Presentation is loading. Please wait.

Presentation is loading. Please wait.

Where the sidewalk used to end, privilege management Chris Hyzer University of Pennsylvania.

Published byNeal Taylor Modified over 9 years ago

Similar presentations

Presentation on theme: "Where the sidewalk used to end, privilege management Chris Hyzer University of Pennsylvania."— Presentation transcript:

1 Where the sidewalk used to end, privilege management Chris Hyzer University of Pennsylvania

2 Agenda Introduction to privileges VPD use case and demo with Grouper

3 Anonymous user accesses on-line directory application User goes to application, looks up public data Browser Application

4 Institution users can see private data Use authentication If you are authenticated, you are an institution user, right? Browser Application Authentication

5 Yet another story about… Yet another story about how authentication does not equal authorization…

6 Is anyone who can authenticate an institution user? Prospective students? Parents of students? Ex-employees? Alumni Anyone in the federation? … probably not…

7 Institution users can see private data Use course-grained authorization (SAML assertion, LDAP lookup, Group lookup, etc) Browser Application Authentication isInstitutionUser Authentication

8 Course-grained authorization still has (implicit) privileges The privilege objects do not exist in a system Code in the application implicitly converts the course attributes into privileges to allow the user to do stuff

9 Fine-grained local privileges The online directory contains privilege objects These privileges objects are mapped to the “institution user role” or to the individual logged-in user Browser Application isInstitutionUser Show main page Authentication Local application DB Can user run institution user queries? Can user edit own data? Can user change data for other users?

10 Fine-grained centralized privileges The privilege management system has privilege objects These privileges objects are mapped to the “directory application institution user role” or to the individual user Note: application might not need to know if institution user Centralized privilege assignments could be cached locally Browser Application Show main page Authentication Can user run institution user queries? Can user edit own data? Can user change data for other users? Centralized Privilege Management System

11 Fine-grained centralized privileges cached locally Centralized permissions cached locally Can improve performance E.g. for row level security Browser Application Show main page Authentication Can user run institution user queries? Can user edit own data? Can user change data for other users? Centralized Privilege Management System Local application DB

12 Fine-grained centralized privileges Standard protocol (FIFER?) between application and Centralized Privilege Management System Browser Application Show main page Authentication Can user run institution user queries? Can user edit own data? Can user change data for other users? Centralized Privilege Management System Fifer

13 Why use centralized permissions? Can see what resources a user has access to Better deprovisioning Enterprise point in time Applications can share permissions (e.g. several payroll applications) Cross application separation of duties Admins need fewer Uis/systems Fewer UIs to build Advanced features: rules, limits, allow/disallow, etc … especially if it is easy for application developers to use or packages to integrate with

14 Policies Rules that specify parts of access management decisions E.g. Employees with at least one active job can access the Paid-time-off application

15 Grouper-loader approach Browser Application Show main page Authentication Grouper Data warehouse Load a group “activeEmployees” based on SQL query Paid time-off user role - “activeEmployees” group is assigned to the role - “canLogin”, “canCreatePtoRequest”, “canViewOwnBalances” is assigned to the role Can user run institution user queries? Can user edit own data? Can user change data for other users?

16 Grouper loader “policy” approach Need the information available in SQL/LDAP Currently cron’ed, could use real-time (wouldn’t be hard but you need an SQL/LDAP change log notification) Can take advantage of Grouper features: Does user have access to resource? Which resources does a user have access to? Which users have access to resource? Point in time: Who had access to the resource last week? Which resources did the user have access to over the last month? Permission limits

17 Questions?

Download ppt "Where the sidewalk used to end, privilege management Chris Hyzer University of Pennsylvania."

Similar presentations

Grouper Training End Users Lite UI – External Users

Grouper Training End Users Lite UI – External Users
CSC 101 Fall 2012 Felicia Furino December 13, 2012.

CSC 101 Fall 2012 Felicia Furino December 13, 2012.
GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.

GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.
Grouper Training - Admin Loader - Part 1 Chris Hyzer Internet2 University of Pennsylvania This work licensed under a Creative Commons Attribution-NonCommercial.

Grouper Training - Admin Loader - Part 1 Chris Hyzer Internet2 University of Pennsylvania This work licensed under a Creative Commons Attribution-NonCommercial.
Grouper Training End Users Lite UI – Permissions – Part 2 Chris Hyzer Internet2 University of Pennsylvania This work licensed under a Creative Commons.

Grouper Training End Users Lite UI – Permissions – Part 2 Chris Hyzer Internet2 University of Pennsylvania This work licensed under a Creative Commons.
New Challenges for Access Control April 27, 2005 1 Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.

New Challenges for Access Control April 27, Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.
Security+ Guide to Network Security Fundamentals, Fourth Edition

Security+ Guide to Network Security Fundamentals, Fourth Edition
Chapter 4 Access Control Manage Principals operations in system.

Chapter 4 Access Control Manage Principals operations in system.
Identity Management, what does it solve By Gautham Mudra.

Identity Management, what does it solve By Gautham Mudra.
ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.

ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.
Grouper Training Developers and Architects How to Design Permissions Shilen Patel Duke University This work licensed under a Creative Commons Attribution-NonCommercial.

Grouper Training Developers and Architects How to Design Permissions Shilen Patel Duke University This work licensed under a Creative Commons Attribution-NonCommercial.
ORACLE DATABASE SECURITY

ORACLE DATABASE SECURITY
Enterprise Reporting with Reporting Services SQL Server 2005 Donald Farmer Group Program Manager Microsoft Corporation.

Enterprise Reporting with Reporting Services SQL Server 2005 Donald Farmer Group Program Manager Microsoft Corporation.
Apereo Grouper Seminar Part 2 – Penn and Grouper Chris Hyzer University of Pennsylvania and Internet2.

Apereo Grouper Seminar Part 2 – Penn and Grouper Chris Hyzer University of Pennsylvania and Internet2.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Introduction to Grouper Part 1: Access Management & Grouper Tom Barton University of Chicago and Internet2 Manager – Grouper Project.

Introduction to Grouper Part 1: Access Management & Grouper Tom Barton University of Chicago and Internet2 Manager – Grouper Project.
Forms Authentication, Users, Roles, Membership Svetlin Nakov Telerik Corporation www.telerik.com.

Forms Authentication, Users, Roles, Membership Svetlin Nakov Telerik Corporation
IAM Online - Grouper Permissions Chris Hyzer University of Pennsylvania / Internet2 September 14, 2011 9/14/20151.

IAM Online - Grouper Permissions Chris Hyzer University of Pennsylvania / Internet2 September 14, /14/20151.
© 2007 by Prentice Hall12-1 Introduction to Oracle 10g Chapter 12 Maintaining Database Security James Perry and Gerald Post.

© 2007 by Prentice Hall12-1 Introduction to Oracle 10g Chapter 12 Maintaining Database Security James Perry and Gerald Post.
About Chris Welch Synergy – Global Reach. Local Service. - Cell - 808 255 9431 Online - USA | South.

About Chris Welch Synergy – Global Reach. Local Service. - Cell Online - USA | South.

Similar presentations

Ads by Google