Privilege Management with Signet: Steps to an Application
Keith Hazelton, University of Wisconsin-Madison
Internet2 MACE, Broomfield, Colorado, 1-July-04
UW-Madison ASAP (Access to Systems Authorization Process)
• Chose this project because it has manageable scope for discussion purposes
• Use pre-Version 1.0 Signet deliverables from Phases 1-3. See the draft Signet Toolkit Roadmap: http://middleware.internet2.edu/signet/docs/internet2-mace-signet-roadmap-00.html
ASAP (Access to Systems Authorization Process) Vision
• The current system for granting access to our enterprise systems (3270 transactions, ISIS, etc.) is a laborious paper routing system.
• This system relies on one person (Karen L.) for routing of paper authorization forms to all data custodians, and on all data custodians "signing off" on all requests.
• The ASAP system would replace the paper routing system with a web-based workflow engine.
ASAP (Access to Systems Authorization Process)
• See the draft Privilege Management Recipe at http://middleware.internet2.edu/signet/
• “PM separates the management of privileges from the interpretation or application of them.”
• “It does this through a central, shared repository of privilege information where privileges can be managed independent of any specific system or technology that needs it.”
ASAP workflow (diagram, shown across six build-up slides): Grantor, Biz Func, Custodian, Employee
ASAP
• A workflow process for granting access to applications appropriate to an employee’s business functions
• Workflow steps (happy path):
  • Grantor assigns a business function to an employee, but the function has entitlements that require approval by a data custodian (a prerequisite)
  • Entitlements needed by the employee to perform the business function are approved by the data custodian
  • Employee is granted appropriate access in all relevant systems
Business Function
• Per Privilege Management Recipe:
  • “Somewhere between a job which has many responsibilities, and a system permission to perform an operation such as updating a table in a database.”
• Example Business Functions in ASAP:
  • Departmental HR administration
  • Course Timetable administration
  • Financial Aid administration
Entitlement
• Per Privilege Management Recipe:
  • “The atomic units of authority control, representing specific operations...”
• Example Entitlements in ASAP for Departmental HR Administration:
  • Hiring
  • Reclass
  • Maintain leave information
Implementing ASAP
• Analysis task one: Define the suite of business functions and their entitlements
  • Make the implicit explicit: Departmental HR people do Staff Management. Oh, and Leave and Benefits admin.
  • Make the specific more general: Department-level and College-level HR staff business functions really differ only in scope of authority
  • Specify the entitlements needed to perform each business function
  • Specify limits and prerequisites on entitlements
Implementing ASAP: A Wrinkle
• Analysis task two: How to handle the two-step process of grant from above and approval by custodian
• One Signet-based approach: grant to custodians all the access entitlements within the scope of their area of custodianship
  • Now custodians can grant subsets of their privileges to employees
  • Employees get all they need from the union of privileges from the original grantor and the custodian
Implementing ASAP
• Development task one: Design and deploy a registry for the organizational hierarchy
  • For us, this would be based on the widely used UDDS codes (Unit, Division, Department and SubDepartment)
• Development task two: Deploy Signet and wire it to infrastructure, including person and organizational registries
Implementing ASAP with Signet: Bootstrap Phase
• Implementation task one: Business analyst enters the defined business functions and assigns the initial bootstrap grantor
• Task two: Bootstrap grantor delegates privileges to other grantors, including custodians (grant-only flavor when appropriate vs. grant and/or exercise)
Approaching ASAP via Signet
• Design so that the grantor uses Signet to grant business functions to employees (but with the prerequisite of custodial approval)
• That would be designed to add items to the Signet assignment document(!) such as “Give Joanne the entitlements she needs to perform the job function of departmental HR administrator in the Molecular Biology Department”
Approaching ASAP via Signet
• The ASAP development team designs a component that regularly scans the Signet assignment document for entitlements that need data custodian approval
  • It formats approval requests and puts them in the workflow queue.
• The data custodian grants the needed privileges
• After approval, the prerequisite is updated in Signet (via API!)
Approaching ASAP via Signet
• The employee’s privilege document now shows their new entitlements with prerequisites met
• Through provisioning, these entitlements flow to the applications and systems in question
• The employee has access to all the screens and data views they need
• Karen L. can go back to her friends in the woodlands
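As an added illustration (not code from the Signet project or from UW-Madison's ASAP), the Python sketch below models the two-step grant described across the last few slides: a grantor assigns a business function, a scanner picks out the entitlements awaiting custodian approval, a custodian may approve only entitlements within their own holdings (the subset-of-custodian-privileges approach from the "Wrinkle" slide), and the employee's privilege document exposes only entitlements whose prerequisites are met. The class and function names, the sample catalogue and the UDDS-style scope value are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample catalogue (not UW-Madison's real ASAP data): a business
# function bundles entitlements; some carry a custodian-approval prerequisite.
BUSINESS_FUNCTIONS = {"dept-hr-admin": {"hiring", "reclass", "maintain-leave"}}
NEEDS_CUSTODIAN = {"hiring", "reclass"}

@dataclass
class Assignment:
    grantee: str
    entitlement: str
    scope: str                         # organizational unit, e.g. a UDDS code
    granted_by: str
    needs_custodian: bool
    approved_by: Optional[str] = None  # custodian sign-off; None while pending
    def prerequisite_met(self) -> bool:
        return not self.needs_custodian or self.approved_by is not None

class AssignmentDocument:
    """Hypothetical stand-in for the Signet assignment document and its API."""
    def __init__(self, custodian_holdings):
        # custodian -> {(entitlement, scope)} held within their custodianship
        self.holdings = custodian_holdings
        self.assignments: list[Assignment] = []

    def grant_function(self, grantor, employee, function, scope):
        # Grantor assigns a business function; entitlements with a custodian prerequisite stay pending.
        for ent in BUSINESS_FUNCTIONS[function]:
            self.assignments.append(
                Assignment(employee, ent, scope, grantor, ent in NEEDS_CUSTODIAN))

    def pending_approvals(self):
        # The scanner component: assignments still awaiting custodian approval.
        return [a for a in self.assignments if not a.prerequisite_met()]

    def can_approve(self, custodian, assignment) -> bool:
        # A custodian may sign off only on entitlements they hold in that scope,
        # i.e. grant a subset of their own privileges, never beyond them.
        return (assignment.entitlement, assignment.scope) in self.holdings.get(custodian, set())

    def approve(self, custodian, assignment):
        if not self.can_approve(custodian, assignment):
            raise PermissionError(f"{custodian} may not approve {assignment.entitlement}")
        assignment.approved_by = custodian  # the prerequisite update "via API"

    def privilege_document(self, employee):
        # Provisioning consumes only entitlements whose prerequisites are met.
        return {a.entitlement for a in self.assignments
                if a.grantee == employee and a.prerequisite_met()}
```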
Enhancing ASAP via Signet
• Auto-provisioning of application-level access controls based on the privilege document
• Move to an event bus approach to route “privilege management events” to subscribing apps, to approach near-real-time PM
• …
Q & A