Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privilege Management: the Big Picture

Published byJasper Williams Modified over 5 years ago

Similar presentations

Presentation on theme: "Privilege Management: the Big Picture"— Presentation transcript:

1 Privilege Management: the Big Picture
nmi-edit Privilege Management: the Big Picture 2004 Advanced CAMP Authority Architectures Workshop Boulder, June 30, 2004 Lynn McRae Stanford University Copyright Lynn McRae, This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author. 12/1/2018

2 The Path to Privilege Management
Local accounts, individuals mapped to permissions list Local accounts mapped to local groups mapped to permissions list Integration with external information -- affiliations, status, etc. Integration with institutional group/roles Centralized privilege management Taxonomy of methods for managing security 12/1/2018

3 PM -- Local accounts Individuals mapped to permissions list
No policy control and tracking Historically weak life-cycle controls Does not support cross-system privileges Magic elf -- that person who you write to to open a new account, you to update privileges, where help tickets get routed to to fix access. They work through product panels, or edit acls directly, a human element that can be prone to error. Supports an exception-driven process, you lose track of WHY a person has a permission -- was it because of a role or a special request, how long should it last…etc 12/1/2018

4 PM - Local accounts & groups
Local privileges grouped for categories of access If done well can reflect roles or policy But interpretation of policy across many systems Still not cross-system 12/1/2018

5 PM - External data Opportunity to automate lifecycle
“User” is for session/preferences, not control A start at roles-based authorization Rules for mapping relationships to permissions still implemented across systems 12/1/2018

6 PM -- Institutional groups & roles
Mapping people to groups is implemented once Consistency from common group definitions Improved roles-based authorization Applications still have local mapping to privileges 12/1/2018

7 PM - Central Management
Single implementation mapping person to privileges, or person to group to privileges Independent from specific systems & technologies Allows privileges to be shared across systems Central rules can be complex or simple, but done once; central priv management can operate against individuals or against the groups 12/1/2018

8 Role- vs Privilege-based AuthZ
Both approaches are viable, complementary Roles (cf. eduPersonIsMemberOf) Inter-realm, specific privileges vary in different contexts e.g. Instructor can submit grades at one site, readonly at another Eligibilility (can have) instead of authorization (can do) e.g. Faculty/Staff /Students get free from specific provider Privileges (cf. eduPersonEntitlement) Permissions should be the same across service providers Service providers do not need to know rules or reason behind authorization e.g. Building access regardless of why -- has office in building, taking class in building, authorized by building manager 12/1/2018

9 Central Privilege Management
A system independent source for defining and administering privilege data Central repository simplifies policy management and tracking Consistent application of rules across systems Levels of institutional commitment NOT an authorization service… A source of data for an authorization service Integrates with local system security Integrates with authorization mechanisms What is an authorization service? 12/1/2018

10 What is Signet? A Privilege Management System & toolkit
Software to define an organization’s privileges Software to manage privilege information A web user interface for distributed assigning and viewing privilege information Components/APIs for integrating with other systems NSF funded Internet2 /MACE project Part of AuthZ core middleware initiative 12/1/2018

11 Demo - Stanford Authority Manager home page
12/1/2018

12 Demo - Stanford Authority Manager home page
12/1/2018

13 Demo - Stanford Authority Manager - User view
12/1/2018

14 Demo - Stanford Authority Manager - Granting
12/1/2018

15 Demo - Stanford Authority Manager - Granting
12/1/2018

16 Demo - Stanford Authority Manager - Granting
12/1/2018

17 Demo - Stanford Authority Manager -Granting
12/1/2018

18 Demo - Stanford Authority Manager - Granting
12/1/2018

19 Demo - Stanford Authority Manager - Granting
12/1/2018

20 Demo - Stanford Authority Manager - Granting
12/1/2018

21 Demo - Stanford Authority Manager - User view
12/1/2018

22 Privileges building blocks
12/1/2018

23 Privileges building blocks
Business view Subsystems Categories Functions System view Entitlements Shared Scope, Limits Pre-requisites, Conditions 12/1/2018

24 Subsystems Highest unit of organization, defines domains of ownership and responsibility One built-in subsystem to manage other authority subsystems Reflect real world organizational boundaries and areas of responsibility Can be large or small 12/1/2018

25 Categories Group privileges into topics within a subsystem
Organize data logically for UI and reports Some control features, e.g., choose one vs choose many 12/1/2018

26 Function/Tasks/Entitlements
12/1/2018 financial_SQLGL:DelphiEnt_EN_GL_Inquiry

27 Scope Places privileges in a hierarchical context
Distributed delegation via a chain of authority “you can only give what you have” Independent of personnel hierarchy 12/1/2018

28 Limits One or more qualifiers for a privilege Choice types:
Numeric, ranges Single/multiple choice User input values, edited against domain of values Scoped limits -- things “owned” by items in a hierarchy Knows “less” or “fewer” for delegation 12/1/2018

29 Entitlement integration
12/1/2018

30 Assignment features Prerequisites (auto-activation) Conditions
(auto-revocation) Having vs delegating authority 12/1/2018

