Presentation is loading. Please wait.

Presentation is loading. Please wait.

Centralized Application Permissions Privilege Management Nate Klingenstein 30 January 2007 OGF 19 Chapel Hill.

Published byLauren Dalton Modified over 10 years ago

Similar presentations

Presentation on theme: "Centralized Application Permissions Privilege Management Nate Klingenstein 30 January 2007 OGF 19 Chapel Hill."— Presentation transcript:

1 Centralized Application Permissions Privilege Management Nate Klingenstein ndk@internet2.edu 30 January 2007 OGF 19 Chapel Hill

2 The Saga Getting applications to relinquish authentication is pretty hard Getting applications to relinquish attribute control is harder Getting applications to relinquish control of authorizations… (fine print: do so in an inter-realm context too)

3 The Applications Have a Point Identity-based functions often live deep inside the application –How can you better identify and handle my authorization needs than me? –Why do I have to consult you when my application makes a decision? –Why do I need to work with you every time I want to change my permission definitions? Application databases and directories have worked great for years

4 The IT Guys Also Have a Point Theres tremendous duplication of effort Distributed information is more likely to be compromised Users can barely take care of one set of information, privileges, or credentials This is all weve got to live for –So we do it well Auditors exist, and also do it well –Compliance

5 Privilege Centralization Considerations Broader applicability –Granularity again How precise is your privilege definition? How many other source and destination systems could share your definition? The same questions apply when deciding whether to federate privileges –Intra-realm SSO & centralization is a subset of federated identity; the same tools should handle both

6 Privileges vs. Attributes vs. Groups We can instinctually determine what the difference is In digital systems, the distinction is less clear Is the difference only semantic? –Formats? –Management? How do these structures in source systems line up with those in apps?

7 Privileges Based on Attributes Were all familiar with privileges based on attributes –VOMS –Standard Shibboleth How do permissions based on attributes differ from individual privileges? –Grouping of permissions –Granularity RBAC models –MIT –NIST –Stanford –Etc.

8 Privileges vs. Attributes vs. Groups Redundancy and security requirements Transport protocols, profiles, bindings, formats –How much can you squeeze into SAML? –XACML transport

9 What does a Privilege Look Like? XACML Signet eduPersonEntitlement URL & value

10 Privileges for Applications What do you deliver to an application? Is a boolean good enough? If not, what do you consume? What can your authorization system provide? –What can your partners provide?

11 Introducing Signet Centralized privilege management system Supports privilege: –Issuance –Reissuance –Prohibition of reissuance –Delegation –Prohibition of Delegation More information forthcoming…

12 Integrating Privilege Systems with Applications What data format do applications want? –Conditions –Variables Push, or pull? –Protocols When? –Freshness vs. Frustration –Caching? How do you define the appropriate central data structures?

13 Grid Permissions Are there sufficiently common privilege requirements across grids that we can: –Pick a format for consumers? –Define a vocabulary and naming style? –Build one or more templates? –Standardize a basic set? How is this expressed in a form the grid can use? –VOMS Attributes?

14 Integrating Signet with Signets Dr. Jean Blue is a professor at Sandstone University and a PI of VORTEX, a virtual organization. As a PI of VORTEX, she has many VORTEX privileges and wants to administer them consistently across a variety of environments. She wants to assign her students permission to read one of the VORTEX mass- hypometers; etc. At what level do you connect the systems? With what data harmonization? Which transport mechanisms? –Which transport formats? How do they synchronize? Authorize?

15 Any Questions? Nate Klingenstein ndk@internet2.edu

Download ppt "Centralized Application Permissions Privilege Management Nate Klingenstein 30 January 2007 OGF 19 Chapel Hill."

Similar presentations

A Usage-based Authorization Framework for Collaborative Computing Systems Xinwen Zhang George Mason University Masayuki Nakae NEC Corporation Michael J.

A Usage-based Authorization Framework for Collaborative Computing Systems Xinwen Zhang George Mason University Masayuki Nakae NEC Corporation Michael J.
Click to edit Master title style HEALTH INFORMATION 1 Identity & Access Management Presenter: Mike Davis (760) 632-0294 January 09, 2007.

Click to edit Master title style HEALTH INFORMATION 1 Identity & Access Management Presenter: Mike Davis (760) January 09, 2007.
All About Attributes (in federated identity) Nate Klingenstein 30 January 2007 OGF 19 Chapel Hill.

All About Attributes (in federated identity) Nate Klingenstein 30 January 2007 OGF 19 Chapel Hill.
The Basics of Federated Identity. Overview of Federated Identity and Grids Workshop Session 1 - for all Basics and GridShib Session 2 – more for developers.

The Basics of Federated Identity. Overview of Federated Identity and Grids Workshop Session 1 - for all Basics and GridShib Session 2 – more for developers.
Federated Identity for Grid Architects Tom Scavo NCSA

Federated Identity for Grid Architects Tom Scavo NCSA
Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Managing Roles & Privileges with Grouper and Signet Middleware Nate Klingenstein (some words stolen from Tom Barton & Lynn Mcrae) Helsinki EuroCAMP, April.

Managing Roles & Privileges with Grouper and Signet Middleware Nate Klingenstein (some words stolen from Tom Barton & Lynn Mcrae) Helsinki EuroCAMP, April.
Haga clic para cambiar el estilo de título Haga clic para modificar el estilo de subtítulo del patrón DIRAC Framework A.Casajus and R.Graciani (Universitat.

Haga clic para cambiar el estilo de título Haga clic para modificar el estilo de subtítulo del patrón DIRAC Framework A.Casajus and R.Graciani (Universitat.
WSO2 Identity Server Road Map

WSO2 Identity Server Road Map
Recent Developments in Directories Tom Barton, University of Chicago Keith Hazelton, University of Wisconsin.

Recent Developments in Directories Tom Barton, University of Chicago Keith Hazelton, University of Wisconsin.
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-

TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-
XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.

XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.
December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.
The EC PERMIS Project David Chadwick

The EC PERMIS Project David Chadwick
95-804 Applied Cryptography Week 13 SAML 1 95-804 Applied Cryptography SAML and XACML Mike McCarthy Week 13.

Applied Cryptography Week 13 SAML Applied Cryptography SAML and XACML Mike McCarthy Week 13.
Copyright B. Wilkinson, 2008. This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
NSF Middleware Initiative: GridShib Tom Barton University of Chicago.

NSF Middleware Initiative: GridShib Tom Barton University of Chicago.

Similar presentations

Ads by Google