
Lessons Learned from AuthZ Project an Authorization Center

Learn the driving forces, alumni email access policies, network access, and software download policies from CMU's Authorization Center.


Presentation Transcript


  1. Lessons Learned from AuthZ Project an Authorization Center Carnegie Mellon University Parviz Dousti

  2. Driving Forces • Alumni Email For Life • Central Administration of Policies

  3. Services • Network Access • Netreg • Dialup • VPN • Cluster Login Access • Portal Access • Library Access • Software Download • Email Access

  4. Policies • e.g.: • Softdist: accounts where owner's affiliation is in {Faculty, Special Faculty, Staff} + accounts where owner's affiliation is Student and owner's SIS category is "Enrolled". • Policy: accounts where owner's affiliation is in {Faculty, Special Faculty, Staff, Student} + accounts where owner's affiliation is Alum and owner's Student Class is "2004"

  5. Conceptual Design

  6. Priorities • Easiest for Applications and Services • Extensibility • Using Standards

  7. Why LDAP • Standard and unambiguous protocol • Already used by most apps. • Existing Authentication/Authorization Env. • Most policy attributes are already there

  8. LDAP at CMU • Openldap • Trigger Server • SQL(Oracle) backend

  9. Trigs

  10. SQL-backed LDAP • Uses ODBC to contact an RDBMS • Can add, modify, delete LDAP entries • LDAP users don't know the difference … So we can use the RDBMS to help with data consistency.

  11. First Design • Using LDAP Group Membership as Authorization • Service = Group • Maintaining static aclGroups • Using Oracle triggers • Using XACML for policy

  12. First Design

  13. First Design Problems • Notion of time not allowed in Policy • Policy/Attributes mapping • Oracle 9i and Java 1.4 • Transactional Problem

  14. Latest Design

  15. Latest Design • AuthZ questions: • isAuthorized • authorizedTo • allAuthorized • whenAuthorizedThen
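The two affiliation-based rules on slide 4 and the three query shapes named on slide 15 (isAuthorized, authorizedTo, allAuthorized) are small enough to work through in code. The block below is an added example, not code from the CMU project; the account record layout, the attribute names (affiliation, SIS category, Student Class), the mapping of the second rule to the email service, the fail-closed handling of unknown accounts or services, and the exact semantics of the three query functions are all assumptions made for the illustration. whenAuthorizedThen is not modelled because the slides do not define it. The directory entries are constructed sample data.

```python
"""Added example: evaluating slide 4's affiliation policies and answering the
slide 15 AuthZ questions over a small constructed directory.
All account fields, policy-to-service mapping and function semantics are
assumptions for this illustration, not the CMU project's own code."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class Account:
    uid: str
    affiliation: str                      # assumed values: Faculty, Special Faculty, Staff, Student, Alum
    sis_category: Optional[str] = None    # e.g. "Enrolled"; only meaningful for students
    student_class: Optional[str] = None   # graduation year, e.g. "2004"; only meaningful for alumni


Policy = Callable[[Account], bool]


def softdist_policy(a: Account) -> bool:
    """Slide 4, 'Softdist': faculty, special faculty, staff, or enrolled students."""
    if a.affiliation in {"Faculty", "Special Faculty", "Staff"}:
        return True
    return a.affiliation == "Student" and a.sis_category == "Enrolled"


def email_policy(a: Account) -> bool:
    """Slide 4, second rule (assumed here to be the email-for-life policy of slide 2):
    any current affiliate, or alumni whose Student Class is "2004"."""
    if a.affiliation in {"Faculty", "Special Faculty", "Staff", "Student"}:
        return True
    return a.affiliation == "Alum" and a.student_class == "2004"


# service name -> policy; the names are assumptions, not the project's identifiers
POLICIES: Dict[str, Policy] = {
    "softdist": softdist_policy,
    "email": email_policy,
}

# Constructed sample directory standing in for the LDAP/SQL-backed account store.
DIRECTORY: Dict[str, Account] = {
    "alice": Account("alice", "Faculty"),
    "bob":   Account("bob", "Student", sis_category="Enrolled"),
    "carol": Account("carol", "Student", sis_category="Leave of Absence"),
    "dave":  Account("dave", "Alum", student_class="2004"),
    "erin":  Account("erin", "Alum", student_class="1999"),
}


def is_authorized(directory: Dict[str, Account], uid: str, service: str) -> bool:
    """isAuthorized: does this account satisfy the policy for this service?
    Unknown accounts and unknown services are denied (fail closed)."""
    policy = POLICIES.get(service)
    account = directory.get(uid)
    if policy is None or account is None:
        return False
    return policy(account)


def authorized_to(directory: Dict[str, Account], uid: str) -> Set[str]:
    """authorizedTo: the set of services this account may use."""
    return {s for s in POLICIES if is_authorized(directory, uid, s)}


def all_authorized(directory: Dict[str, Account], service: str) -> List[str]:
    """allAuthorized: every account that satisfies the service's policy.
    This is the membership a static aclGroup (slide 11, 'Service = Group')
    would have to be kept in sync with."""
    return sorted(uid for uid in directory if is_authorized(directory, uid, service))


if __name__ == "__main__":
    for uid in DIRECTORY:
        print(uid, sorted(authorized_to(DIRECTORY, uid)))
    for service in POLICIES:
        print(service, all_authorized(DIRECTORY, service))
```

Evaluating the policy at query time (isAuthorized) and materializing it per service (allAuthorized) are two views of the same rule set; the first-design problems on slide 13 come largely from keeping the materialized group view consistent with attributes that change in the backing database.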
