
CAMP: Building a Distributed Access Management Infrastructure


Presentation Transcript


  1. CAMP: Building a Distributed Access Management Infrastructure Lynn McRae, Stanford University Denver, Nov 7-9, 2006

  2. The Three Stages • Maximizing Identity Management • Enriching Identity through Groups • Better Policy Control through Privilege Management

  3. The Three Stooges • Moe • Larry • Curly

  4. The Three Stages • Maximizing Identity Management • Integrate identities from Systems of Record • Common username & login credentials • Houses attributes for differential access • Enrich Identity through Groups • Users (departments, projects, individuals) define populations through membership in groups • Carried through infrastructure to enhance services • Policy Control by Privilege Management • Set/view privileges across systems • Adjust privileges to change in role and status • Decentralized control of centralized infrastructure

  5. Access Management • Each person’s online activities are shaped by many Sources of Authority • Institutional policy making bodies • Resource managers • Program/activity heads • Individuals • Self

  6. Distributed Access Management • Management of privileges should be distributed • Hook up all of Sources of Authority to the middleware • Common middleware infrastructure should be operated centrally • Departments/programs/activities/applications should not have to build their own core middleware • Resources should be shared through the infrastructure

  7. Overall model • Delegated model enables significant new audience • Contributes to Identity Management information to be used by others • Leverages Identity Management information, e.g., lifecycle control • Becomes a part of the infrastructure

  8. Three Stages • A CAMP conceit • Capabilities can evolve together • … but likely in this order • Each stage depends on strengths of stages before

  9. Three Stages • Identity Management is a necessary foundation • Success requires equal parts • Technical prowess • Institutional management support • Plus an architectural model • And a roadmap on how to get there

  10. Stage 1 - Identity Management • Institutional policy is the main source that defines who people are and what they can do • Managed in central business systems • Generally clear policy authorities • Registrar for students • HR/Personnel for employees • Faculty Affairs/Senate for faculty • Comptroller/controller/bursar for finance • IT for system administration, etc.

  11. IdM - Governance • Governance by Policy Makers • Stewardship (custodianship) by IT • These roles must be in full partnership to serve the entire community • Business systems must focus on their needs • while IT adds value to the larger community • by providing access to this information • by allowing others to augment this information • by supporting ways to leverage this information

  12. IdM - the data • Solid identity matching • Enterprise data definitions • Consistent use of common data • Rules of precedence for multiple sources • … for multiple affiliations • … for affiliation transitional issues • Institutional roles …

  13. IdM - Institutional Roles • Faculty, Staff, Student • And variations -- faculty emeriti, casual staff, non-degree seeking students • As needed to support eligibility/privileges • Authoritative definitions materialized • Not source system data passed on for interpretation • Source systems retain business logic for generating access management categories

  14. IdM - Not just People! • Identity Management should include other entities • Organizations • Accounts (network namespace) • Space (buildings and rooms) • Even Groups!

  15. IdM - Delivering Information • Role of the infrastructure and middleware • Through publishing information in accessible technologies • LDAP • XML documents • Web Services • Warehouse • Tools for provisioning

  16. IdM - Integration • Transaction principles • Atomicity • Consistency • Isolation • Durability

  17. IdM - Integration • Integration Principles • Replayable • Re-integrate, on demand • Auditable • Able to verify accuracy, completeness • Idempotent • Multiple replays, in any order, lead to same result • Normative • Rules for conflict resolution, for “what should be”
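Slides 12 through 17 describe the integration rules in words. The following is an added example, written for this transcript and not code from the CAMP talk, Stanford, or Internet2: a replayable, idempotent merge of records from several Systems of Record with rules of precedence, materializing institutional roles rather than passing source codes on for interpretation. The sources (hr, registrar, faculty_affairs), the precedence table, the affiliation ranking and the feed itself are all hypothetical.

```python
"""Added example (not from the CAMP talk or any campus code): idempotent,
order-independent integration of identity records from several Systems
of Record, with rules of precedence. Sources and rules are hypothetical."""
from dataclasses import dataclass
from itertools import permutations
from typing import Iterable


@dataclass(frozen=True)
class Record:
    source: str   # System of Record that asserted the value, e.g. "hr"
    seq: int      # that source's own change sequence number
    person: str   # institutional identifier; identity matching already done
    attr: str     # attribute name
    value: str    # the source's own access-management category, "" to retract


# Hypothetical precedence policy: which sources may assert an attribute,
# most authoritative first. Any other source is rejected (normative rule).
PRECEDENCE = {
    "name": ["hr", "registrar"],
    "affiliation": ["faculty_affairs", "hr", "registrar"],
}
# Hypothetical ranking used to pick one primary affiliation among several.
AFFILIATION_RANK = ["faculty", "emeritus", "staff", "student", "guest"]


def _rank(aff: str) -> int:
    return AFFILIATION_RANK.index(aff) if aff in AFFILIATION_RANK else len(AFFILIATION_RANK)


class Registry:
    """Keeps only the newest record per (source, person, attr). Because the
    retained set depends only on sequence numbers, replaying in any order,
    or re-applying old records, converges on the same state (idempotent)."""

    def __init__(self) -> None:
        self._latest: dict[tuple[str, str, str], Record] = {}

    def apply(self, rec: Record) -> None:
        if rec.source not in PRECEDENCE.get(rec.attr, []):
            raise ValueError(f"{rec.source!r} is not authoritative for {rec.attr!r}")
        key = (rec.source, rec.person, rec.attr)
        cur = self._latest.get(key)
        if cur is None or rec.seq > cur.seq:
            self._latest[key] = rec

    def replay(self, records: Iterable[Record]) -> "Registry":
        for rec in records:
            self.apply(rec)
        return self

    def materialize(self, person: str) -> dict:
        """Normative view of one person: a single-valued attribute comes from
        the highest-precedence source currently asserting it; affiliations
        are the union across sources, plus one primary affiliation."""
        out: dict = {}
        for attr, sources in PRECEDENCE.items():
            asserted = [
                self._latest[(s, person, attr)].value
                for s in sources
                if (s, person, attr) in self._latest
                and self._latest[(s, person, attr)].value != ""
            ]
            if attr == "affiliation":
                affs = sorted(set(asserted))
                out["affiliations"] = affs
                out["primary_affiliation"] = min(affs, key=_rank) if affs else None
            else:
                out[attr] = asserted[0] if asserted else None
        return out

    def audit(self) -> list[Record]:
        """Retained records, sorted, so a replay can be checked for completeness."""
        return sorted(self._latest.values(),
                      key=lambda r: (r.source, r.person, r.attr, r.seq))


def materialize_from(records: Iterable[Record], person: str) -> dict:
    return Registry().replay(records).materialize(person)


def order_independent(records: list, person: str) -> bool:
    """True if every replay order of the records materializes identically."""
    first = materialize_from(records, person)
    return all(materialize_from(p, person) == first for p in permutations(records))


# Constructed feed: a student hired as staff who later graduates (the
# registrar retracts "student" with an empty value). Deliberately scrambled.
FEED = [
    Record("registrar", 2, "p1", "affiliation", "student"),
    Record("hr", 1, "p1", "name", "J. Doe"),
    Record("registrar", 5, "p1", "affiliation", ""),
    Record("hr", 3, "p1", "affiliation", "staff"),
    Record("registrar", 1, "p1", "name", "Jane Doe"),
]

if __name__ == "__main__":
    print(materialize_from(FEED, "p1"), order_independent(FEED, "p1"))
```

The design choice worth noticing is that the registry never applies a record "on top of" the current state; it stores the newest assertion per source and recomputes the normative view from scratch, which is what makes re-integration on demand safe. The retraction record (empty value) is how an affiliation transition is expressed without the integrator needing to know why the registrar dropped the person.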

  18. Stages 2 and 3 • Enabling other sources of identity and privileges • Addressing information gaps • Transparent participation in the full benefits of the Identity Management sources and infrastructure

  19. Stage 2 - Enriched by Groups • Membership -- a simple, accessible concept • Facility for school-, department-, project-, user-managed ad-hoc groups • Each contributor is an Identity Maker • Supplements/complements institutional roles/groups • Inclusion/exclusion • Group math

  20. Stage 2 - Enriched by Groups (diagram, before groups) • Identity Management from HR: Affiliation: faculty, Dept: Biology • The Boss asks: What about my team? …my project? …my senior staff? • Each service defines and allows its own list, each with its own spelling: WIKI defines and allows BIO_X, Email Lists define and allow BioX, Calendar defines and allows Bio-X

  21. Stage 2 - Enriched by Groups (diagram, with Grouper) • Identity Management from HR: Affiliation: faculty, Dept: Biology • The Boss defines the groups once in Grouper: biology:bio-x, biology:bio-x:admin, biology:bio-x:staff • WIKI, Email Lists and Calendar each allow Bio-X, the one shared group

  22. Stage 2 - Enriched by Groups (diagram, before groups) • Identity Management: HR gives Affiliation: faculty; SIS Courses gives Instructor: CS-313 • CourseWare (CS-313 grades) allows CS-313; Library (CompSci resources) allows CS teaching; an External Partner, reached through Shib, allows CS affiliates • The Professor asks: What about my TAs? … my auditors? … extensions/makeup?

  23. Stage 2 - Enriched by Groups (diagram, with Grouper) • Identity Management: HR gives Affiliation: faculty; SIS Courses gives Instructor: CS-313 • Grouper holds U Class:CS-313:TA, managed by the Professor • CourseWare allows CS-313, Library allows CS teaching, External Partner allows CS affiliates, all resolved through Grouper • Shib carries the membership to the partner: U Class:CS-313:TA = isMemberOf: CS-313

  24. Groups benefits • Delegated model of control • Enables ad-hoc group contributions down to individuals (personal groups) • Leveraged across technologies • Membership criteria for access rights • Calendar groups • .htaccess references • Email lists • Can leverage other identity management information
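The Bio-X and CS-313 diagrams show groups defined once and consulted by several services, with nested groups, group math (inclusion/exclusion) and an isMemberOf attribute carried through Shib. The following is an added example written for this transcript; it is not Grouper's code or any campus code. Group names, members, the service policy table and the subject identifiers are constructed for illustration.

```python
"""Added example (not Grouper's code): a small group registry with a
namespace of nested groups, composite groups built by group math (union,
intersection, complement), an isMemberOf attribute computed from effective
memberships, and services that all consult the same group instead of each
keeping its own list. Names and members are constructed."""


class GroupRegistry:
    def __init__(self) -> None:
        self._direct: dict[str, set[str]] = {}        # group -> subjects and/or groups
        self._composite: dict[str, tuple[str, str, str]] = {}  # group -> (op, left, right)

    def create(self, name: str, members=()) -> None:
        """A directly managed group; members may be subjects or other groups."""
        if name in self._composite:
            raise ValueError(f"{name} is a composite group")
        self._direct[name] = set(members)

    def add(self, name: str, member: str) -> None:
        self._direct[name].add(member)

    def remove(self, name: str, member: str) -> None:
        self._direct[name].discard(member)

    def compose(self, name: str, op: str, left: str, right: str) -> None:
        """Group math: name = left (union | intersection | complement) right."""
        if op not in ("union", "intersection", "complement"):
            raise ValueError(op)
        self._composite[name] = (op, left, right)

    def members(self, name: str, _seen: frozenset = frozenset()) -> set[str]:
        """Effective members: nested groups flattened, composites evaluated.
        _seen stops a group that (indirectly) contains itself from recursing."""
        if name in _seen:
            return set()
        seen = _seen | {name}
        if name in self._composite:
            op, left, right = self._composite[name]
            l, r = self.members(left, seen), self.members(right, seen)
            return {"union": l | r, "intersection": l & r, "complement": l - r}[op]
        result: set[str] = set()
        for m in self._direct.get(name, ()):
            if m in self._direct or m in self._composite:
                result |= self.members(m, seen)      # nested group
            else:
                result.add(m)                         # subject
        return result

    def is_member_of(self, subject: str) -> list[str]:
        """Every group the subject effectively belongs to: the value an IdP
        could release to a service as an isMemberOf attribute."""
        names = set(self._direct) | set(self._composite)
        return sorted(g for g in names if subject in self.members(g))


# Constructed service policies: each service names the group it allows,
# rather than keeping its own BIO_X / BioX / Bio-X list.
SERVICE_POLICY = {
    "wiki": "biology:bio-x",
    "email-list": "biology:bio-x",
    "calendar": "biology:bio-x",
    "courseware:cs-313": "class:cs-313",
}


def allowed(groups: GroupRegistry, service: str, subject: str) -> bool:
    return SERVICE_POLICY[service] in groups.is_member_of(subject)


def build_demo() -> GroupRegistry:
    g = GroupRegistry()
    # The Boss's Bio-X team: sub-groups nested under a department namespace.
    g.create("biology:bio-x:admin", ["boss"])
    g.create("biology:bio-x:staff", ["ann", "bob"])
    g.create("biology:bio-x", ["biology:bio-x:admin", "biology:bio-x:staff"])
    # The Professor's course: roster from the SIS (institutional), TAs and an
    # exclusion list managed by the professor, combined with group math.
    g.create("sis:cs-313:enrolled", ["s1", "s2", "s3"])
    g.create("class:cs-313:ta", ["t1"])
    g.create("class:cs-313:excluded", ["s3"])
    g.compose("class:cs-313:people", "union", "sis:cs-313:enrolled", "class:cs-313:ta")
    g.compose("class:cs-313", "complement", "class:cs-313:people", "class:cs-313:excluded")
    return g


if __name__ == "__main__":
    demo = build_demo()
    print(sorted(demo.members("biology:bio-x")), demo.is_member_of("t1"))
```

Two points the code makes concrete: the roster group comes from the SIS and is never edited by hand, while the TA and exclusion groups are the Professor's own contribution, and both kinds combine through the same group math; and removing a person from one sub-group changes what every consuming service sees at once, because none of them holds a copy.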

  25. Stage 3 - Privilege management • Brings privilege information together in one place • User access through a common UI • Program access through an API toolkit • Central granting applies across multiple systems • Central reporting, history, auditing, review • Accessible to managers AND holders of privileges • Integrated with IdM for lifecycle controls

  26. Reasons for Privilege Management • Implementation of related access rules is scattered across systems • different procedures, different contacts, managing changes across areas, over time • Coordinating policy and privileges across systems is difficult • Difficulty tracking privilege holders • Ending privileges is not well managed

  27. Privileges for Guest accounts (diagram, before) • Rula Lenska: “Friends are here from Europe!” • Identity Management issues Guest IDs, but Affiliation: ??? • Blackboard allows faculty, staff, student, guest; Printing allows staff, guest; Athletic Facilities allow student, guest • Shib

  28. Privileges for Guest accounts (diagram, with Signet and Grouper) • Identity Management: Guest IDs, Affiliation: guest • Signet privileges for the guests: blackboard(music103), printing(max100), athletic(gym,after5), each with an effective date and an expiration date • Grouper groups guest:student and guest:staff put the guests into the populations the services already allow: Blackboard allows faculty, staff, student, guest; Printing allows staff, guest; Athletic Facilities allow student, guest • Rula Lenska

  29. Financial privileges (diagram, before) • The Donald: “You too can be a millionaire!” • Identity Management: Affiliation: staff • Finance systems each decide separately: Reporting (who can view), Reimbursements (who can approve), Requisitions (who can spend) • Requests arrive by phone, email and ticket

  30. Financial privileges (diagram, with Signet) • Identity Management: Affiliation: staff • Finance supplies Accounts and Depts as Scope • Signet holds The Donald's privileges: school:dept1 (view,all); school:dept2 (approve,1472,$100); while staff • Reporting (who can view), Reimbursements (who can approve), Requisitions (who can spend) each draw on Signet

  31. Privileges & Groups (diagram, with Signet and Grouper) • Identity Management: Affiliation: staff • Grouper provides the scope hierarchy: school, school:dept, school:dept:unit • Signet privileges scoped against it: school:dept1 (view,all); school:dept2 (approve,1472,$100); while staff • Reporting (who can view), Reimbursements (who can approve), Requisitions (who can spend) • The Donald

  32. Privilege management • Distributed management, delegated model of control • Enables schools, departments, projects, etc to define and manage privileges • Separates language of privileges (what someone can do) from language of systems (how they get enabled) • Provides transparency of control • Isolates users from system changes
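The finance and guest diagrams (slides 28 through 31) show privileges with a scope, a limit, effective and expiration dates, and a condition on the holder's IdM affiliation ("while staff"). The following is an added example written for this transcript, not Signet's code or any campus code, showing how such a grant can be stored and evaluated so that it lapses when either its dates or its affiliation condition stop holding, and how central reporting ("who can approve") and the holder's own view come from the same store. Subsystems, scopes, limits, dates and people are constructed.

```python
"""Added example (not Signet's code): privilege grants with scope, limit,
effective/expiration dates and an IdM affiliation condition, evaluated
centrally. Subsystems, scopes, limits and people are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

TODAY = date(2006, 11, 8)    # constructed "now" values used by the demo
LATER = date(2007, 1, 15)


@dataclass(frozen=True)
class Grant:
    holder: str
    subsystem: str            # e.g. "finance", "printing"
    function: str             # what the holder may do, in the subsystem's terms
    scope: str                # org node, e.g. "school:dept2"; covers its children
    limit: Optional[float]    # e.g. $100 approval ceiling; None = unlimited
    effective: date
    expires: Optional[date]
    while_affiliation: frozenset   # holds only while the holder has one of these
    grantor: str


def scope_covers(granted: str, requested: str) -> bool:
    """school:dept2 covers school:dept2 and school:dept2:unit7, not school."""
    return requested == granted or requested.startswith(granted + ":")


class PrivilegeStore:
    def __init__(self, idm: dict[str, set[str]]) -> None:
        self.idm = idm                      # holder -> current IdM affiliations
        self._grants: list[Grant] = []
        self.history: list[tuple[str, Grant]] = []   # central audit trail

    def grant(self, g: Grant) -> None:
        self._grants.append(g)
        self.history.append(("grant", g))

    def revoke(self, g: Grant) -> None:
        self._grants.remove(g)
        self.history.append(("revoke", g))

    def active(self, g: Grant, today: date) -> bool:
        """Live only inside its dates AND while the IdM condition still holds."""
        if not (g.effective <= today and (g.expires is None or today <= g.expires)):
            return False
        return bool(self.idm.get(g.holder, set()) & g.while_affiliation)

    def can(self, holder, subsystem, function, scope, today, amount=None) -> bool:
        for g in self._grants:
            if (g.holder, g.subsystem, g.function) != (holder, subsystem, function):
                continue
            if not scope_covers(g.scope, scope) or not self.active(g, today):
                continue
            if g.limit is not None and amount is not None and amount > g.limit:
                continue
            return True
        return False

    def who_can(self, subsystem, function, scope, today) -> list[str]:
        """Central reporting: every holder currently able to do this here."""
        return sorted({g.holder for g in self._grants
                       if (g.subsystem, g.function) == (subsystem, function)
                       and scope_covers(g.scope, scope) and self.active(g, today)})

    def holdings(self, holder, today) -> list[tuple[str, str, str, bool]]:
        """The holder's own view: what was granted and whether it is live."""
        return [(g.subsystem, g.function, g.scope, self.active(g, today))
                for g in self._grants if g.holder == holder]


def build_demo() -> PrivilegeStore:
    idm = {"donald": {"staff"}, "rula": {"guest"}}     # constructed IdM feed
    store = PrivilegeStore(idm)
    staff, guest = frozenset({"staff"}), frozenset({"guest"})
    store.grant(Grant("donald", "finance", "view", "school:dept1", None,
                      date(2006, 1, 1), None, staff, "dept1-head"))
    store.grant(Grant("donald", "finance", "approve", "school:dept2", 100.0,
                      date(2006, 1, 1), None, staff, "dept2-head"))
    store.grant(Grant("rula", "printing", "print", "printing", 100.0,
                      date(2006, 11, 1), date(2006, 11, 30), guest, "host"))
    return store


if __name__ == "__main__":
    s = build_demo()
    print(s.can("donald", "finance", "approve", "school:dept2", TODAY, amount=80))
    print(s.who_can("finance", "approve", "school:dept2:unit7", TODAY))
```

The affiliation check is what ties Stage 3 back to Stage 1: the store never has to be told that someone left, because `active` consults the IdM view at evaluation time. The scope check is the piece Grouper supplies in slide 31; here it is a prefix test on the org path, which is enough to show that a privilege at school:dept2 reaches school:dept2:unit7 but not the whole school.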

  33. Back at 20,000 feet • Delegated model enables significant new audience • Enriching Identity Management leverages that data for significant benefits • Leveraging IdM provides granularity and lifecycle control • Groups and Privileges become commonplace in the infrastructure

  34. Tools for stage 2 or 3 • No commercial products, really • A few campus-built distributed group or privilege management solutions • Not packaged for implementation elsewhere • Ergo, the Grouper and Signet Projects • V1.0+ releases, open source

  35. Challenges of stage 2 or 3 • Integration • Governance/ownership • Support model, help desk, debugging

  36. For more information • http://grouper.internet2.edu • http://signet.internet2.edu • Open Source and evolving • Contact information • Email lists • Product web sites and WIKIs
