Authorization: Just when you thought middleware was no fun anymore
Keith Hazelton, Senior IT Architect, Univ. of Wisconsin-Madison; Member, Internet2 Middleware Architecture Comm. for Education (MACE)
Internet2 Fall Member Meeting, Indianapolis, Oct. 15, 2003

Presentation transcript:

Slide 1: Authorization: Just when you thought middleware was no fun anymore
Keith Hazelton, Senior IT Architect, Univ. of Wisconsin-Madison; Member, Internet2 Middleware Architecture Comm. for Education (MACE)
Internet2 Fall Member Meeting, Indianapolis, Oct. 15, 2003

Slide 2: Authorization-related services: a broad vision and selected details
- UW-Madison as a concrete reference point for thinking authorization thoughts

Slide 3: Core middleware services suite (diagram)

Slide 4: Core middleware services suite: Identity Mgmt Services (diagram)

Slide 5: Core Middleware Services: Directory / Identity Mgmt. (diagram)
- AuthZ Info Mgmt.: Internet2 Grouper, Stanford Authority (PrivGroups), UW-Msn PASE
- Fed from source systems a, b and c

Slide 6: Core middleware services suite: Identity Mgmt Services; Security Services: AuthN / AuthZ… (diagram)

Slide 7: Core Middleware Services: Authentication, Authorization, …
- AuthZ Info Access: Shibboleth (intra- and inter-institutional)
- AuthN: LDAP bind; PKI

Slide 8: PASE: A system for managing authorization information
A secure, delegated service to maintain and provide information about:
- Populations of interest to the university
- Affiliations (or roles) that a person has
- Services that members of a role get (i.e., what they are entitled to do)

Slide 9: PASE and authorization
- Typically, an authorization decision indicates whether a person or other principal is permitted to access a requested resource or invoke a requested service
- PASE is an authorization information management tool; it helps us manage key information needed for authorization processes
- PASE is the companion to our Identity Management System, the University Directory Service (UDS)

Slide 10: Current limitations
- Handling all populations
- Having clearly defined affiliation information
- Applying and documenting rules about who gets what
- Getting timely information with which to make access control decisions
- Handling special populations

Slide 11: Current limitations: handling special populations
- No system support for defining new types of affiliations
- Binary entitlement: either a person gets all services or gets none
- No delegated management:
  - for defining new groups of people
  - for granting group members access to services
- Result: difficult to add new groups

Slide 12: What is needed: an authorization information system with:
- Flexibility to handle new services and population types without reprogramming or other undue hassle
- A logical “single source” AuthZ info repository
- Secure, delegated administration
- A framework on which to implement policy

Slide 13: PASE relates the correct entities for greater flexibility and scalability (diagram)
A sponsor (source) registers a person, who has an affiliation, which is mapped to a service bundle, which consists of services, each of which is owned by a service provider.

Slide 14: PASE, peer institutions and NMI/Internet2
- Draws from pioneer efforts: Stanford’s Authority system; MIT’s Roles DB; Internet2 Grouper WG
- On the cutting edge: similar efforts at some institutions; we are one of the {b}leaders

Slide 15: The non-technical aspects of PASE
- Interests of sponsors and service providers are often not fully aligned
- Need for a business process to agree on mappings between affiliations and service bundles
- New role for sponsors as a result of their greater control: advocate for populations in negotiations with service providers

Slide 16: PASE Development: An Iterative Approach
We intend to deliver PASE services in several phases. First cut: a pilot
- To create the underlying structure end-to-end
- To provide many of the functions for managing entities and their relationships
- To manage risks (e.g., service disruption)
- To assess design choices and make adjustments with minimum impact

Slide 17: PASE Pilot – Spec Auth Retirees
- Sponsor: Office of Human Resources
- Person (Population): Retiree bio/demo data
- Affiliation: Retirees
- Affiliation Types: UW-Madison, UW Extension, UW System Administration and UW Colleges
- Service Bundle: “Bucky Bundle”
- Services: UW Madison Libraries, My UW Madison Portal, UW Madison Photo Identification, UW Madison Recreational Sports, etc.
- Service Provider: Service Representatives

Slide 18: PASE Pilot – Out of Pilot Scope
- General access to information, both to maintain the data and to use the data for authorization decisions
- Negotiation between Sponsors and Service Providers
- Batch inputs

Slide 19: What’s Next?
- Report the results of the pilot
- Capture current services’ authorization rules
- Define roles and responsibilities of the various players
- Refine the links to UDS
- Develop interfaces to service providers

Slide 20: More on PASE
http://www.doit.wisc.edu/middleware/pase/index.asp
Scott Fullerton, fullerton@doit.wisc.edu

Slide 21: Identity Mgmt Services; Security Services: AuthN / AuthZ… (diagram)
What’s off this frame? Target-side: evaluating authZ info and policies

Slide 22: What’s off this frame? Target-side: processing authZ info and policies

Slide 23: Appendix: PASE Terms
- Affiliation: A person’s relationship to the institution. A person can have zero, one or many affiliations. An affiliation is similar to a role.
- Authorization: Typically, authorization indicates what a person, properly authenticated, is permitted to do with a networked object or resource.
- Service: One or more activities represented in business terms. A service can be either totally automated (e.g., the mail system) or partially so (e.g., Rec Sports). Services of interest to this project are protected by an authorization process.

Slide 24: PASE Terms (continued)
- Service Bundle: A set of one or more services. An example of this might be the bundle of services that all current members of the community get. In PASE, access privileges are defined by mapping one or more affiliations to a service bundle.
- Service Entitlement: The specific, more granular actions within a service, e.g., “Update student data”.
- Service Provider: The organizational entity responsible for a service.
- Sponsor: The UW entity that proposes new affiliations, possibly registers new groups of people into the UDS, and possibly also defines a person’s affiliation(s).
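As an added worked example (not PASE's own code; the slides describe the entity model but no implementation), the following Python sketch models the relationships the appendix defines: a sponsor registers a person with an affiliation, affiliations are mapped to service bundles, bundles consist of services, and each service is owned by a service provider. An authorization decision is then the question "does any bundle reachable through any of this person's affiliations contain the requested service?", which is what replaces the all-or-nothing "binary entitlement" of slide 11. The affiliation and service names follow the retirees pilot slide; the second affiliation ("Visiting Scholar"), the provider names, the person identifiers, and the rule that only an affiliation's sponsoring entity may assign it (one concrete reading of "secure, delegated administration") are constructed assumptions for illustration.

```python
"""Toy model of the PASE entity relationships:
sponsor -> person -> affiliation -> service bundle -> service -> service provider.
Added illustration, not UW-Madison's PASE code; delegation rule and API are assumed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Service:
    name: str
    provider: str  # organizational entity responsible for the service (constructed values below)


@dataclass
class PaseRegistry:
    # affiliation name -> sponsor entitled to assign it (assumed delegation rule)
    affiliation_sponsor: dict[str, str] = field(default_factory=dict)
    # service bundle name -> the services it consists of
    bundles: dict[str, set[Service]] = field(default_factory=dict)
    # affiliation name -> bundle names it has been mapped to (outcome of sponsor/provider negotiation)
    mapping: dict[str, set[str]] = field(default_factory=dict)
    # person identifier -> affiliations (zero, one or many)
    affiliations: dict[str, set[str]] = field(default_factory=dict)

    def define_affiliation(self, name: str, sponsor: str) -> None:
        """A sponsor proposes a new affiliation type (no reprogramming needed)."""
        self.affiliation_sponsor[name] = sponsor

    def register_person(self, sponsor: str, person: str, affiliation: str) -> None:
        """Delegated administration: a sponsor may only assign affiliations it sponsors."""
        if self.affiliation_sponsor.get(affiliation) != sponsor:
            raise PermissionError(f"{sponsor!r} does not sponsor affiliation {affiliation!r}")
        self.affiliations.setdefault(person, set()).add(affiliation)

    def define_bundle(self, bundle: str, services: list[Service]) -> None:
        self.bundles[bundle] = set(services)

    def map_affiliation(self, affiliation: str, bundle: str) -> None:
        """Record an agreed affiliation -> service bundle mapping."""
        if affiliation not in self.affiliation_sponsor or bundle not in self.bundles:
            raise KeyError("unknown affiliation or bundle")
        self.mapping.setdefault(affiliation, set()).add(bundle)

    def services_for(self, person: str) -> set[Service]:
        """Union of every bundle reachable through any of the person's affiliations.
        A person with no affiliations (or unknown to the registry) gets an empty set."""
        result: set[Service] = set()
        for aff in self.affiliations.get(person, set()):
            for bundle in self.mapping.get(aff, set()):
                result |= self.bundles[bundle]
        return result

    def is_authorized(self, person: str, service_name: str) -> bool:
        """The authorization decision: is the requested service in the person's entitlement?"""
        return any(s.name == service_name for s in self.services_for(person))


def build_pilot_registry() -> PaseRegistry:
    """Constructed sample data modelled on the 'Spec Auth Retirees' pilot slide.
    Provider names, the 'Visiting Scholar' affiliation and person ids are made up."""
    reg = PaseRegistry()
    reg.define_affiliation("Retirees", sponsor="Office of Human Resources")
    reg.define_affiliation("Visiting Scholar", sponsor="Graduate School")
    reg.define_bundle("Bucky Bundle", [
        Service("UW Madison Libraries", "libraries-provider"),
        Service("My UW Madison Portal", "portal-provider"),
        Service("UW Madison Photo Identification", "photo-id-provider"),
        Service("UW Madison Recreational Sports", "rec-sports-provider"),
    ])
    # A narrower bundle shows that entitlement is no longer all-or-nothing.
    reg.define_bundle("Library Only", [Service("UW Madison Libraries", "libraries-provider")])
    reg.map_affiliation("Retirees", "Bucky Bundle")
    reg.map_affiliation("Visiting Scholar", "Library Only")
    reg.register_person("Office of Human Resources", "retiree-001", "Retirees")
    reg.register_person("Graduate School", "scholar-002", "Visiting Scholar")
    return reg


if __name__ == "__main__":
    registry = build_pilot_registry()
    for who, svc in [("retiree-001", "UW Madison Recreational Sports"),
                     ("scholar-002", "UW Madison Recreational Sports")]:
        print(who, svc, "->", registry.is_authorized(who, svc))
```

Two design points worth noting: the decision function never looks at a person's identity directly, only at the affiliations the sponsor has recorded, so adding a new population is a data change (a new affiliation and a mapping) rather than a code change; and because the registry refuses to let a sponsor assign an affiliation it does not own, the delegated administration that slide 11 says is missing today is enforced at the point where the authorization information is written, not left to the consuming service.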

