Signet Privilege Management
NMI-EDIT
2004 Internet2 Fall Members Meeting, Austin, September 29, 2004
Lynn McRae, Stanford University, lmcrae@stanford.edu

Copyright Lynn McRae, 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
1/3/2019
What is Signet?
- A Privilege Management System & toolkit
  - Tools to define privileges
  - UI to assign privileges to people
  - Components for integrating with other systems
- NSF funded Internet2/MACE project
  - Part of the AuthZ core middleware initiative
- Based on the Stanford Authority Management system
Central Privilege Management System
- An independent source of privilege data
  - Simplifies policy management and tracking
  - Consistent application of rules
- NOT an authorization service...
  - Integrates with local system security
  - Integrates with authorization mechanisms
  - A source of data for an authorization service
- What is an authorization service?
Signet home page
Subsystems
- Define domains of ownership and responsibility
- Reflect real-world boundaries
- Can be large or small
- One built-in subsystem manages the other subsystems
Categories
- Group privileges into topics
- Organize data for the UI and reports
- Some control features, e.g., choose one vs choose many
Functions
- Basic unit of privilege assignment
- Can encapsulate one or more permissions
Smaller subsystems
- Just a few functions
- Categories not required
Signet home page
Signet privilege details
Signet - Person View
Signet - Granting
Signet - Granting - Privileges
Signet - Granting - Scope
Scope
- Places privileges in a hierarchy
- Distributed delegation control: "you can only give what you have"
- Independent of the personnel hierarchy
- Each subsystem can have a different scope, or no scope
Signet - Granting - Limits
- Qualifiers/constraints for a privilege
- Limit types:
  - Numeric, ranges
  - Single/multiple choice
  - Input values, edited against a domain of values
  - Extensible
- Knows "less" or "fewer" for delegation
Signet - Granting - Conditions
- Prerequisites (auto-activation)
- Conditions (auto-revocation), extensible
- Having vs delegating authority
Demo - Signet - Granting
Other features
- Assigning privileges to groups
  - Groups may represent roles
  - But role management per se is a future concern
  - Synergy with the Grouper project
- Designated drivers
  - Privilege-granting proxy
  - Acting proxy
- Notification
Feature summary (each phrase labelled with the Signet concept it maps to)
  By authority of the Dean                grantor
  principal investigators                 role (group)
  who have completed training             prerequisite
  can approve purchases                   function
  in the School of Medicine               scope
  for research projects up to $100,000    limits
  until January 1, 2006                   condition
Privileges building blocks
- System view: Permissions
- Business view: Subsystems, Categories, Functions, Scope, Limits, Prerequisites, Conditions
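The Scope, Limits and Conditions slides above describe a delegation rule ("you can only give what you have", "less or fewer" limits, prerequisite auto-activation, condition auto-revocation) without showing how a checker would apply it. The following is an added example in Python, not Signet's own code or data model: the scope tree, the "approve purchases" function, the Dean's and principal investigators' assignments, the limit names `amount` and `purpose`, and the `can_grant`, `limit_narrower` and `scope_within` helpers are all constructed here to walk the feature-summary slide through a delegation check.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional, Tuple, Union

# Constructed scope tree (child -> parent). As on the Scope slide, this
# hierarchy is independent of the personnel hierarchy.
SCOPE_PARENT: Dict[str, Optional[str]] = {
    "University": None,
    "School of Medicine": "University",
    "Dept of Surgery": "School of Medicine",
    "School of Law": "University",
}

# A limit is either a numeric ceiling or a set of allowed choices.
Limit = Union[int, float, frozenset]


def scope_within(scope: str, ancestor: str) -> bool:
    """True when `scope` is `ancestor` or sits beneath it in the scope tree."""
    node: Optional[str] = scope
    while node is not None:
        if node == ancestor:
            return True
        node = SCOPE_PARENT.get(node)
    return False


def limit_narrower(proposed: Limit, held: Limit) -> bool:
    """'Less or fewer': a numeric limit may only be lowered, a choice limit may
    only lose choices, and a limit of one kind cannot be swapped for the other."""
    if isinstance(proposed, frozenset) and isinstance(held, frozenset):
        return proposed <= held            # fewer choices
    if isinstance(proposed, (int, float)) and isinstance(held, (int, float)):
        return proposed <= held            # a lower ceiling
    return False


@dataclass
class Assignment:
    grantee: str                      # a person or a group standing in for a role
    function: str                     # e.g. "approve purchases"
    scope: str                        # a node in the scope tree
    limits: Dict[str, Limit] = field(default_factory=dict)
    can_delegate: bool = False        # "having vs delegating authority"
    prerequisites_met: bool = True    # prerequisite -> auto-activation
    expires: Optional[date] = None    # condition -> auto-revocation

    def active(self, today: date) -> bool:
        return self.prerequisites_met and (self.expires is None or today < self.expires)


def can_grant(grantor: Assignment, proposed: Assignment, today: date) -> Tuple[bool, str]:
    """'You can only give what you have': the grantor's own assignment must be
    active and delegable, cover the proposed scope, and be at least as wide
    in every limit and in its lifetime."""
    if not grantor.active(today):
        return False, "grantor's assignment is not active"
    if not grantor.can_delegate:
        return False, "grantor holds the function but may not delegate it"
    if grantor.function != proposed.function:
        return False, "grantor does not hold that function"
    if not scope_within(proposed.scope, grantor.scope):
        return False, "proposed scope lies outside the grantor's scope"
    for name, held in grantor.limits.items():   # every limit the grantor carries must be restated
        if name not in proposed.limits:
            return False, f"limit {name!r} must be stated"
        if not limit_narrower(proposed.limits[name], held):
            return False, f"limit {name!r} is wider than the grantor's"
    if grantor.expires is not None and (proposed.expires is None or proposed.expires > grantor.expires):
        return False, "proposed assignment would outlive the grantor's"
    return True, "ok"


def feature_summary_example() -> Dict[str, bool]:
    """The feature-summary slide as constructed data: the Dean delegates
    'approve purchases' to principal investigators under several variations."""
    today = date(2005, 6, 1)
    dean = Assignment("Dean", "approve purchases", "School of Medicine",
                      limits={"amount": 250_000, "purpose": frozenset({"research", "teaching"})},
                      can_delegate=True, expires=date(2007, 1, 1))
    base = dict(grantee="principal investigators", function="approve purchases",
                scope="School of Medicine", expires=date(2006, 1, 1))
    ok_limits = {"amount": 100_000, "purpose": frozenset({"research"})}
    cases = {
        "within limits": Assignment(**base, limits=ok_limits),
        "sub-scope": Assignment(**{**base, "scope": "Dept of Surgery"}, limits=ok_limits),
        "too much money": Assignment(**base, limits={"amount": 300_000, "purpose": frozenset({"research"})}),
        "extra purpose": Assignment(**base, limits={"amount": 100_000, "purpose": frozenset({"research", "hiring"})}),
        "wrong scope": Assignment(**{**base, "scope": "School of Law"}, limits=ok_limits),
    }
    results = {name: can_grant(dean, a, today)[0] for name, a in cases.items()}
    # Prerequisite: the grant is valid now but only activates once training is complete,
    # and the January 1, 2006 condition revokes it afterwards.
    pending = Assignment(**base, limits=ok_limits, prerequisites_met=False)
    results["pending is grantable"] = can_grant(dean, pending, today)[0]
    results["pending is active"] = pending.active(today)
    pending.prerequisites_met = True
    results["active after training"] = pending.active(today)
    results["revoked after Jan 2006"] = pending.active(date(2006, 1, 2))
    return results


if __name__ == "__main__":
    for name, outcome in feature_summary_example().items():
        print(f"{name:>24}: {outcome}")
```

The check iterates over the grantor's limits rather than the proposal's so that a proposal cannot escape a constraint by leaving it out, and the lifetime check treats an open-ended proposal as wider than any dated one the grantor holds.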
Function/Permissions
Permissions integration - provisioning
Permissions integration - infrastructure
Signet components (yellow = institution provided)
Auditing
- Logging
- History
- Subsystem and Assignment snapshots
- Reconciling Signet privileges with consumer privileges
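The last bullet, reconciling Signet privileges against what a consuming system actually holds, is the control that catches both unprovisioned grants and stale or locally added ones. The following is an added example in Python, not Signet's own reconciliation code: the function-to-permission mapping, the assignment snapshot, the consumer's permission table and the `reconcile` and `audit_lines` helpers are all constructed here to show the comparison.

```python
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed mapping from Signet functions (the business view) to the
# permissions (the system view) each function encapsulates.
FUNCTION_PERMISSIONS: Dict[str, Set[str]] = {
    "approve purchases": {"po:approve", "po:view"},
    "view purchases": {"po:view"},
}

# Constructed assignment snapshot: (subject, function, expiry condition or None).
SignetRow = Tuple[str, str, Optional[date]]
SNAPSHOT: List[SignetRow] = [
    ("alice", "approve purchases", date(2006, 1, 1)),
    ("bob", "view purchases", None),
    ("carol", "approve purchases", date(2004, 12, 31)),   # condition has already fired
]

# Constructed permission table as read back from the consuming system.
Grant = Tuple[str, str]
CONSUMER: Set[Grant] = {
    ("alice", "po:approve"), ("alice", "po:view"),
    ("carol", "po:approve"),     # stale: revoked in Signet, still present downstream
    ("dave", "po:view"),         # granted locally, unknown to Signet
}


def expected_permissions(snapshot: List[SignetRow], today: date) -> Set[Grant]:
    """Expand every active assignment into the (subject, permission) pairs
    the consumer should hold; assignments whose condition has fired are skipped."""
    expected: Set[Grant] = set()
    for subject, function, expires in snapshot:
        if expires is not None and today >= expires:
            continue                                    # auto-revoked by its condition
        for permission in FUNCTION_PERMISSIONS[function]:
            expected.add((subject, permission))
    return expected


def reconcile(snapshot: List[SignetRow], consumer: Set[Grant], today: date) -> Dict[str, List[Grant]]:
    """Split the difference between Signet and the consumer into the pairs to
    provision (justified by Signet, missing downstream) and the pairs to revoke
    (present downstream, not justified by any active assignment)."""
    expected = expected_permissions(snapshot, today)
    return {
        "provision": sorted(expected - consumer),
        "revoke": sorted(consumer - expected),
    }


def audit_lines(report: Dict[str, List[Grant]], today: date) -> List[str]:
    """Render the reconciliation result as log lines for the audit history."""
    lines = []
    for action in ("provision", "revoke"):
        for subject, permission in report[action]:
            lines.append(f"{today.isoformat()} {action.upper()} subject={subject} permission={permission}")
    return lines


if __name__ == "__main__":
    run_date = date(2005, 6, 1)
    for line in audit_lines(reconcile(SNAPSHOT, CONSUMER, run_date), run_date):
        print(line)
```

Running the reconciliation on the constructed data flags bob's missing `po:view` for provisioning and marks carol's expired approval and dave's locally granted view for revocation; alice, whose assignment is still within its condition, produces no drift.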
Project Status/Overview
- Core objects:
  - Subsystem metadata - schema/API
  - Scope tree - schema/API
  - Subject - schema/API
  - Assignment - schema/API
- 1st alpha release, basic UI: November 1, 2004
Project Status/Overview
- Second-tier features:
  - Limits and Proxy
  - Integration connectors
  - Lifecycle Conditions and Prerequisites
  - Group assignments
  - Metadata management UI
Early Adopters
- Queens College, Ontario
- University of California, Davis
- University of Southern California
For more information...
- The project web site: http://middleware.internet2.edu/signet/
- Email list: signet@internet2.edu