1 / 10

Provisioning of Services Authentication Requirements

Provisioning of Services Authentication Requirements. David Henry Office of Information Technology University of Maryland dhenry@umd.edu. Provisioning of Accounts. For what services are "shell accounts" used? For what services are other provisioning methods used and what are they?

april
Download Presentation

Provisioning of Services Authentication Requirements

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Provisioning of Services Authentication Requirements David Henry Office of Information Technology University of Maryland dhenry@umd.edu

  2. Provisioning of Accounts • For what services are "shell accounts" used? For what services are other provisioning methods used and what are they? • Most provisioning is via “shell accounts” • Some services are pre-provisioned • Time and Attendance system for timesheet, automatically provisioned, based on presence in HRS • Student registration system and personal information management, based on presence in SIS • Some services are provisioned upon initial use • Umail - presence in the directory means user can “activate” the account automatically upon first use, which establishes home directory, password file entry, etc. • New email system will require activation via web page prior to first use

  3. Provisioning (cont.) • How are enterprise accounts created/deleted? • Everyone gets an employeenumber • Never changes • Includes student applicants, visiting/adjunct faculty, volunteers, other affiliates • Used as part of the DN in our directory • Initially tied to SSN, but allows for SSN changes • Eight digits plus check digit • Everyone gets a Directory ID/ Unique ID • Alphanumeric up to 8 characters • Is assigned initially first initial, first 7 characters of last name (e.g. dhenry); digits used to make unique (e.g. jjohnso2) • Vanity Ids are supported • User may request a change up to once a year. • When retired, ID won’t be reassigned for 12 months • Some specific Ids are reserved forever

  4. Provisioning (cont.) • Entries are added • Faculty/Staff: Upon entry in HR system, includes future appointments • Students: Upon “acceptance with letter sent” • Others: May be sponsored by any of a number of approved offices. • Entries are deleted • Faculty/Staff: 210 days after separation (an attribute is established to indicate a termination date for those apps that care) • Students: After start of second semester of non-registration, treating summer as a semester. • Others: Renewed annually by sponsor

  5. Provisioning (cont.) • How are other services provisioning mechanisms managed? • Lots of ways • Lots of admins • How do you advise apps developers on which identifiers to use? • Use the employeenumber as internal ID (if possible) • Use the Directory ID for user auth’n • Don’t use empno or SSN

  6. Provisioning (cont.) • How are the identifiers for an individual's multiple accounts managed? • Currently, they’re not. • In some cases, ID’s depend on the directory ID or another system. • Passwords? Don’t ask.

  7. Provisioning (cont.) • System to manage IDs in cooperative • Admins • Centrally register their system/service • Indicate characteristics of eligibility (LDAP filter?) • Specify mechanism for notifications (new account request, userid change, account delete, etc.) • User • Goes to a central web page to see the systems and services they may request • Activate systems/services • System • Notify registered systems/services of change events • E-Mail, URL (with Auth’n), Script

  8. Authentication Practices • What levels of services require what initial types of identity proofing? • UNIX shell accounts require in-person proofing w/student ID card • Privileged accounts require f2f • Access to certain information requires signed statement re: appropriate use • What mechanisms are used for authentication? • Native authentication mechanism • Kerberos • LDAP compare

  9. Authn (cont.) • What is the hope for intercampus standards? • There needs to be some hope. • Shady Grove Campus • Combination of system institutions • All Faculty, Staff, and Students are from one of the other campuses. • Courses from any campus apply. • So far everything is handled by exception.

  10. That’s IT David Henry OIT University of Maryland

More Related