31 Assignment features Assigning privileges to groups XML output
Groups may represent roles But Role management per se is a future concern XML output Union of privileges, plus Privileges that you have as an individual Privileges you have via proxy Privileges via group membership 12/1/2018

32 Other features Designated drivers Notification Audit history
Authority granting proxy Acting proxy Notification Audit history 12/1/2018

33 Assignment example By authority of the Dean grantor
as soon as you are principal investigator role (group) and have completed training prerequisite you can approve purchases function in the School of Medicine scope for your research project up to $100,000 limits until January 1, 2006 condition 12/1/2018

34 For more information… The project web site: list: Magic elves drawing from intranet/fairy tales/fairytales/fairytales menu.html 12/1/2018

Download ppt "Privilege Management: the Big Picture"

Similar presentations

A Successful Help Desk Process for all IT Support

A Successful Help Desk Process for all IT Support
A Web-based Bibliography Management Initiative: Collaborating for Classroom and Library Technology Integration Brian Nielsen, Academic Technologies Denise.

A Web-based Bibliography Management Initiative: Collaborating for Classroom and Library Technology Integration Brian Nielsen, Academic Technologies Denise.
Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, 2007. This work is the intellectual property rights of the author.

Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, This work is the intellectual property rights of the author.
Managing Roles & Privileges with Grouper and Signet Middleware Nate Klingenstein (some words stolen from Tom Barton & Lynn Mcrae) Helsinki EuroCAMP, April.

Managing Roles & Privileges with Grouper and Signet Middleware Nate Klingenstein (some words stolen from Tom Barton & Lynn Mcrae) Helsinki EuroCAMP, April.
Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau 2004. This work is the intellectual property of the authors. Permission is granted for.

Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau This work is the intellectual property of the authors. Permission is granted for.
Andrea Eastman-Mullins Information & Technology Coordinator University of North Carolina, Office of the President Teaching and Learning with Technology.

Andrea Eastman-Mullins Information & Technology Coordinator University of North Carolina, Office of the President Teaching and Learning with Technology.
Multi-Organizational Authorization Services RL “Bob” Morgan, University of Washington Internet2/Educause Advanced CAMP Boulder, Colorado July 2003.

Multi-Organizational Authorization Services RL “Bob” Morgan, University of Washington Internet2/Educause Advanced CAMP Boulder, Colorado July 2003.
Lynn McRae Stanford University Lynn McRae Stanford University Stanford Authority Manager Privilege management use.

Lynn McRae Stanford University Lynn McRae Stanford University Stanford Authority Manager Privilege management use.
Chapter 6 Database Design

Chapter 6 Database Design
Procurement From the 20 th to the 21 st Century Copyright Byron Honoré 2007. This work is the intellectual property of the author. Permission is granted.

Procurement From the 20 th to the 21 st Century Copyright Byron Honoré This work is the intellectual property of the author. Permission is granted.
David Sweeney, Director Brooke Woodruff, IT Manager

David Sweeney, Director Brooke Woodruff, IT Manager
Easing into the paperless era with Workflow Managers Christopher Zorn, Brian Dadin, Frank Starmer IT Lab Medical University of South Carolina Copyright.

Easing into the paperless era with Workflow Managers Christopher Zorn, Brian Dadin, Frank Starmer IT Lab Medical University of South Carolina Copyright.
Western Illinois University - Electronic Student Services Copyright Statement Copyright Western Illinois University – Electronic Student Services 2001.

Western Illinois University - Electronic Student Services Copyright Statement Copyright Western Illinois University – Electronic Student Services 2001.
Moving Your Paperwork Online Western Washington University E-Sign Web Forms Copyright Western Washington University, 2004. This work is the intellectual.

Moving Your Paperwork Online Western Washington University E-Sign Web Forms Copyright Western Washington University, This work is the intellectual.
Learning Management Systems Camp June 2004 Barry R Ribbeck UT HSC Houston Copyright, Barry Ribbeck, 2004. This work is the intellectual property of the.

Learning Management Systems Camp June 2004 Barry R Ribbeck UT HSC Houston Copyright, Barry Ribbeck, This work is the intellectual property of the.
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,
Understanding Active Directory

Understanding Active Directory
Identity Management – Why and How Experiences at CU-Boulder Copyright Linda Drake, Director of Development and Integration, University of Colorado, Boulder,

Identity Management – Why and How Experiences at CU-Boulder Copyright Linda Drake, Director of Development and Integration, University of Colorado, Boulder,
Copyright © 2003, Scott Higgins and Marianne Hollis Copyright Statement This work is the intellectual property of the authors. Permission is granted for.

Copyright © 2003, Scott Higgins and Marianne Hollis Copyright Statement This work is the intellectual property of the authors. Permission is granted for.
Marywood University, Scranton, PA Small Staff– Big Demands : Computer Training and User Support in Higher Education Kay McClintock, M.S. Coordinator of.

Marywood University, Scranton, PA Small Staff– Big Demands : Computer Training and User Support in Higher Education Kay McClintock, M.S. Coordinator of.

Similar presentations

Ads by Google