Presentation is loading. Please wait.

Presentation is loading. Please wait.

Self-Service Privacy Using LDAP at The University of Notre Dame CUMREC 2003 Brendan Bellina Office of Information Technologies University of Notre Dame.

Published byConrad Joseph Modified over 9 years ago

Similar presentations

Presentation on theme: "Self-Service Privacy Using LDAP at The University of Notre Dame CUMREC 2003 Brendan Bellina Office of Information Technologies University of Notre Dame."— Presentation transcript:

1 Self-Service Privacy Using LDAP at The University of Notre Dame CUMREC 2003 Brendan Bellina Office of Information Technologies University of Notre Dame du Lac Email: BBellina@nd.eduBBellina@nd.edu Copyright © Brendan Bellina, 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 May 13, 2003Copyright © 2003, University of Notre Dame du Lac2 Confidentiality in U.S. Higher Education

3 May 13, 2003Copyright © 2003, University of Notre Dame du Lac3 Family Educational Rights and Privacy Act (FERPA) Institution definition of “Directory Information” –Full name –Address –Telephone number –Day and place of birth –College, major, or level –Participation in officially recognized activities and sports –Weight and height of members of athletic teams –Dates of attendance –Full or part-time status –Degrees and awards received –Most recent previous educational agency or institution attended by the student –Other similar information such as a photograph

4 May 13, 2003Copyright © 2003, University of Notre Dame du Lac4 Family Educational Rights and Privacy Act (FERPA) Excerpt from the Notre Dame FERPA webpage: Directory information may be disclosed by this institution for any purpose, without the prior consent of a student, unless the student has forbidden its disclosure in writing. Students wishing to prevent disclosure of the designated directory information must file written notification to this effect with the Registrar's Office. In the event that such written notification is not filed, the University assumes that the student does not object to the release of the directory information.

5 May 13, 2003Copyright © 2003, University of Notre Dame du Lac5 Family Educational Rights and Privacy Act (FERPA) In the year following the implementation of the directory privacy functionality described here, a self-service privacy mechanism was implemented in the Student Information System. Limited to student campus/home address and phone, and spouse name Available only during SIS availability (7x18) Immediate effect for SIS applications; delayed effect for web-based applications relying upon directory services Restricts data passed to directory services, resulting in the inability of even authorized directory-enabled applications from accessing the information via the directory.

6 May 13, 2003Copyright © 2003, University of Notre Dame du Lac6 Initiating FERPA Protection: The Student Request FERPA protection at registration or… Submit formal request for FERPA protection to the Office of the Registrar providing name and/or NetID Wait for request to be processed.

7 May 13, 2003Copyright © 2003, University of Notre Dame du Lac7 Initiating FERPA Protection: The Office of the Registrar Update Student Information System record to indicate that the student has requested FERPA protection Contact the Office of Information Technologies to have electronic directories & services updated

8 May 13, 2003Copyright © 2003, University of Notre Dame du Lac8 Limitations Complex and slow– multiple steps and points of failure and delay Available only during office hours M-F 8-5 Cumbersome – requires student visit Dependent on availability of system administrators for multiple systems (core middleware, email, listserv) Limited granularity – phone, address, spouse name, or all

9 May 13, 2003Copyright © 2003, University of Notre Dame du Lac9 Unwanted Side Effects Disables growing list of functions reliant upon directory entry information, including email forwarding, auto-reply, WebCT, Active Directory services, the eProcurement system, Learning Management System, Online Registration, Online Voting… System Administrator reliance - Requires configuration modifications and coding for each request (email, listserv, AFS) Separates user account from systems of record, preventing automated revocation and information updates

10 May 13, 2003Copyright © 2003, University of Notre Dame du Lac10 Goals Self-service web application Multi-level opt-out Automate processes Reduce administrator involvement Eliminate need for coding and configuration changes 7x24x365 availability Immediate effect – no latency Attribute level granularity Eliminate need for office visit No restrictions on services caused by privacy

11 May 13, 2003Copyright © 2003, University of Notre Dame du Lac11 Steps Taken to Date Implementation of high availability Enterprise Directory Service Elimination of X.500 directories and Eudora cross-reference database to further reduce administrator involvement Web pages to allow user to edit entry content and update privacy options in the Enterprise Directory Service real-time, 7x24x365.

