Provisioning of Services Authentication Requirements David Henry Office of Information Technology University of Maryland

Provisioning of Accounts For what services are "shell accounts" used? For what services are other provisioning methods used and what are they? –Most provisioning is via “shell accounts” –Some services are pre-provisioned Time and Attendance system for timesheet, automatically provisioned, based on presence in HRS Student registration system and personal information management, based on presence in SIS –Some services are provisioned upon initial use Umail - presence in the directory means user can “activate” the account automatically upon first use, which establishes home directory, password file entry, etc. New system will require activation via web page prior to first use

Provisioning (cont.) How are enterprise accounts created/deleted? –Everyone gets an employeenumber Never changes Includes student applicants, visiting/adjunct faculty, volunteers, other affiliates Used as part of the DN in our directory Initially tied to SSN, but allows for SSN changes Eight digits plus check digit –Everyone gets a Directory ID/ Unique ID Alphanumeric up to 8 characters Is assigned initially first initial, first 7 characters of last name (e.g. dhenry); digits used to make unique (e.g. jjohnso2) Vanity Ids are supported User may request a change up to once a year. When retired, ID won’t be reassigned for 12 months Some specific Ids are reserved forever

Provisioning (cont.) –Entries are added Faculty/Staff: Upon entry in HR system, includes future appointments Students: Upon “acceptance with letter sent” Others: May be sponsored by any of a number of approved offices. –Entries are deleted Faculty/Staff: 210 days after separation (an attribute is established to indicate a termination date for those apps that care) Students: After start of second semester of non-registration, treating summer as a semester. Others: Renewed annually by sponsor

Provisioning (cont.) How are other services provisioning mechanisms managed? –Lots of ways –Lots of admins How do you advise apps developers on which identifiers to use? –Use the employeenumber as internal ID (if possible) –Use the Directory ID for user auth’n –Don’t use empno or SSN

Provisioning (cont.) How are the identifiers for an individual's multiple accounts managed? –Currently, they’re not. –In some cases, ID’s depend on the directory ID or another system. –Passwords? Don’t ask.

Provisioning (cont.) System to manage IDs in cooperative –Admins Centrally register their system/service Indicate characteristics of eligibility (LDAP filter?) Specify mechanism for notifications (new account request, userid change, account delete, etc.) –User Goes to a central web page to see the systems and services they may request Activate systems/services –System Notify registered systems/services of change events – , URL (with Auth’n), Script

Authentication Practices What levels of services require what initial types of identity proofing? –UNIX shell accounts require in-person proofing w/student ID card –Privileged accounts require f2f –Access to certain information requires signed statement re: appropriate use What mechanisms are used for authentication? –Native authentication mechanism –Kerberos –LDAP compare

Authn (cont.) What is the hope for intercampus standards? –There needs to be some hope. –Shady Grove Campus Combination of system institutions All Faculty, Staff, and Students are from one of the other campuses. Courses from any campus apply. So far everything is handled by exception.

That’s IT David Henry OIT University of Maryland