Signet & Privilege Management

Presentation on theme: "Signet & Privilege Management"— Presentation transcript:

1 Signet & Privilege Management
2004 Internet2 Spring Members meeting Minh Nguyen, Lynn McRae Stanford University 4/8/2019

2 What is the Signet project?
- Internet2/MACE project
- NSF funded
- Part of AuthZ core middleware initiative
- A Privilege Management System and toolkit
- Related work:
  - Recipe document derived from Stanford’s Authority Management experiences
  - Case studies on related authority practices

3 Recipe topics
- Concepts
- Ingredients for success
- External information dependencies, e.g., person data
- Business processes
- Lessons learned
- Other case studies

4 What is the Signet product?
- Software to define an organization’s privilege system
- Software to manage the privilege information
- A web user interface for assigning and viewing privilege information
- A schema to record privilege information
- Components/APIs for integrating with other systems

5 Signet and AuthZ
- An integrated source for administering privilege data
- Not an authorization service
- Integrates with authorization mechanisms

6 Why Signet?
- System independent privilege management
- Central repository of privilege data
- Provides simplification of authority policy and management
- Helps with consistent application of rules across systems
- Supports role-based authority via groups

7 Privileges building blocks
- Business view
  - Subsystems
  - Categories
  - Functions
  - Tasks
- System view
  - Entitlements

8 Subsystems
- Highest unit of organization, defines domains of ownership and responsibility
- One built-in subsystem to manage other authority subsystems
- Reflect real world organizational boundaries and areas of responsibility
- Can be large or small

9 Categories
- Group privileges into topics within a subsystem
- Organize data logically for UI and reports
- Some control features, e.g., choose one vs choose many

10 Function/Tasks/Entitlements

11 Entitlement integration

12 Assignment scope
- Places privileges in a hierarchical context
- Defines privilege umbrella
- Distributed delegation via a chain of authority
- “you can only give what you have”
- Independent of personnel hierarchy

13 Assignment building blocks
- Limits
  - Simple limits, e.g., spending limit
  - Scoped limits -- applies to things “owned” by items in the hierarchy
- Having vs delegating authority

14 Assignment building blocks
- Assigning privileges to groups
- Groups may represent roles
- Privileges that you have as an individual
- Privileges via group membership
- Prerequisites (auto-activation)
- Conditions (auto-revocation)

15 Assignment example
- As soon as you are principal investigator [role (group)]
- and have completed training [prerequisite]
- you can approve purchases [function]
- in the School of Medicine [scope]
- for your projects up to $100,000 [limits]
- until January 1, 2006 [condition]
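
The assignment from slide 15 and the "you can only give what you have" rule from slide 12, modeled as an added example. This is not Signet code or its API: the class and function names, the scope tree, and the "dean" grantor are constructed for illustration, and the scoped limit "your projects" is reduced to a plain dollar limit.

```python
from dataclasses import dataclass
from datetime import date

# Constructed scope tree (child -> parent); not Signet data.
PARENT = {"School of Medicine": "University", "Surgery": "School of Medicine",
          "School of Law": "University"}

def within(scope, umbrella):
    """True if scope equals umbrella or sits beneath it in the tree."""
    while scope is not None:
        if scope == umbrella:
            return True
        scope = PARENT.get(scope)
    return False

@dataclass(frozen=True)
class Assignment:
    group: str               # role, modeled as a group
    function: str
    scope: str
    limit: int               # simple limit: spending limit in dollars
    until: date              # condition: auto-revocation date
    prerequisite: str        # auto-activation requirement
    can_grant: bool = False  # delegating authority, as opposed to having it

def may_delegate(held, new):
    """'You can only give what you have': new must fit inside held."""
    return (held.can_grant and new.function == held.function
            and within(new.scope, held.scope)
            and new.limit <= held.limit and new.until <= held.until)

def is_active(a, groups, completed, today):
    """Active only with group membership, prerequisite met, condition unexpired."""
    return a.group in groups and a.prerequisite in completed and today < a.until

def permits(a, groups, completed, today, function, scope, amount):
    """Decision for one request against one assignment."""
    return (is_active(a, groups, completed, today) and function == a.function
            and within(scope, a.scope) and amount <= a.limit)

# Constructed grantor holding more than the slide's assignment.
DEAN = Assignment("dean", "approve purchases", "School of Medicine",
                  500_000, date(2007, 1, 1), "training", can_grant=True)
# The slide's example assignment.
PI = Assignment("principal investigator", "approve purchases",
                "School of Medicine", 100_000, date(2006, 1, 1), "training")
```
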

16 Other features
- Designated drivers
  - Authority granting proxy
  - Acting proxy
- Notification
- Audit history

17 Signet architecture
- Platform neutral -- Java
- Component-based for maintainability and extensibility
- Web-based user interface for easy access
- Supports middleware standards, e.g. eduPerson
- Will support End-to-End diagnostics

18 Signet components

19 Signet technologies
- J2EE technologies
  - JSP and Servlet
  - JDBC
  - JNDI
  - No Entity EJB
- RDBMS for persistent store
  - Database neutral -- ANSI SQL access
  - Object/relational mapping framework, e.g., Hibernate
- XML

20 Project participants
- Development partners
  - “Open source” development model
  - Design specification participants
  - Code contributions, e.g., connectors
- Early adopters
  - Variety of business needs
  - Variety of technical environments

21 For more information…
- The project web site:
- list:
- Advanced camp authority architecture workshop, June 30-July 2