12 May 13, 2003Copyright © 2003, University of Notre Dame du Lac12 Steps Taken to Date FERPA protected individuals “mastered” in the Enterprise Directory Service Provide LDAP-enabled applications with service id’s authorized to access private entries Windows Active Directory domain policy to redirect Active Directory searches to the EDS

13 May 13, 2003Copyright © 2003, University of Notre Dame du Lac13 Screen Samples

14 May 13, 2003Copyright © 2003, University of Notre Dame du Lac14 EDS Authentication Screen

15 May 13, 2003Copyright © 2003, University of Notre Dame du Lac15 Directory Entry Display

16 May 13, 2003Copyright © 2003, University of Notre Dame du Lac16 Directory Entry Edit

17 May 13, 2003Copyright © 2003, University of Notre Dame du Lac17 Privacy Options

18 May 13, 2003Copyright © 2003, University of Notre Dame du Lac18 Display Preferences

19 May 13, 2003Copyright © 2003, University of Notre Dame du Lac19 Opt-out Options Entry level and Attribute Level –Private – The entry/attribute is visible only to the owner and to authorized applications. This is a selectable option for active student and departmental accounts. –ND-Only – The entry/attribute is visible to authenticated searches and to authorized applications. This is a selectable option for all active accounts. –FERPA Restrict – entry-level setting identical to “Private” except can only be set and reversed by formal request.

20 May 13, 2003Copyright © 2003, University of Notre Dame du Lac20 Usage Statistics FERPA protection / hidden account: 4 Self-service entry-level privacy: 46 Self-service entry-level ND-only: 33 Self-service attribute-level privacy: 250

21 May 13, 2003Copyright © 2003, University of Notre Dame du Lac21 How It Works

22 May 13, 2003Copyright © 2003, University of Notre Dame du Lac22 Directory Attributes: dn Directory dn (distinguished name) is comprised of: –ndGuid – a uniquely defined string of characters randomly assigned in format ndaa#aa# (ndPVid) prefixed with “nd.edu” –X.500 Directory base (avoids conflict with our Active Directory domain)

23 May 13, 2003Copyright © 2003, University of Notre Dame du Lac23 Directory Attributes: dn Intentionally avoided basing on name, NetID, department, or affiliation in order to: –(1) reduce chance of dn changes when changes occur –(2) allow anonymity without requiring entire entry to be restricted. Needed an unchanging, non-reissuable, meaningless id independent of vendor and transaction system influence.

24 May 13, 2003Copyright © 2003, University of Notre Dame du Lac24 Directory Attributes: ndEntryStatus Multi-valued attribute used to control access to the entry from applications. Allowable values: –active –restrictEDS – indicates entry restricted to only owner and authorized applications –restrictndonly – indicates entry restricted to authenticated searches only –restrictFERPA – indicates privacy cannot be altered by self-service; always coupled with restrictEDS

25 May 13, 2003Copyright © 2003, University of Notre Dame du Lac25 Directory Attributes: ndVisibilityControl Multi-valued attribute used to record access level for specific attributes Allowable values: Attribute name, + –private – indicates attribute restricted to only owner and authorized applications –ndonly – indicates attribute restricted to authenticated searches only

26 May 13, 2003Copyright © 2003, University of Notre Dame du Lac26 Directory Attributes: ndDisplayPreferences Multi-valued attribute used to record user preferences for the directory entry display screen Allowable values: –maskpriorsurname – indicates that common name values based on prior surname should not be displayed –maskuid – indicates that uid (NetID) should not be displayed

27 May 13, 2003Copyright © 2003, University of Notre Dame du Lac27 Directory Attributes: aci Entry level aci’s used to control access to entry attributes as specified in ndVisibilityControl OU level aci’s used to prevent unauthorized access to restricted attributes such as ndUniversityid, ndPermid, ndRolesAssigned

28 May 13, 2003Copyright © 2003, University of Notre Dame du Lac28 Directory Attribute Access Types Always restricted –exp. ndUniversityid, ndPermid, ndRolesAssigned, internal attributes Never restricted –exp. dn, uid Restrictions based on user preference

29 May 13, 2003Copyright © 2003, University of Notre Dame du Lac29 Directory Attribute Access Groups Groups are used to allow applications to have access to entries and attributes. Use of groups reduces directory maintenance/administrative time Groups are not visible anonymously Group dn’s are also based on ndPVid’s

30 May 13, 2003Copyright © 2003, University of Notre Dame du Lac30 Steps Remaining Elimination of public access to ph/CSO Provide web-application to Registrar to control FERPA setting Increase edit capability for FERPA entries Automate data correction for FERPA entries Implement a tie between the EDS opt-out and FERPA settings and Registrar notification

