Implementing a Role Management System. Mairéad Martin and Carrie Regenstein, Internet2 Fall Meeting, September 20, 2005.

2 Presentation Overview
Drivers for role management at UW-Madison
But what's it going to take?
The Populations, Affiliations & Service Entitlements (PASE) project
– Architecture & design
– Infrastructure
– Functionalities
– Governance
– Status & next steps
Relationship to Internet2 Signet/Grouper

3 Driver #1: Identity Management
"Cradle to endowment": applicants, parents, students, staff, faculty, alumni, retirees, donors, visitors, guests, etc.
Managed case by case in the Special Authorization system

4 Driver #2: Access to Services
Need to provide select services to the extended institutional community, but:
"All or nothing" service entitlement based on credentials: holding a campus credential grants every service, so authentication is doing the work that authorization should do
– Not clear who gets what services
– Services with varied risk and load tolerance

5 Driver #3: Enterprise portal
"One-stop shopping" concept: registration, enrollment, earning statements, library services, calendar, etc.
Affiliation and service lifecycle issues: a person's relationship to the institution changes over time, and the services they can reach must change with it

6 Driver #4: Challenge or Opportunity?
Seeking a strategic approach to an enterprise-wide problem
Organizational, cultural, and technical issues:
– Who decides priorities?
– Who decides policies?
– "Who ya gonna trust?"

7 What's it going to take?
New institutional territory
Clarify leadership and decision-making roles
Strategic rather than "band-aid" approach

8 CIO Office: Challenge & Opportunity #1
Undergraduate applicants can access their financial aid and admission status in the enterprise portal. They do not get any other services until they enroll and their affiliation changes from Applicant to Student.

9 CIO Office: Challenge & Opportunity #2
The Biology 105 affiliation aggregates all students taking Biology 105 course sections. This affiliation has access to the course management system, portal, calendar, and library e-reserves.

10 #3, #4, #5 ...
A visiting professor needs access to the network and the course management system.
UW Hospital employees need access to the Parking application.
UW Connections students get almost the same services as UW-Madison students.
...

11 What's it going to take?
Define, represent, and manage the lifecycle of affiliations
Support ad hoc as well as institutional affiliations
Support delegated administration
Separate the authentication (AuthN) and authorization (AuthZ) processes
Determine who gets what
Offer services selectively

12 What's it going to take?
Engage stakeholders, work collaboratively
Establish appropriate governance

13 Populations, Affiliations & Service Entitlements (PASE)
Initiated in 2002
Pilot with "Retirees" affiliation in 2003
Phase 1 implementation: "PA" (Populations, Affiliations) in 2004/05
Phase 2 implementation: "SE" (Service Entitlements) and interfaces in 2005/06

14 Reflecting the business process
A sponsor (source) registers a person, who has an affiliation, which is mapped to a service bundle, which consists of services, each of which is owned by a service provider.

15 Reflecting the business process: Undergrad Applicants
The Office of Admissions (sponsor) registers a person, who has the affiliation "Undergrad Applicant", which is mapped to the "Portal Access" service bundle, which consists of services owned by the Division of Information Technology (service provider).

16 PASE Infrastructure
Had to re-engineer our University Directory Service (UDS) person registry

18 UDS v3
Separated identity and role management functions
Standardized source feeds
Put affiliation definition back in the source systems
Abstracted business logic from code

19 Source Systems
Source systems feeding UDS v3 (the UW-Madison University Directory Service v3): ISIS (students, instructors, advisors, applicants), Union, Parking Services, Rec Sports, Libraries.

20 PASE System
Oracle tables; PL/SQL functions
Interfaces
– Java for user interfaces
– Web services
Shibboleth

21 PASE Functions
Create, delete, enable, disable, assign person to, add attribute to, remove attribute from:
– Affiliation
– Service

22 PASE Affiliation & Service Management
Entitlement: map services to affiliations
Query functions
– Is eligible?
– Is member of affiliation?
– List affiliations/services by members or owners
– Get service/affiliation
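The entitlement chain of slides 14 and 15 (sponsor registers person, person has affiliation, affiliation maps to a service bundle, bundle consists of services owned by providers) and the functions and queries of slides 21 and 22, as an added Python example. It is not part of the original presentation or of the UW-Madison PASE/UDS code, which lives in Oracle tables and PL/SQL. The class and method names, the sample services, the "Registrar" sponsor for the Student affiliation and the PVI value "pvi-1001" are assumptions constructed for the illustration.

```python
"""Added illustration of the PASE entitlement chain (not UW-Madison's code).
Sponsor registers a person (PVI) -> person holds affiliations -> affiliation is
mapped to service bundles -> bundle consists of services owned by providers.
All names below are assumptions made for this example."""
from dataclasses import dataclass, field


@dataclass
class Service:
    name: str
    provider: str           # Service Provider: organizational entity responsible
    enabled: bool = True


@dataclass
class Affiliation:
    name: str
    sponsor: str            # Sponsor: UW entity that proposes/registers it
    enabled: bool = True
    members: set = field(default_factory=set)   # PVIs assigned by the sponsor


class PaseRegistry:
    """Affiliation/service registry with the slide 21/22 functions and queries."""

    def __init__(self):
        self.affiliations = {}   # name -> Affiliation
        self.services = {}       # name -> Service
        self.bundles = {}        # bundle name -> set of service names
        self.entitlements = {}   # affiliation name -> set of bundle names

    def create_affiliation(self, name, sponsor):
        self.affiliations[name] = Affiliation(name, sponsor)
        self.entitlements[name] = set()

    def create_service(self, name, provider):
        self.services[name] = Service(name, provider)

    def define_bundle(self, bundle, service_names):
        missing = set(service_names) - set(self.services)
        if missing:
            raise KeyError(f"unknown services in bundle {bundle}: {sorted(missing)}")
        self.bundles[bundle] = set(service_names)

    def set_enabled(self, name, enabled):
        # Disable rather than delete: membership stays on record, eligibility goes.
        obj = self.affiliations.get(name) or self.services.get(name)
        if obj is None:
            raise KeyError(name)
        obj.enabled = enabled

    def entitle(self, affiliation, bundle):
        # Entitlement: map an affiliation to a service bundle, never to a person.
        if affiliation not in self.affiliations or bundle not in self.bundles:
            raise KeyError((affiliation, bundle))
        self.entitlements[affiliation].add(bundle)

    def assign_person(self, pvi, affiliation):
        self.affiliations[affiliation].members.add(pvi)

    def remove_person(self, pvi, affiliation):
        self.affiliations[affiliation].members.discard(pvi)

    def is_member_of_affiliation(self, pvi, affiliation):
        aff = self.affiliations.get(affiliation)
        return aff is not None and pvi in aff.members

    def affiliations_of(self, pvi):
        return sorted(a.name for a in self.affiliations.values() if pvi in a.members)

    def services_for(self, pvi):
        """Services reachable via enabled affiliation -> bundle -> enabled service."""
        reachable = set()
        for aff in self.affiliations.values():
            if aff.enabled and pvi in aff.members:
                for bundle in self.entitlements[aff.name]:
                    reachable |= self.bundles[bundle]
        return {s for s in reachable if self.services[s].enabled}

    def is_eligible(self, pvi, service):
        # Fails closed: an unknown person or service is simply not eligible.
        return service in self.services_for(pvi)

    def services_by_provider(self, provider):
        return sorted(s.name for s in self.services.values() if s.provider == provider)


def build_demo():
    """Constructed scenario from slides 8 and 15: applicants get portal-only access."""
    reg = PaseRegistry()
    reg.create_service("portal", "Division of Information Technology")
    reg.create_service("course-mgmt", "Division of Information Technology")
    reg.create_service("library-ereserves", "Libraries")
    reg.define_bundle("Portal Access", {"portal"})
    reg.define_bundle("Student Services", {"portal", "course-mgmt", "library-ereserves"})
    reg.create_affiliation("Undergrad Applicant", sponsor="Office of Admissions")
    reg.create_affiliation("Student", sponsor="Registrar")   # sponsor is assumed
    reg.entitle("Undergrad Applicant", "Portal Access")
    reg.entitle("Student", "Student Services")
    reg.assign_person("pvi-1001", "Undergrad Applicant")     # constructed PVI
    return reg


def enroll(reg, pvi):
    """Applicant becomes Student: the affiliation changes, the entitlements follow."""
    reg.remove_person(pvi, "Undergrad Applicant")
    reg.assign_person(pvi, "Student")


if __name__ == "__main__":
    reg = build_demo()
    print(reg.services_for("pvi-1001"))            # {'portal'}
    enroll(reg, "pvi-1001")
    print(sorted(reg.services_for("pvi-1001")))    # ['course-mgmt', 'library-ereserves', 'portal']
    reg.set_enabled("Student", False)              # affiliation disabled, membership kept
    print(reg.is_eligible("pvi-1001", "portal"))   # False
```

Two design points carry the security meaning of the slides. Nothing is ever granted to a person directly: is_eligible walks person to affiliation to bundle to service, so changing or disabling an affiliation changes every downstream entitlement at once, which is what makes the Applicant-to-Student transition a one-step lifecycle event rather than a cleanup of individual grants. And "disable" is distinct from "delete": a disabled affiliation still answers the membership query, which an auditor needs, but contributes nothing to eligibility, and an unknown person or service yields "not eligible" rather than an error.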

24 Governance
Requested by campus at the PASE campus forum
– PASE Policy Group
Identity Management Leadership Group (IMLG) formed in January
Charged by the Provost and CBO
Led by Data Custodians
Focus: IdM, PASE, access to data, and smart card initiatives

25 Governance
IMLG membership:
– Registrar (co-chair)
– Director of HR (co-chair)
– Head of Libraries
– Director of Facilities
– Chief of UW Police
– Director of UW-MSN Union
– Head of Continuing Studies
– CIO Office/Division of IT

26 Governance Process
Meets monthly
Charges sub-groups with deliberating on and presenting policies:
– PASE Policy Working Group
– PASE User Interface WG
– PASE New Hires WG
– One ID Card WG
– Access to UDS Data WG

27 PASE Policies & Processes
Role of agents: sponsor, service providers, IMLG, administrators
Institutional vs. other affiliations and services
Process for service entitlement negotiation
Security framework:
– Authorization
– Session management, etc.

28 Layers of the PASE effort as seen by Mairéad: 1. Technical (PASE Project Team), 2. Functional (PASE User Interface WG), 3. Policy (PASE Policy WG, PASE New Hires WG), 4. Governance (Identity Management Leadership Group)

29 Layers of the PASE effort as seen by Carrie: 1. Governance (Identity Management Leadership Group), 2. Policy (PASE Policy WG, PASE New Hires WG), 3. Functional (PASE User Interface WG), 4. Technical (PASE Project Team)

30 PASE Phase II
System development:
– Service and entitlement engine
– PASE interfaces: provisioners, connectors, user interfaces
– Infrastructure
PASE policies and processes
Security framework

31 Relationship to Internet2 Signet/Grouper
PASE predates the Signet/Grouper efforts, which were not around when we started in 2002/03
PASE is an enterprise-wide system
PASE is not a separate registry but integral to our UDS registry
Looking at the Grouper APIs

32 Contact Info: Mairéad Martin, Carrie Regenstein

33 PASE Glossary
Affiliation: A person's relationship to the institution. A person can have zero, one, or many affiliations. An affiliation is similar to a role.
Authorization: Typically, authorization indicates what a person, properly authenticated, is permitted to do with a networked object or resource.
Entitlement: Association of an affiliation with a service.
Population: Registered persons, or persons that can be identified by means of a Publicly Visible Identifier (PVI).

34 PASE Glossary
Service: One or more activities represented in business terms. A service can be either totally automated (e.g., the mail system) or partially so (e.g., Rec Sports). Services of interest to this project are protected by an authorization process.
Service Bundle: A set of one or more services. An example might be the bundle of services that all current members of the community get. In PASE, access privileges are defined by mapping one or more affiliations to a service bundle.
Service Entitlement: The specific, more granular, actions within a service, e.g., "update student data".

35 PASE Glossary
Service Provider: The organizational entity responsible for a service.
Sponsor: The UW entity that proposes new affiliations, possibly registers new groups of people into the UDS, and possibly also defines a person's affiliation(s).