course Timetable administration
– Financial Aid administration

13 Entitlement
Per the Privilege Management Recipe:
– “The atomic units of authority control, representing specific operations...”
Example Entitlements in ASAP for Departmental HR Administration:
– Hiring
– Reclass
– Maintain leave information

14 Implementing ASAP
Analysis task one: Define the suite of business functions and their entitlements
– Make the implicit explicit: Departmental HR people do Staff Management. Oh, and Leave and Benefits admin.
– Make the specific more general: Department-level and College-level HR staff business functions really differ only in scope of authority
– Specify the entitlements needed to perform each business function
– Specify limits and prerequisites on entitlements

15 Implementing ASAP: A Wrinkle
Analysis task two: How to handle the two-step process of grant from above and approval by the custodian
One Signet-based approach: grant to custodians all the access entitlements within the scope of their area of custodianship
Now custodians can grant subsets of their privileges to employees
Employees get all they need from the union of privileges from the original grantor and the custodian

16 Implementing ASAP
Development task one: Design and deploy a registry for the organizational hierarchy
– For us, this would be based on the widely used UDDS codes (Unit, Division, Department and SubDepartment)
Development task two: Deploy Signet and wire it to infrastructure, including the person and organizational registries

17 Implementing ASAP with Signet: Bootstrap Phase
Implementation task one: A business analyst enters the defined business functions and assigns the initial bootstrap grantor
Task two: The bootstrap grantor delegates privileges to other grantors, including custodians (grant-only flavor when appropriate vs. grant and/or exercise)

18 Approaching ASAP via Signet
Design so that the grantor uses Signet to grant business functions to employees (but with the prerequisite of custodial approval)
That would be designed to add items to the Signet assignment document(!) such as “Give Joanne the entitlements she needs to perform the job function of departmental HR administrator in the Molecular Biology Department”

19 Approaching ASAP via Signet
The ASAP development team designs a component that regularly scans the Signet assignment document for entitlements that need data custodian approval, formats approval requests and puts them in the workflow queue.
The data custodian grants the needed privileges.
After approval, the prerequisite is updated in Signet (via API!)

20 Approaching ASAP via Signet
The employee’s privilege document now shows their new entitlements with prerequisites met
Through provisioning, these entitlements flow to the applications and systems in question
The employee has access to all the screens and data views they need
Karen L. can go back to her friends in the woodlands
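The two-step grant on slides 15 and 18-20 (grantor assigns a business function, the custodian approves the entitlements that carry a prerequisite, only prerequisite-met assignments reach the privilege document) as an added worked model; this is illustration code, not Signet's own data model or API, and the entitlement list, custodian mapping and function names are constructed from the slides.

```python
"""Model of ASAP's grant-then-approve flow. Constructed illustration: the
document layout and function names are assumptions, not Signet's own API."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data, taken from slides 12-13: one business function, its
# entitlements, and which entitlements need a data custodian's approval.
BUSINESS_FUNCTIONS = {
    "Departmental HR administration": {"Hiring", "Reclass", "Maintain leave information"},
}
CUSTODIAN_OF = {"Hiring": "hr_custodian", "Reclass": "hr_custodian"}

@dataclass
class Assignment:
    """One line in the (hypothetical) assignment document."""
    grantee: str
    entitlement: str
    scope: str          # organizational unit, e.g. a department
    grantor: str
    approved_by: Optional[str] = None   # set when the custodian approves

    @property
    def prerequisite_met(self) -> bool:
        # Entitlements with no custodian carry no approval prerequisite.
        return self.entitlement not in CUSTODIAN_OF or self.approved_by is not None

def grant_function(doc, grantee, function, scope, grantor):
    """Grantor step: expand a business function into per-entitlement assignments."""
    for ent in sorted(BUSINESS_FUNCTIONS[function]):
        doc.append(Assignment(grantee, ent, scope, grantor))

def pending_approvals(doc):
    """The scanning component: (custodian, assignment) work items for the queue."""
    return [(CUSTODIAN_OF[a.entitlement], a) for a in doc if not a.prerequisite_met]

def approve(doc, custodian, grantee, scope):
    """Custodian step: approve only entitlements in this custodian's own area.
    Returns the number of assignments whose prerequisite was just satisfied."""
    hits = [a for a in doc if a.grantee == grantee and a.scope == scope
            and CUSTODIAN_OF.get(a.entitlement) == custodian and a.approved_by is None]
    for a in hits:
        a.approved_by = custodian
    return len(hits)

def privilege_document(doc, grantee):
    """What provisioning sees: effective (entitlement, scope) pairs with prerequisites met."""
    return {(a.entitlement, a.scope) for a in doc if a.grantee == grantee and a.prerequisite_met}
```

Until the custodian approves, only the unrestricted entitlement is provisioned; an approval attempt by a custodian outside the entitlement's area changes nothing.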

21 Enhancing ASAP via Signet
Auto-provisioning of application-level access controls based on the privilege document
Move to an event bus approach to route “privilege management events” to subscribing apps, approaching near-real-time PM …

22 Q & A

