1 / 14

Identity Management ( IdM )

Identity Management ( IdM ). Hattie Leary Anoka Hennepin School District Hattie.Leary@AHSchools.us. The Complexity of Identity Management ( IdM ). IdM Lifecycle. Prim ary Components Person It all starts with “the human” Provisioning Creates an electronic definition(s) of the person

chick
Télécharger la présentation

Identity Management ( IdM )

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Identity Management(IdM) Hattie Leary Anoka Hennepin School District Hattie.Leary@AHSchools.us

  2. The Complexity of Identity Management (IdM)

  3. IdM Lifecycle Primary Components • Person • It all starts with “the human” • Provisioning • Creates an electronic definition(s) of the person • Authentication • Validates who you are • Authorization • Determines the rights to a system or application • Permissions • Once in an system/application, what rights do you have • Management and Maintenance • Password changes – Person changes • De-provisioning Person De-provisioning

  4. IdM Person • The human that starts the process • A person has “attributes” • Physical • Eye Color • Gender • Demographic • First Name and Last Name • Mailing Address • Phone Number • Occupational • Job Title • Job Assignments • Skill set • Note: Relationships are not new, but the number of relationships that a user has and types of relationships they have with other users and other things is rapidly growing.

  5. IdM Provisioning • Creates the person and identifiers • Gives person digital identity • Defines his/her group and role membership • Defines systems and accounts required • The process of providing users with access to applications and other resources that may be available in an enterprise environment.

  6. IdM Authentication • Validates the person’s identity • Really the user / user account • You prove who you are • Password • Answer personal questions • Can include multi-factor authentication • The user “presents” several separate pieces of evidence • Knowledge – (something they know) - passphrase • Possession (something they have) - password • Inherence (something they are) – finger print • Connected token – card readers and USB tokens • The process of verifying the identity claimed by an entity based on its credentials.

  7. Trusted 3rd Party • Request /w Token • Unauthenticated • Request • Data • Valid (+) • Credentials • Token • Token • User with • Device • Identity • Provider • Service • Provider

  8. Trusted 3rd Party • SAML (Shibboleth) • OpenID Connect (OAuth+) • SSL/TLS (Certificate Authority) • Kerberos (Active Directory)

  9. IdM Authorization • Determine right-to-access a system • Audit and security reporting • Manage system authorizations • The process of establishing a specific entitlement that is consistent with authorization policies

  10. IdM Permission • Determine access rights • Manage permissions • An access control instruction (ACI) has three parts: • Who can perform the operation. This is the entity who is being granted permission to do something; this is the actor. • What can be accessed. This defines the entry which the actor is allowed to perform operations on. This is the target of the access control rule. • What type of operation can be performed. The last part is determining what kinds of actions the user is allowed to perform. The most common operations are add, delete, write, read, and search

  11. Roles • Service • Providers Users Groups • SIS • LMS • Library • Transportation • LDAP • Hattie Leary • John Lovell • Teachers • Administrators • Staff • Students • Parent

  12. IdM Maintenance • Manage the changes to a person information (core person attributes) • Replication of person attributes to other systems as required • Users are dynamic—they change names, addresses, responsibilities and more. • Changes experienced by users in the physical world must be reflected by user objects on systems and applications

  13. IdM De-provisioning • Revoking permissions / authorizations based on current role(s) • Security controls (not sure what that is…) • Users have a finite lifespan and normally an even shorter relationship with an organization where a system or application is managed. • When users leave—termination, resignation, retirement, end of contract, end of customer relationship, etc. -- their access to systems and applications should likewise be deactivated.

  14. Hattie Leary • Hattie.Leary@ahschools.us • John W. Lovell • jlovell@a4l.org Contact Information:

More Related