31 Links ND Enterprise Directory Service, http://www.nd.edu/~eds ND EDS Documentation, http://www.nd.edu/~eds/docs ND EDS Schema Documentation, http://www.nd.edu/~eds/docs/current_schema/EDS_ModelDoc.htm ND EDS Search, http://www.nd.edu/~eds/search eduPerson object class, http://www.educause.edu/eduperson/ Internet2 Middleware, http://middleware.internet2.edu/

32 Contact Information Brendan Bellina Office of Information Technologies University of Notre Dame du Lac Email: BBellina@nd.eduBBellina@nd.edu Website: http://www.nd.edu/~bbellina Directory Entry: http://www3.nd.edu/~eds/cgi-bin/nd_ldap_search.pl?ldapfilter=uid=bbellina vCard: http://www3.nd.edu/~eds/cgi-bin/ldapvcard.pl?uid=bbellina

Download ppt "Self-Service Privacy Using LDAP at The University of Notre Dame CUMREC 2003 Brendan Bellina Office of Information Technologies University of Notre Dame."

Similar presentations

Family Educational Rights and Privacy Act What you should know about FERPA.

Family Educational Rights and Privacy Act What you should know about FERPA.
FERPA - Sharing Student Information

FERPA - Sharing Student Information
Protect Our Students Protect Ourselves

Protect Our Students Protect Ourselves
FERPA: Family Educational Rights and Privacy Act

FERPA: Family Educational Rights and Privacy Act
The Family Educational Rights and Privacy Act

The Family Educational Rights and Privacy Act
Family Education Rights & Privacy Act of 1974 FERPA, You, & UC.

Family Education Rights & Privacy Act of 1974 FERPA, You, & UC.
Maureen Cronin Associate Registrar for DARS University of Nevada, Reno.

Maureen Cronin Associate Registrar for DARS University of Nevada, Reno.
FERPA for Students What Every MSU Student Should Know Prepared by the Office of the Registrar.

FERPA for Students What Every MSU Student Should Know Prepared by the Office of the Registrar.
F amily E ducational R ights and P rivacy A ct University of Nebraska at Kearney.

F amily E ducational R ights and P rivacy A ct University of Nebraska at Kearney.
LDAP-Enabled Privacy at The University of Notre Dame EduCAUSE conference, October 2002 Brendan Bellina Office of Information Technologies University of.

LDAP-Enabled Privacy at The University of Notre Dame EduCAUSE conference, October 2002 Brendan Bellina Office of Information Technologies University of.
1 Office of the General Counsel FERPA  Family Educational Rights and Privacy Act (20 U.S.C § 1232g)

1 Office of the General Counsel FERPA  Family Educational Rights and Privacy Act (20 U.S.C § 1232g)
FERPA: WHAT YOU SHOULD KNOW ILASFAA April 18, 2008 Amy Perrin Director of Financial Aid Elgin Community College.

FERPA: WHAT YOU SHOULD KNOW ILASFAA April 18, 2008 Amy Perrin Director of Financial Aid Elgin Community College.
Family Educational Rights and Privacy Act What you need to know...

Family Educational Rights and Privacy Act What you need to know...
FERPA: Family Educational Rights and Privacy Act.

FERPA: Family Educational Rights and Privacy Act.
FERPA Skidmore College Family Education Rights & Privacy Act What is FERPA? It is the Family Educational Rights and Privacy Act of 1974. Is also referred.

FERPA Skidmore College Family Education Rights & Privacy Act What is FERPA? It is the Family Educational Rights and Privacy Act of Is also referred.
What is FERPA? Family Educational Rights and Privacy Act.

What is FERPA? Family Educational Rights and Privacy Act.
Directory-Enabling Applications: Techniques from the Trenches Brendan Bellina Senior Systems Engineer University of Notre Dame This presentation is available.

Directory-Enabling Applications: Techniques from the Trenches Brendan Bellina Senior Systems Engineer University of Notre Dame This presentation is available.
2/16/2010 The Family Educational Records and Privacy Act.

2/16/2010 The Family Educational Records and Privacy Act.
FERPA Family Educational Rights and Privacy Act or Buckley Amendment.

FERPA Family Educational Rights and Privacy Act or Buckley Amendment.
FERPA Overview for CANR Business Managers Rob Kent, MSU Assistant General Counsel October 7, 2014.

FERPA Overview for CANR Business Managers Rob Kent, MSU Assistant General Counsel October 7, 2014.

Similar presentations

Ads by Google