Identity Management (IdM)
Hattie Leary, Anoka Hennepin School District
Hattie.Leary@AHSchools.us
IdM Lifecycle
Primary Components
• Person
  • It all starts with “the human”
• Provisioning
  • Creates an electronic definition(s) of the person
• Authentication
  • Validates who you are
• Authorization
  • Determines the rights to a system or application
• Permissions
  • Once in a system/application, what rights do you have
• Management and Maintenance
  • Password changes – Person changes
• De-provisioning
IdM Person
• The human that starts the process
• A person has “attributes”
  • Physical
    • Eye Color
    • Gender
  • Demographic
    • First Name and Last Name
    • Mailing Address
    • Phone Number
  • Occupational
    • Job Title
    • Job Assignments
    • Skill set
• Note: Relationships are not new, but the number of relationships that a user has, and the types of relationships they have with other users and other things, are rapidly growing.
IdM Provisioning
• Creates the person and identifiers
• Gives the person a digital identity
• Defines his/her group and role membership
• Defines systems and accounts required
• The process of providing users with access to applications and other resources that may be available in an enterprise environment.
IdM Authentication
• Validates the person’s identity
  • Really the user / user account
• You prove who you are
  • Password
  • Answer personal questions
• Can include multi-factor authentication
  • The user “presents” several separate pieces of evidence
    • Knowledge (something they know) – passphrase
    • Possession (something they have) – password
    • Inherence (something they are) – fingerprint
    • Connected token – card readers and USB tokens
• The process of verifying the identity claimed by an entity based on its credentials.
Trusted 3rd Party (diagram): a User with Device, an Identity Provider and a Service Provider exchanging the following messages: Unauthenticated Request, Credentials, Valid (+) Token, Request w/ Token, Data.
Trusted 3rd Party
• SAML (Shibboleth)
• OpenID Connect (OAuth+)
• SSL/TLS (Certificate Authority)
• Kerberos (Active Directory)
IdM Authorization
• Determine right-to-access a system
• Audit and security reporting
• Manage system authorizations
• The process of establishing a specific entitlement that is consistent with authorization policies.
IdM Permission
• Determine access rights
• Manage permissions
• An access control instruction (ACI) has three parts:
  • Who can perform the operation. This is the entity who is being granted permission to do something; this is the actor.
  • What can be accessed. This defines the entry which the actor is allowed to perform operations on. This is the target of the access control rule.
  • What type of operation can be performed. The last part is determining what kinds of actions the user is allowed to perform. The most common operations are add, delete, write, read, and search.
Roles (diagram)
• Service Providers: SIS, LMS, Library, Transportation, LDAP
• Users: Hattie Leary, John Lovell
• Groups: Teachers, Administrators, Staff, Students, Parent
IdM Maintenance
• Manage the changes to a person’s information (core person attributes)
• Replication of person attributes to other systems as required
• Users are dynamic—they change names, addresses, responsibilities and more.
• Changes experienced by users in the physical world must be reflected by user objects on systems and applications.
IdM De-provisioning
• Revoking permissions / authorizations based on current role(s)
• Security controls (not sure what that is…)
• Users have a finite lifespan and normally an even shorter relationship with an organization where a system or application is managed.
• When users leave—termination, resignation, retirement, end of contract, end of customer relationship, etc.—their access to systems and applications should likewise be deactivated.
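The lifecycle stages above (provisioning, permission as an ACI with actor, target and operations, authorization, and de-provisioning) as one small runnable model. This is an added example, not code from the slides: the user, group and service-provider names come from the deck, while the Directory class, its methods and the specific ACI rules are constructed for illustration.

```python
from dataclasses import dataclass, field

# Added example, not from the slides: identities, groups and service providers
# below are the ones named in the deck; the ACI rules are constructed.
OPERATIONS = frozenset({"add", "delete", "write", "read", "search"})

@dataclass
class Identity:            # electronic definition of a person (provisioning)
    uid: str
    roles: set = field(default_factory=set)  # group / role membership
    active: bool = True                      # cleared on de-provisioning

@dataclass(frozen=True)
class ACI:                 # access control instruction: who / what / operations
    actor: str             # role granted the permission
    target: str            # service provider / entry acted on
    ops: frozenset         # allowed operations on that target

class Directory:
    def __init__(self):
        self.identities, self.acis = {}, []
    def provision(self, uid, roles):
        self.identities[uid] = Identity(uid, set(roles))
    def grant(self, actor, target, ops):
        unknown = set(ops) - OPERATIONS
        if unknown:
            raise ValueError(f"unknown operations: {sorted(unknown)}")
        self.acis.append(ACI(actor, target, frozenset(ops)))
    def authorized(self, uid, target, op):
        # Authorized only if active and some ACI for this target names one of its roles.
        ident = self.identities.get(uid)
        if ident is None or not ident.active:
            return False
        return any(op in a.ops for a in self.acis
                   if a.actor in ident.roles and a.target == target)
    def deprovision(self, uid):
        # De-provisioning: revoke every role and deactivate the identity.
        ident = self.identities[uid]
        ident.roles.clear()
        ident.active = False

def build_demo_directory():
    d = Directory()
    d.provision("hleary", {"Administrators", "Staff"})
    d.provision("student1", {"Students"})
    d.grant("Administrators", "SIS", {"read", "write", "search"})
    d.grant("Teachers", "LMS", {"read", "write", "add"})
    d.grant("Students", "LMS", {"read"})
    return d
```

Once an identity is de-provisioned, every check returns False even though the ACIs themselves are untouched, which is the point of revoking at the person rather than per application.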
Contact Information:
• Hattie Leary – Hattie.Leary@ahschools.us
• John W. Lovell – jlovell@a4l.org