Leveraging Campus Directories: Lightweight Authorization and Group Management Keith Hazelton University of Wisconsin-Madison.

Slide 1: Leveraging Campus Directories: Lightweight Authorization and Group Management
http://arch.doit.wisc.edu/keith/educause
Keith Hazelton, University of Wisconsin-Madison
Internet2 Middleware Architecture Committee for Education
Educause, October 2004

Slide 2 (2004-10-20, Educause, Denver): Outline
Identity Management (IdM) defined
Life story of enterprise Identity Management:
–The starting point: Enterprise directories
–Authorization, the early years: Individuals, services, groups (NMI Project Grouper)
–Authorization and privilege management: The infrastructure matures (NMI Project Signet)
Exploring the early authorization phase, “lightweight authorization”
Copyright Keith Hazelton, 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Slide 3: Identity Management (IdM) defined
What is Identity Management (IdM)?
“Identity management is the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities.” The Burton Group (a research firm specializing in IT infrastructure for the enterprise)
What problems does Identity Management solve?

Slide 4: Identity Management is…
“Hi! I’m Lisa.” (Identity)
“…and here’s my password to prove it.” (Authentication)
“I want to open the Portal to check my email.” (Authorization: allowing Lisa to use the services for which she’s authorized)
“And I want to change my grade in last semester’s Physics course.” (Authorization: preventing her from doing things she’s not supposed to do)

Slide 5: Identity Management is also…
New hire, Assistant Professor Alice
–The department wants to give her an email account before her appointment begins so they can get her off to a running start
How does she get into our system and get set up with the accounts and services appropriate to faculty?

Slide 6: What questions are common to these scenarios?
Are the people using these services who they claim to be?
Are they a member of our campus community?
Have they been given permission?
Is their privacy being protected?

Slide 7: As for Lisa
Sez who?
–What Lisa’s username and password are?
–What she should be able to do?
–What she should be prevented from doing?
–Scaling to the other 40,000 just like her on campus

Slide 8: As for Professor Alice
What accounts and services should faculty members be given?
At what point in the hiring process should these be activated?
Methods need to scale to 20,000 faculty and staff
There is an Identity Management aspect to each and every one of these items

Slide 9: Identity Management, the Big, Scary Picture

Slide 10: IdM Starting Point: The Enterprise Directory

Slide 11: Enterprise Directory Services
The Join: Establishing identity across systems
Issuing digital identity credentials
Supporting authentication, Web Initial Sign-on (Web-ISO)
Maintaining per-person information and identity attributes
Making this available to application developers and integrators

Slide 12: Authorization, the early years
IdM value is realized only when access to services & information is enabled
Authorization support is the keystone
Crude beginnings: If you can log in, you get it all
The call to serve non-traditional audiences breaks this model:
–Applicants
–Collaborative program students

Slide 13: Authorization, the early years
First refinement on “Log in, get it all”: Add service flags to the enterprise directory as additional identity information
–Lisa: Eligible for email
–Fred: Eligible for student health services
–Sam: Enrolled in Molecular Biology 432
The horrendous scaling problem

Slide 14: Authorization, the early years
Bringing in groups to deal with the scaling problem

Slide 15: Thanks to: jbarkley@nist.gov


Slide 19: Groups to the rescue
Create a group, musketeers
Say what services members of the group are eligible for
Make selected individuals members of the group

Slide 20: Authorization and privilege management: The infrastructure matures (Signet)
The emergence of Privilege Management; a privilege broken into its parts:
–By authority of the Dean (grantor)
–principal investigators (role, i.e. group)
–who have completed training (prerequisite)
–can approve purchases (function)
–in the School of Medicine (scope)
–for research projects up to $100,000 (limits)
–until January 1, 2006 (condition)

Slide 21: Back to the future: Lightweight Authorization and Groups
NMI project Grouper: A toolkit for lightweight (group-based) authorization
Led by Tom Barton, U Chicago
International collaborative project
–UI being developed at Bristol in the UK

Slide 22: Grouper topics
The problem with groups
Case study: U Chicago’s “USITE” computer labs
Tour of Grouper
USITE case study revisited
Grouper project status

Slide 23: Groups facilitate …
Customization: application UI tailored to the user’s affiliations with the organization
Authorization
–“Lightweight”: relationship info feeding access decisions
–“Heavyweight”: assignment of structured privileges to groups
Messaging, scheduling, & collaboration
–Departments, courses, programs, committees, teams, …

Slide 24: Group management issues
Coordinating many sources of information
Provisioning groups in many locations
Supporting several styles of access to group membership information
Aging of groups and of memberships
Use of subgroups vs. effective membership
Referring to set-theoretic combinations of groups (compound groups)
Privacy & visibility requirements

Slide 25: The USITE access problem
Must control access to computers in labs independent of the ability to authenticate
U Chicago’s Networking Services & Information Technologies (NSIT) established the Identity Management Working Group to solve this type of problem
–You’ll see “nsit” and “usite” in the names of things to follow

Slide 26: USITE access policy
Students
–23 categories of current students
–Some entitle USITE access, some disenfranchise, others fail to entitle
–Time-of-year dependency for some categories
Current faculty & staff are entitled
Other more loosely affiliated people are not entitled
Exceptional administrative admits and denies across all categories above

Slide 27: Use of group management
Various elemental USITE-related categories of people are modeled as groups
Subgroups are used to roll up effective admit or deny status
Some groups are automatically managed, others manually
Some roll-up groups are manually managed to deal with time dependency or change in access policy

Slide 28: Groups model for USITE access (diagram; the ACL is “shaded green but not red”)
Groups in the diagram: usite_eligible (manual), admin_admit (manual), uc:faculty (auto), uc:staff (auto), categories of entitled students, time-dependent student categories, categories of barred students, admin_deny (manual), usite_barred (manual)

Slide 29: Management-related groups
Management privileges for manually managed groups also need to be managed!
So, more groups list who has what authority in managing the groups that mediate USITE access
–Director of Learning Environments
–Lab Managers
–Student staff

Slide 30: LDAP data flow & Grouper’s role in USITE access (diagram)
Components in the diagram: SIS and HR (source systems), Loaders, Person registry, Group registry, Grouper API, Grouper UI, Director of Learning Environments, Lab Managers, Student staff, a lab, and an LDAP entry carrying uid: jdoe, ucAffiliation: …, isMemberOf: …

Slide 31: Grouper groups
Stored in an RDBMS, the Group Registry
Attributes of groups
–Name
–Description
–Members
Possible to extend the set of attributes to support groups with more specific purposes

Slide 32: Grouper privileges
Access privileges: who has what access (read, write) to a group’s attributes
Naming privileges: who can create a group or subdirectory in what part of the directory of groups

Slide 33: Access privileges
VIEW: the group’s name in lists, and can refer to it, e.g., make it a subgroup of another group
READ: basic information about a group
UPDATE: membership, and administer VIEW, READ, & UPDATE privileges
ADMIN: can modify everything, including group name, description, & privileges, and can delete the group
OPTIN: can add self to the members list
OPTOUT: can remove self from the members list

Slide 34: Naming privileges
STEM privilege in a given directory enables creation of subdirectories and administration of CREATE and STEM privileges for the directory and its immediate subdirectories
–Motivating idea: a directory is a naming “stem” over which authority is exercised and delegated by those with stem privilege
CREATE: a group in a given directory

Slide 35: Built-in privilege implementation
All access & naming privileges can be assigned to individual members or to groups
–Subgroups, compound groups, and aging can be used to manage privileges
Abstracted interfaces are presented for privilege management
–Sites can hook in their own privilege management and bypass Grouper’s built-in system

Slide 36: USITE revisited: Grouper’s role
Make an “nsit:usite” directory in the group registry
Groups created within it
–dir_learning_env, lab_managers, student_staff
–usite_eligible, usite_barred
–admin_admit, admin_deny
Give stem privilege for “nsit:usite” to the Director of Learning Environments
–She can run her groups empire within
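A toy model of the naming privileges from slides 34, 36 and 39, added here as an example (not Grouper's own code). It assumes a constructed bootstrap administrator "root", the director "dle", a lab manager "lab1", and that privileges are held by individuals rather than groups:

```python
# Added example, not Grouper's own code: a toy model of the naming privileges in
# slides 34, 36 and 39. The stem "nsit:usite" and the "personal" root are from the
# slides; "root", "dle" and "lab1" are constructed, privileges held by people only.
class NamingRegistry:
    def __init__(self, personal_root="personal", personal_on=True):
        self.stems = {""}                      # "" is the root of the directory tree
        self.groups = set()
        self.privs = {("root", "STEM", "")}    # constructed bootstrap administrator
        self.personal_root, self.personal_on = personal_root, personal_on

    @staticmethod
    def parent(name):                          # "nsit:usite:labs" -> "nsit:usite"
        return name.rsplit(":", 1)[0] if ":" in name else ""

    def has(self, subject, priv, stem):
        return (subject, priv, stem) in self.privs

    def create_stem(self, actor, name):
        """STEM on the parent directory allows creating a subdirectory."""
        if not self.has(actor, "STEM", self.parent(name)):
            return False
        self.stems.add(name)
        return True

    def create_group(self, actor, name):
        """CREATE on the directory, or any name under personal:<actor>: when enabled."""
        stem = self.parent(name)
        personal = self.personal_on and stem == f"{self.personal_root}:{actor}"
        if not (personal or (stem in self.stems and self.has(actor, "CREATE", stem))):
            return False
        self.groups.add(name)
        return True

    def grant(self, actor, subject, priv, stem):
        """STEM lets its holder administer CREATE and STEM for that directory and
        its immediate subdirectories, but not for deeper ones."""
        if priv not in ("CREATE", "STEM") or stem not in self.stems:
            return False
        if not (self.has(actor, "STEM", stem) or self.has(actor, "STEM", self.parent(stem))):
            return False
        self.privs.add((subject, priv, stem))
        return True

def build_nsit_usite():
    """Delegate "nsit:usite" to the Director of Learning Environments (slide 36)."""
    r = NamingRegistry()
    ok = r.create_stem("root", "nsit") and r.grant("root", "root", "STEM", "nsit")
    ok = ok and r.create_stem("root", "nsit:usite")
    ok = ok and r.grant("root", "dle", "STEM", "nsit:usite")  # she runs her empire within
    ok = ok and r.create_stem("dle", "nsit:usite:labs")
    ok = ok and r.grant("dle", "lab1", "CREATE", "nsit:usite:labs")
    assert ok
    return r
```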

Slide 37: USITE group access privileges (diagram; A = ADMIN, U = UPDATE, V = VIEW, R = READ)
usite_eligible: A:dir_learning_env; V,R:all
admin_admit: U:usite_manage; V,R:usite_view
uc:faculty: V,R:all
uc:staff: V,R:all
categories of entitled students; time-dependent student categories; categories of barred students
admin_deny: U:usite_manage; V,R:usite_view
usite_barred: A:dir_learning_env; V,R:all
V:all
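The subgroup roll-up of slide 28 and the group-held privileges of slides 33, 35 and 37, added here as an example (not Grouper's own code). The people, the two student-category groups and the membership of usite_manage are constructed assumptions; the "A", "U", "V,R" grants mirror the diagram:

```python
# Added example, not Grouper's own code: a toy group registry modelling the USITE
# roll-up (slide 28) and the slide-37 privilege grants. Group and privilege names
# come from the slides; the people and the membership of usite_manage are constructed.
from collections import defaultdict

class GroupRegistry:
    def __init__(self):
        self.members = defaultdict(set)   # group -> members (people or subgroups)
        self.privs = defaultdict(set)     # (group, privilege) -> grantees

    def effective_members(self, group, _seen=None):
        """Flatten subgroups so that a member of a subgroup is an effective member."""
        seen, people = (set() if _seen is None else _seen), set()
        for m in self.members.get(group, ()):
            if m not in self.members:          # a person, not a subgroup
                people.add(m)
            elif m not in seen:                # subgroup: recurse, guarding cycles
                seen.add(m)
                people |= self.effective_members(m, seen)
        return people

    def has_priv(self, subject, group, priv):
        """A grantee is 'all', a person, or a group (resolved through the roll-up);
        ADMIN is read as covering every other privilege (slide 33)."""
        for p in (priv, "ADMIN"):
            for g in self.privs.get((group, p), ()):
                if g in ("all", subject) or subject in self.effective_members(g):
                    return True
        return False

    def usite_access(self, subject):
        """The ACL is 'shaded green but not red': eligible minus barred."""
        return (subject in self.effective_members("usite_eligible")
                and subject not in self.effective_members("usite_barred"))

def build_usite_registry():
    """Groups from slides 28, 36 and 37; the people are constructed sample data."""
    r = GroupRegistry()
    for name, members in {
        "uc:faculty": ["alice"], "uc:staff": ["bob"], "entitled_students": ["carol"],
        "barred_students": ["erin"], "admin_admit": ["dave"], "admin_deny": ["bob"],
        "dir_learning_env": ["dle"], "lab_managers": ["lab1"],
        "usite_manage": ["lab_managers"],   # assumed: lab managers administer admits
        "usite_eligible": ["admin_admit", "uc:faculty", "uc:staff", "entitled_students"],
        "usite_barred": ["admin_deny", "barred_students"]}.items():
        r.members[name].update(members)
    r.privs[("usite_eligible", "ADMIN")].add("dir_learning_env")   # A:dir_learning_env
    r.privs[("usite_eligible", "VIEW")].add("all")                 # V,R:all
    r.privs[("usite_eligible", "READ")].add("all")
    r.privs[("admin_admit", "UPDATE")].add("usite_manage")         # U:usite_manage
    return r
```

Note that bob is staff (green) but also in admin_deny (red), so the roll-up denies him while keeping him an effective member of usite_eligible.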

Slide 38: USITE group management privileges

Slide 39: Oh, and Personal groups
Any user can create groups named personal:username:groupname
Good or evil?
–Yeah! Low overhead to let everyone do groups
–Booo! Valuable institutional data squirreled away in unknowable spaces that go away
Configuration:
–on/off
–Root directory for the personal namespace (“personal” above)

Slide 40: Grouper v1 features
API & UI for basic group management
–Create, read, update, delete, import, export
–Distributed management
–Subgroups & compound groups
–Aging of groups and memberships
Abstracted interfaces for
–Group and directory privileges
–Subject lookup
–Last activity

Slide 41: Phases of Grouper v1 development
Phase 1: Basic management and export functions
Phase 2: Compound groups & Signet integration
Phase 3: Aging of groups and memberships
Phase 1 API available before the end of November 2004

Slide 42: Grouper deliverables
U Chicago: Java API
U Bristol: Java UI
You: contributed loaders & connectors
Subject Lookup implementation
–jointly with the Signet project
Group Registry creation scripts & sample batch import/export scripts
Documentation

Slide 43: Resources
http://middleware.internet2.edu/dir/groups
http://middleware.internet2.edu/signet
hazelton@doit.wisc.edu

Slide 44: Grouper in Context

Slide 45: Process diagram
