Authorization: Just when you thought middleware was no fun anymore
Keith Hazelton, Senior IT Architect, Univ. of Wisconsin-Madison; Member, Internet2 Middleware Architecture Comm. for Education (MACE)
Internet2 Fall Member Meeting, Indianapolis, Oct. 15, 2003
Slide 1: Authorization-related services: a broad vision and selected details
- UW-Madison as a concrete reference point for thinking authorization thoughts
Slide 2: Core middleware services suite (diagram)
Slide 3: Core middleware services suite (diagram)
- Identity Mgmt Services
Slide 4: Core Middleware Services: Directory / Identity Mgmt.
- AuthZ Info Mgmt.: Internet2 Grouper, Stanford Authority (PrivGroups), UW-Msn PASE
- (diagram: Source system a, Source system b, Source system c)
Slide 5: Core middleware services suite (diagram)
- Identity Mgmt Services
- Security Services: AuthN / AuthZ…
Slide 6: Core Middleware Services: Authentication, Authorization, …
- AuthZ Info Access: Shibboleth (intra- and inter-institutional)
- AuthN: LDAP bind; PKI
Slide 7: PASE: A system for managing authorization information
A secure, delegated service to maintain and provide information about:
- Populations of interest to the university
- Affiliations (or roles) that a person has
- Services that members of a role get (i.e., what they are entitled to do)
Slide 8: PASE and authorization
- Typically, an authorization decision indicates whether a person or other principal is permitted to access a requested resource or invoke a requested service
- PASE is an authorization information management tool; it helps us manage the key information that authorization processes need
- PASE is the companion to our Identity Management System, the University Directory Service (UDS)
Slide 9: Current limitations
- Handling all populations
- Having clearly defined affiliation information
- Applying and documenting rules about who gets what
- Getting timely information with which to make access control decisions
- Handling special populations
Slide 10: Current limitations: handling special populations
- No system support for defining new types of affiliations
- Binary entitlement: either a person gets all services or gets none
- No delegated management: for defining new groups of people, or for granting group members access to services
- Result: difficult to add new groups
Slide 11: What is needed: an authorization information system with:
- Flexibility to handle new services and population types without reprogramming or other undue hassle
- A logical "single source" AuthZ info repository
- Secure, delegated administration
- A framework on which to implement policy
Slide 12: PASE relates the correct entities for greater flexibility and scalability
(entity-relationship diagram) A sponsor (source) registers a person; a person has an affiliation; an affiliation is mapped to a service bundle; a service bundle consists of services; each service is owned by a service provider.
Slide 13: PASE, peer institutions and NMI/Internet2
- Draws from pioneer efforts: Stanford's Authority system, MIT's Roles DB, Internet2 Grouper WG
- On the cutting edge: similar efforts at some institutions; we are one of the (b)leaders
Slide 14: The non-technical aspects of PASE
- Interests of sponsors and service providers are often not fully aligned
- Need for a business process to agree on mappings between affiliations and service bundles
- New role for sponsors as a result of their greater control: advocate for populations in negotiations with service providers
Slide 15: PASE Development: An Iterative Approach
We intend to deliver PASE services in several phases. First cut: a pilot
- To create the underlying structure end-to-end
- To provide many of the functions for managing entities and their relationships
- To manage risks (e.g., service disruption)
- To assess design choices and make adjustments with minimum impact
Slide 16: PASE Pilot – Spec Auth Retirees
- Sponsor: Office of Human Resources
- Person (Population): Retiree bio/demo data
- Affiliation: Retirees
- Affiliation Types: UW-Madison, UW Extension, UW System Administration and UW Colleges
- Service Bundle: "Bucky Bundle"
- Services: UW Madison Libraries, My UW Madison Portal, UW Madison Photo Identification, UW Madison Recreational Sports, etc.
- Service Provider: Service Representatives
Slide 17: PASE Pilot - Out of pilot scope
- General access to information, both to maintain the data and to use the data for authorization decisions
- Negotiation between sponsors and service providers
- Batch inputs
Slide 18: What's next?
- Report the results of the pilot
- Capture current services' authorization rules
- Define roles and responsibilities of the various players
- Refine the links to UDS
- Develop interfaces to service providers
Slide 19: More on PASE
- /index.asp
- Scott Fullerton
Slide 20: (diagram: Identity Mgmt Services; Security Services: AuthN / AuthZ…)
What's off this frame? Target-side: evaluating authZ info and policies
Slide 21: What's off this frame? Target-side: processing authZ info and policies
Slide 22: Appendix: PASE Terms
- Affiliation: A person's relationship to the institution. A person can have zero, one or many affiliations. An affiliation is similar to a role.
- Authorization: Typically, authorization indicates what a person, once properly authenticated, is permitted to do with a networked object or resource.
- Service: One or more activities represented in business terms. A service can be either totally automated (e.g., the mail system) or partially so (e.g., Rec Sports). Services of interest to this project are protected by an authorization process.
Slide 23: PASE Terms (continued)
- Service Bundle: A set of one or more services, for example the bundle of services that all current members of the community get. In PASE, access privileges are defined by mapping one or more affiliations to a service bundle.
- Service Entitlement: The specific, more granular actions within a service, e.g., "update student data".
- Service Provider: The organizational entity responsible for a service.
- Sponsor: The UW entity that proposes new affiliations, possibly registers new groups of people into the UDS, and possibly also defines a person's affiliation(s).
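The entity chain on the "PASE relates the correct entities" slide, the retiree pilot, and the glossary above all describe one data model: a sponsor registers people into an affiliation it administers, the affiliation is mapped to a service bundle, the bundle consists of services, and each service belongs to a provider. The following is an added example, not code from UW-Madison's PASE project, that models those relationships in memory and answers the authorization question "is this (already authenticated) principal entitled to this service?". It loads the pilot's retiree data as constructed sample input; the provider names, person identifiers, the second sponsor "Registrar" and the "issue-card" entitlement are assumptions, not facts from the slides. The delegated-administration check (only the owning sponsor may register members) and the union of bundles across affiliations are the two points the slides' limitation list calls for.

```python
# Added example, not code from UW-Madison's PASE project: a toy in-memory model
# of the entity relationships on the PASE slides (sponsor registers person,
# person has affiliation, affiliation is mapped to service bundle, bundle
# consists of services, service is owned by a service provider).
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    """A service in business terms, owned by one service provider.
    `entitlements` are the finer-grained actions within the service."""
    name: str
    provider: str
    entitlements: frozenset = frozenset()


class PASE:
    """Authorization information store with delegated administration:
    each affiliation is owned by the sponsor that proposed it, and only that
    sponsor may register members into it."""

    def __init__(self):
        self.services = {}   # service name -> Service
        self.bundles = {}    # bundle name -> set of service names
        self.owners = {}     # affiliation -> sponsor that administers it
        self.members = {}    # affiliation -> set of person ids
        self.mappings = {}   # affiliation -> set of bundle names

    def define_service(self, service):
        self.services[service.name] = service

    def define_bundle(self, bundle, service_names):
        unknown = set(service_names) - set(self.services)
        if unknown:
            raise KeyError(f"unknown services in bundle {bundle!r}: {sorted(unknown)}")
        self.bundles[bundle] = set(service_names)

    def define_affiliation(self, sponsor, affiliation):
        """A sponsor proposes a new affiliation and becomes its administrator."""
        self.owners[affiliation] = sponsor
        self.members.setdefault(affiliation, set())
        self.mappings.setdefault(affiliation, set())

    def register_member(self, sponsor, affiliation, person):
        """Delegated management: only the owning sponsor may add people."""
        if self.owners.get(affiliation) != sponsor:
            raise PermissionError(f"{sponsor!r} does not sponsor {affiliation!r}")
        self.members[affiliation].add(person)

    def map_affiliation(self, affiliation, bundle):
        """Record the (negotiated) affiliation -> service bundle mapping."""
        if affiliation not in self.owners:
            raise KeyError(f"unknown affiliation {affiliation!r}")
        if bundle not in self.bundles:
            raise KeyError(f"unknown bundle {bundle!r}")
        self.mappings[affiliation].add(bundle)

    def affiliations_of(self, person):
        """A person can hold zero, one or many affiliations."""
        return {a for a, people in self.members.items() if person in people}

    def services_for(self, person):
        """Union of the bundles of every affiliation the person holds,
        instead of the old all-or-nothing 'binary entitlement'."""
        names = set()
        for aff in self.affiliations_of(person):
            for bundle in self.mappings[aff]:
                names |= self.bundles[bundle]
        return names

    def is_entitled(self, person, service, action=None):
        """Authorization decision for an already-authenticated principal;
        `action` optionally checks a service entitlement within the service."""
        if service not in self.services_for(person):
            return False
        if action is None:
            return True
        return action in self.services[service].entitlements


def build_pilot():
    """Constructed sample data following the 'Spec Auth Retirees' pilot slide.
    Provider names, the person id and the 'issue-card' entitlement are assumptions."""
    pase = PASE()
    for svc in (
        Service("UW Madison Libraries", "Libraries"),
        Service("My UW Madison Portal", "Portal team"),
        Service("UW Madison Photo Identification", "ID card office",
                frozenset({"issue-card"})),
        Service("UW Madison Recreational Sports", "Rec Sports"),
    ):
        pase.define_service(svc)
    pase.define_bundle("Bucky Bundle", list(pase.services))
    pase.define_affiliation("Office of Human Resources", "Retirees")
    pase.map_affiliation("Retirees", "Bucky Bundle")
    pase.register_member("Office of Human Resources", "Retirees", "retiree-0001")
    return pase


if __name__ == "__main__":
    p = build_pilot()
    print(sorted(p.services_for("retiree-0001")))
    print(p.is_entitled("retiree-0001", "UW Madison Libraries"))  # True
    print(p.is_entitled("retiree-0001", "UW Madison Photo Identification",
                        "revoke-card"))  # False
```

The store deliberately separates the three things the slides say must be separately administered: sponsors own affiliations and their membership, service providers own services and their entitlements, and the affiliation-to-bundle mapping is the negotiated artifact between them. A target system would call `is_entitled` (or a Shibboleth-delivered attribute derived from `services_for`) after authentication; PASE itself never authenticates anyone.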