CAMP: Building a Distributed Access Management Infrastructure Lynn McRae, Stanford University Denver, Nov 7-9, 2006
The Three Stages • Maximizing Identity Management • Enriching Identity through Groups • Better Policy Control through Privilege Management
The Three Stooges • Moe • Larry • Curly
The Three Stages • Maximizing Identity Management • Integrate identities from Systems of Record • Common username & login credentials • Houses attributes for differential access • Enrich Identity through Groups • Users (departments, projects, individuals) define populations through membership in groups • Carried through infrastructure to enhance services • Policy Control by Privilege Management • Set/view privileges across systems • Adjust privileges to change in role and status • Decentralized control of centralized infrastructure
Access Management • Each person’s online activities are shaped by many Sources of Authority • Institutional policy making bodies • Resource managers • Program/activity heads • Individuals • Self
Distributed Access Management • Management of privileges should be distributed • Hook up all Sources of Authority to the middleware • Common middleware infrastructure should be operated centrally • Departments/programs/activities/applications should not have to build their own core middleware • Resources should be shared through the infrastructure
Overall model • Delegated model enables a significant new audience • Contributes Identity Management information to be used by others • Leverages Identity Management information, e.g., lifecycle control • Becomes a part of the infrastructure
Three Stages • A CAMP conceit • Capabilities can evolve together • … but likely in this order • Each stage depends on strengths of stages before
Three Stages • Identity Management is a necessary foundation • Success requires equal parts • Technical prowess • Institutional management support • Plus an architectural model • And a roadmap on how to get there
Stage 1 - Identity Management • Institutional policy is the main source that defines who people are and what they can do • Managed in central business systems • Generally clear policy authorities • Registrar for students • HR/Personnel for employees • Faculty Affairs/Senate for Faculty • Comptroller/controller/bursar for finance • IT for system administration, etc.
IdM - Governance • Governance by Policy Makers • Stewardship (custodianship) by IT • These roles must be in full partnership to serve the entire community • Business systems must focus on their needs • while IT adds value to the larger community • by providing access to this information • by allowing others to augment this information • by supporting ways to leverage this information
IdM - the data • Solid identity matching • Enterprise data definitions • Consistent use of common data • Rules of precedence for multiple sources • … for multiple affiliations • … for affiliation transitional issues • Institutional roles …
IdM - Institutional Roles • Faculty, Staff, Student • And variations -- faculty emeriti, casual staff, non-degree seeking students • As needed to support eligibility/privileges • Authoritative definitions materialized • Not source system data passed on for interpretation • Source systems retain business logic for generating access management categories
IdM - Not just People! • Identity Management should include other entities • Organizations • Accounts (network namespace) • Space (buildings and rooms) • Even Groups!
IdM - Delivering Information • Role of the infrastructure and middleware • Through publishing information in accessible technologies • LDAP • XML documents • Web Services • Warehouse • Tools for provisioning
IdM - Integration • Transaction principles • Atomicity • Consistency • Isolation • Durability
IdM - Integration • Integration Principles • Replayable • Re-integrate, on demand • Auditable • Able to verify accuracy, completeness • Idempotent • Multiple replays, in any order, lead to same result • Normative • Rules for conflict resolution, for “what should be”
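The integration principles above (precedence across multiple sources, materialized institutional roles, replayable and idempotent loads, an auditable completeness check) in working form. This is an added illustration, not Stanford's or CAMP's code; the source names, category-to-role table and sample feeds are constructed.

```python
# Rules of precedence when a person appears in several Systems of Record:
# the earlier source in this list wins for each single-valued attribute.
PRECEDENCE = ["hr", "registrar", "faculty_affairs"]

# Institutional role materialized from each source's own category, so that
# consumers never have to interpret raw source data themselves.
ROLE_OF_CATEGORY = {
    ("hr", "regular"): "staff", ("hr", "casual"): "staff",
    ("registrar", "degree"): "student", ("registrar", "non-degree"): "student",
    ("faculty_affairs", "active"): "faculty", ("faculty_affairs", "emeritus"): "faculty",
}

def integrate(feeds):
    """feeds: iterable of (source, record) pairs, possibly replayed or out of
    order. Returns {person_id: merged record}. Idempotent: the result depends
    only on the newest record seen per (source, id), never on feed order."""
    latest = {}
    for source, rec in feeds:
        key = (source, rec["id"])
        # A version stamp, when the source supplies one, decides which copy is
        # newest; identical replays simply overwrite themselves.
        if key not in latest or rec.get("updated", 0) >= latest[key].get("updated", 0):
            latest[key] = rec
    merged = {}
    # Apply lowest-precedence sources first so higher ones overwrite them.
    for (source, pid), rec in sorted(latest.items(),
                                     key=lambda kv: -PRECEDENCE.index(kv[0][0])):
        person = merged.setdefault(pid, {"id": pid, "affiliations": set(), "sources": set()})
        person["sources"].add(source)
        # Multiple affiliations accumulate; they are never overwritten.
        person["affiliations"].add(ROLE_OF_CATEGORY[(source, rec["category"])])
        for attr in ("name", "email"):
            if attr in rec:
                person[attr] = rec[attr]
    return merged

def audit(merged, feeds):
    """Completeness check: every id any source fed must be in the result."""
    return sorted({rec["id"] for _, rec in feeds} - set(merged))

# Constructed sample feeds, deliberately out of precedence order.
FEEDS = [
    ("registrar", {"id": "p1", "name": "Ann L.", "email": "ann@reg.example", "category": "degree"}),
    ("hr", {"id": "p1", "name": "Ann Lee", "email": "ann@hr.example", "category": "casual"}),
    ("faculty_affairs", {"id": "p2", "name": "Bo Chen", "category": "emeritus"}),
]
```

Replaying FEEDS twice, or in reverse, yields the same merged records, which is the property a re-integration on demand relies on.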
Stages 2 and 3 • Enabling other sources of identity and privileges • Addressing information gaps • Transparent participation in the full benefits of the Identity Management sources and infrastructure
Stage 2 - Enriched by Groups • Membership -- a simple, accessible concept • Facility for school-, department-, project-, user-managed ad-hoc groups • Each contributor is an Identity Maker • Supplements/complements institutional roles/groups • Inclusion/exclusion • Group math
Stage 2 - Enriched by Groups (diagram, before Grouper) • Identity Management from HR: Affiliation: faculty, Dept: Biology • The Boss: “What about my team? …my project? …my senior staff?” • Each application defines its own group: WIKI defines BIO_X, Email Lists define BioX, Calendar defines Bio-X • Each application allows only its own spelling: allow BIO_X, allow BioX, allow Bio-X
Stage 2 - Enriched by Groups (diagram, with Grouper) • Identity Management from HR: Affiliation: faculty, Dept: Biology • The Boss defines the groups once in Grouper: biology:bio-x, biology:bio-x:admin, biology:bio-x:staff • WIKI, Email Lists and Calendar each allow Bio-X from that one group
Stage 2 - Enriched by Groups (diagram, before Grouper) • Identity Management from HR: Affiliation: faculty; from SIS Courses: Instructor: CS-313 • The Professor: “What about my TAs? … my auditors? … extensions/makeup?” • CourseWare CS-313 grades: allow CS-313 • Library CompSci resources: allow CS teaching • External Partner (via Shib): allow CS affiliates
Stage 2 - Enriched by Groups (diagram, with Grouper) • Identity Management from HR: Affiliation: faculty; from SIS Courses: Instructor: CS-313 • The Professor defines Class:CS-313:TA in Grouper; its union (U) with the course roster is released through Shib as isMemberOf: CS-313 • CourseWare CS-313 grades: allow CS-313 • Library CompSci resources: allow CS teaching • External Partner: allow CS affiliates
Groups benefits • Delegated model of control • Enables ad-hoc group contributions down to individuals (personal groups) • Leveraged across technologies • Membership criteria for access rights • Calendar groups • .htaccess references • Email lists • Can leverage other identity management information
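The group math behind the Bio-X and CS-313 slides (hierarchical names, groups nested in groups, union and complement composites, and the flattened isMemberOf list an application or Shib would consume), as an added illustration. This is not Grouper's code or API; the class, the group names and the sample members are constructed to mirror the slides.

```python
class GroupRegistry:
    """Groups have hierarchical names such as 'biology:bio-x:staff'. Members may
    be subjects or other groups; composites combine two groups by set math."""
    def __init__(self):
        self.groups = {}       # name -> set of direct members
        self.composites = {}   # name -> (op, left, right)

    def add(self, name, members=()):
        self.groups[name] = set(members)

    def add_composite(self, name, op, left, right):
        assert op in ("union", "intersection", "complement")
        self.composites[name] = (op, left, right)

    def members(self, name, _seen=frozenset()):
        """Effective membership: direct members flattened through nested
        groups, or the result of a composite. _seen guards against cycles."""
        if name in _seen:
            return set()
        _seen = _seen | {name}
        if name in self.composites:
            op, left, right = self.composites[name]
            a, b = self.members(left, _seen), self.members(right, _seen)
            return {"union": a | b, "intersection": a & b, "complement": a - b}[op]
        out = set()
        for m in self.groups.get(name, ()):
            if m in self.groups or m in self.composites:
                out |= self.members(m, _seen)      # a group as a member
            else:
                out.add(m)                          # a subject
        return out

    def is_member_of(self, subject):
        """Every group containing the subject, flattened, as an application
        (or Shib, as an isMemberOf attribute) would consume it."""
        return sorted(n for n in list(self.groups) + list(self.composites)
                      if subject in self.members(n))

def build_registry():
    """Constructed sample mirroring the Bio-X and CS-313 slides."""
    g = GroupRegistry()
    g.add("biology:bio-x:admin", ["boss"])
    g.add("biology:bio-x:staff", ["alice", "bob"])
    g.add("biology:bio-x", ["biology:bio-x:admin", "biology:bio-x:staff"])
    g.add("class:CS-313", ["carol", "dave"])             # roster from SIS
    g.add("class:CS-313:TA", ["erin"])                    # the Professor's TAs
    g.add("class:CS-313:auditors", ["dave"])
    g.add_composite("class:CS-313:all", "union", "class:CS-313", "class:CS-313:TA")
    g.add_composite("class:CS-313:graded", "complement", "class:CS-313", "class:CS-313:auditors")
    return g
```

With this model a TA is added once, in class:CS-313:TA, and every application that allows class:CS-313:all sees the change; auditors are excluded from class:CS-313:graded without editing the roster.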
Stage 3 - Privilege management • Brings privilege information together in one place • User access through a common UI • Program access through an API toolkit • Central granting applies across multiple systems • Central reporting, history, auditing, review • Accessible to managers AND holders of privileges • Integrated with IdM for lifecycle controls
Reasons for Privilege Management • Implementation of related access rules is scattered across systems • different procedures, different contacts, managing changes across areas, over time • Coordinating policy and privileges across systems is difficult • Difficulty tracking privilege holders • Ending privileges is not well managed
Privileges for Guest accounts (diagram, before Signet) • Rula Lenska: “Friends are here from Europe!” • Identity Management Guest IDs (via Shib): Affiliation: ??? • Athletic Facilities allow faculty, staff, student, guest • Printing allows staff, guest • Blackboard allows student, guest
Privileges for Guest accounts (diagram, with Signet and Grouper) • Identity Management Guest IDs: Affiliation: guest • Rula Lenska grants in Signet, each with an effective date and an expiration date: blackboard(music103) to guest:student, printing(max100) to guest:staff, athletic(gym,after5) • The guest:student and guest:staff groups live in Grouper • Athletic Facilities allow faculty, staff, student, guest • Printing allows staff, guest • Blackboard allows student, guest
Financial privileges (diagram, before Signet) • The Donald: “You too can be a millionaire!” • Identity Management: Affiliation: staff, phone, email • Finance systems Requisitions, Reimbursements and Reporting each decide who can spend, who can approve and who can view • Privileges are requested by ticket
Financial privileges (diagram, with Signet) • Identity Management: Affiliation: staff • The Donald grants in Signet, scoped by Accounts and Depts: school:dept1 (view,all), school:dept2 (approve,1472,$100), conditioned “while staff” • Finance systems Requisitions, Reimbursements and Reporting consult Signet for who can spend, approve and view
Privileges & Groups (diagram, Signet with Grouper) • Identity Management: Affiliation: staff • Grouper supplies the scope hierarchy school, school:dept, school:dept:unit • The Donald's Signet privileges: school:dept1 (view,all), school:dept2 (approve,1472,$100), “while staff” • Finance systems Requisitions, Reimbursements and Reporting: who can spend, who can approve, who can view
Privilege management • Distributed management, delegated model of control • Enables schools, departments, projects, etc to define and manage privileges • Separates language of privileges (what someone can do) from language of systems (how they get enabled) • Provides transparency of control • Isolates users from system changes
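The privilege model in the Signet slides above, checked in code as an added illustration (not Signet's code or API): a privilege states what someone can do (function), where (a hierarchical scope such as school:dept2), with limits (approve up to $100), a prerequisite condition (“while staff”, supplied by IdM) and an effective/expiration window. The dataclass, the sample grants and the subject names are constructed.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Privilege:
    subject: str
    function: str                 # what someone can do: "view", "approve", "spend"
    scope: str                    # where: "school:dept2"; also covers its sub-scopes
    limits: dict = field(default_factory=dict)   # e.g. {"max_amount": 100}
    requires: str = ""            # affiliation that must still hold, e.g. "staff"
    effective: date = date.min
    expires: date = date.max

def in_scope(granted, requested):
    """school:dept2 covers school:dept2 and school:dept2:unit1, not school:dept21."""
    return requested == granted or requested.startswith(granted + ":")

def authorized(privs, affiliations, subject, function, scope, today, amount=0):
    """affiliations: {subject: set of current IdM roles}. Returns (allowed,
    reason) so both managers and holders can see why a decision was made."""
    reasons = []
    for p in privs:
        if (p.subject, p.function) != (subject, function) or not in_scope(p.scope, scope):
            continue
        if not p.effective <= today <= p.expires:
            reasons.append(f"{p.scope}: outside effective window")
            continue
        if p.requires and p.requires not in affiliations.get(subject, set()):
            reasons.append(f"{p.scope}: requires {p.requires}")   # lifecycle control
            continue
        if amount > p.limits.get("max_amount", float("inf")):
            reasons.append(f"{p.scope}: exceeds limit {p.limits['max_amount']}")
            continue
        return True, f"granted by {p.scope}"
    return False, "; ".join(reasons) or "no matching privilege"

# Constructed sample: the Donald's finance grants and a guest's printing grant.
TODAY = date(2006, 11, 8)
PRIVS = [
    Privilege("donald", "view", "school:dept1", requires="staff"),
    Privilege("donald", "approve", "school:dept2", {"max_amount": 100}, "staff"),
    Privilege("guest7", "print", "guest", {"max_pages": 100},
              effective=date(2006, 11, 1), expires=date(2006, 11, 7)),
]
AFFILIATIONS = {"donald": {"staff"}}
```

Because the condition is evaluated against current IdM affiliations at decision time, the approval right ends when the staff affiliation ends, without anyone editing the finance system.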
Back at 20,000 feet • Delegated model enables significant new audience • Enriching Identity Management leverages that data for significant benefits • Leveraging IdM provides granularity and lifecycle control • Groups and Privileges become commonplace in the infrastructure
Tools for stage 2 or 3 • No commercial products, really • A few campus-built distributed group or privilege management solutions • Not packaged for implementation elsewhere • Ergo, the Grouper and Signet Projects • V1.0+ releases, open source
Challenges of stage 2 or 3 • Integration • Governance/ownership • Support model, help desk, debugging
For more information • http://grouper.internet2.edu • http://signet.internet2.edu • Open Source and evolving • Contact information • Email lists • Product web sites and WIKIs