Privilege Management: the Big Picture

Privilege Management: the Big Picture
2004 Advanced CAMP Authority Architectures Workshop (NMI-EDIT), Boulder, June 30, 2004
Lynn McRae, Stanford University, lmcrae@stanford.edu
Copyright Lynn McRae, 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

The Path to Privilege Management
A taxonomy of methods for managing security, in increasing order of centralization:
Local accounts: individuals mapped to a permissions list
Local accounts mapped to local groups, mapped to a permissions list
Integration with external information: affiliations, status, etc.
Integration with institutional groups/roles
Centralized privilege management

PM -- Local accounts
Individuals mapped to a permissions list
No policy control or tracking
Historically weak life-cycle controls
Does not support cross-system privileges
Speaker notes: the "magic elf" is the person you email to open a new account or update privileges, and to whom help tickets are routed to fix access. They work through product admin panels or edit ACLs directly: a human element that is prone to error. This supports an exception-driven process in which you lose track of WHY a person has a permission: was it because of a role or a special request, how long should it last, and so on.

PM -- Local accounts & groups
Local privileges grouped into categories of access
If done well, can reflect roles or policy
But policy is interpreted separately in each of many systems
Still not cross-system

PM -- External data
Opportunity to automate the life cycle
The "user" record is for session/preferences, not for access control
A start at role-based authorization
Rules for mapping relationships to permissions are still implemented separately in each system

PM -- Institutional groups & roles
Mapping people to groups is implemented once
Consistency from common group definitions
Improved role-based authorization
Applications still have a local mapping from groups to privileges

PM -- Central management
A single implementation maps person to privileges, or person to group to privileges
Independent of specific systems and technologies
Allows privileges to be shared across systems
Central rules can be complex or simple, but are done once; central privilege management can operate against individuals or against groups

Role- vs privilege-based AuthZ
Both approaches are viable and complementary.
Roles (cf. eduPersonIsMemberOf):
  Inter-realm; the specific privileges vary in different contexts, e.g. an instructor can submit grades at one site but is read-only at another
  Express eligibility (can have) rather than authorization (can do), e.g. faculty, staff and students get free email from a specific provider
Privileges (cf. eduPersonEntitlement):
  Permissions should be the same across service providers
  Service providers do not need to know the rules or reasons behind the authorization, e.g. building access regardless of why: has an office in the building, is taking a class in the building, or was authorized by the building manager
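The distinction above is easiest to see from the relying party's side. The following Python is an added example written for this page, not code from the talk, from Signet or from any campus deployment. It uses the attribute names the slide points at (isMemberOf for groups/roles, eduPersonEntitlement for privileges); the group names, the entitlement URI, the site names and the per-site policies are all constructed for the illustration.

```python
"""Role-based vs privilege-based authorization, seen from a relying party.

Added illustration (not Signet or campus code). Group names, the
entitlement URI, site names and policies are constructed for the example.
"""
from typing import Dict, List, Set

# Constructed attribute assertions an identity provider might release.
INSTRUCTOR: Dict[str, List[str]] = {
    "isMemberOf": ["faculty", "instructor"],
    "eduPersonEntitlement": ["urn:example:campus:entitlement:building-access:science-hall"],
}
STUDENT: Dict[str, List[str]] = {
    "isMemberOf": ["student"],
    "eduPersonEntitlement": ["urn:example:campus:entitlement:building-access:science-hall"],
}

# Role-based: EVERY service provider keeps its own mapping from role to
# permission, so one role yields different rights at different sites and
# each site must understand the campus's roles.
SITE_ROLE_POLICY: Dict[str, Dict[str, Set[str]]] = {
    "gradebook.main": {"instructor": {"submit_grades", "view_grades"}},
    "gradebook.branch": {"instructor": {"view_grades"}},
}

# Role-based eligibility ("can have"): the role makes an offer available;
# the person still has to act on it, so this is not an authorization.
ELIGIBILITY: Dict[str, Set[str]] = {
    "free-email": {"faculty", "staff", "student"},
}

# Privilege-based: one entitlement value means the same thing at every
# service provider, which needs no knowledge of WHY the person holds it.
ENTITLEMENT_PERMISSION: Dict[str, str] = {
    "urn:example:campus:entitlement:building-access:science-hall": "enter:science-hall",
}


def permissions_from_roles(site: str, attrs: Dict[str, List[str]]) -> Set[str]:
    """Interpret roles with the SITE's own local policy."""
    policy = SITE_ROLE_POLICY.get(site, {})
    perms: Set[str] = set()
    for role in attrs.get("isMemberOf", []):
        perms |= policy.get(role, set())
    return perms


def permissions_from_entitlements(attrs: Dict[str, List[str]]) -> Set[str]:
    """Honour entitlement values directly: exact match, no local interpretation."""
    return {
        ENTITLEMENT_PERMISSION[e]
        for e in attrs.get("eduPersonEntitlement", [])
        if e in ENTITLEMENT_PERMISSION
    }


def is_authorized(site: str, attrs: Dict[str, List[str]], action: str) -> bool:
    """The two mechanisms are complementary, so a site can union them."""
    return action in (permissions_from_roles(site, attrs)
                      | permissions_from_entitlements(attrs))


def is_eligible(attrs: Dict[str, List[str]], offer: str) -> bool:
    """Eligibility via role: 'can have', not 'can do'."""
    return bool(set(attrs.get("isMemberOf", [])) & ELIGIBILITY.get(offer, set()))
```

Note what each site has to know: the gradebook sites each carry a role-to-permission table that must track campus role definitions, while the building-access check is the same one-line lookup everywhere and never learns whether the holder is an occupant, a student, or a manager's exception.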

Central privilege management
A system-independent source for defining and administering privilege data
A central repository simplifies policy management and tracking
Consistent application of rules across systems
Allows different levels of institutional commitment
NOT an authorization service, but a source of data for an authorization service:
  Integrates with local system security
  Integrates with authorization mechanisms
  (What is an authorization service?)

What is Signet?
A privilege management system and toolkit:
  Software to define an organization's privileges
  Software to manage privilege information
  A web user interface for distributed assigning and viewing of privilege information
  Components/APIs for integrating with other systems
An NSF-funded Internet2/MACE project, part of the AuthZ core middleware initiative

Demo: Stanford Authority Manager (screenshot slides, not reproduced in this transcript): the home page, a user's view of their privileges, the granting workflow across several screens, and the user view after the grant.

Privilege building blocks
Business view: subsystems, categories, functions
System view: entitlements (shared); scope and limits; prerequisites and conditions

Subsystems
The highest unit of organization; defines domains of ownership and responsibility
One built-in subsystem manages the other authority subsystems
Reflect real-world organizational boundaries and areas of responsibility
Can be large or small

Categories
Group privileges into topics within a subsystem
Organize data logically for the UI and reports
Some control features, e.g. choose-one vs choose-many

Functions / tasks / entitlements
(Screenshot slide; the example entitlement string shown is financial_SQLGL:DelphiEnt_EN_GL_Inquiry.)

Scope
Places privileges in a hierarchical context
Distributed delegation via a chain of authority: "you can only give what you have"
Independent of the personnel hierarchy

Limits
One or more qualifiers for a privilege
Choice types: numeric values and ranges; single or multiple choice; user-input values, validated against a domain of values; scoped limits, i.e. things "owned" by items in a hierarchy
Knows what "less" or "fewer" means, so delegation can be constrained to no more than the delegator holds

Entitlement integration (diagram slide; no transcript)

Assignment features
Prerequisites (auto-activation)
Conditions (auto-revocation)
Having vs delegating authority

Assignment features (continued)
Assigning privileges to groups: groups may represent roles, but role management per se is a future concern
XML output: the union of privileges, comprising
  privileges you have as an individual
  privileges you have via proxy
  privileges you have via group membership

Other features
Designated drivers: authority-granting proxy and acting proxy
Notification
Audit history

Assignment example
By authority of the Dean (grantor), as soon as you are a principal investigator (role/group) and have completed training (prerequisite), you can approve purchases (function) in the School of Medicine (scope) for your research project, up to $100,000 (limits), until January 1, 2006 (condition).

For more information...
The project web site: http://middleware.internet2.edu/signet/
Email list: signet@internet2.edu
Magic elves drawing from http://intranet.hackney-lea.org.uk/highwire/srb intranet/fairy tales/fairytales/fairytales menu.html