PASE: Authorization Information Middleware
Spring CSG 2004
PASE: A system for managing authorization information
A secure, delegated service to maintain and provide information about:
• Populations of interest to the university
• Affiliations (or roles) that a person has
• Services that members of a role get (i.e. what they are entitled to do)
P A S E
PASE, peer institutions and NMI/Internet2
• Draws from pioneer efforts
  • Stanford’s Authority system
  • MIT’s Roles DB
• Aligning with NMI/Internet2 projects
  • Grouper WG
  • Signet WG
PASE and authorization
• An authorization information management tool
• It manages the key information needed by authorization processes
• The companion to our Identity Management System, the University Directory Service (UDS)
Evolutionary driver: Limitations with the established population
• Inadequate handling of affiliation information
• Difficulty applying and documenting rules about who gets what
• Lack of timely information for service providers
Evolutionary driver (cont): Limitations with special populations
• Fixed set of “specials”
• Limited, binary entitlement (all or none)
• No delegated management:
  • For defining new groups of people
  • For granting entitlements
PASE: Reflecting Business Process
A sponsor (source) registers a person, who has an affiliation, which is mapped to a service bundle, which consists of services, each of which is owned by a service provider.
University Directory Service (UDS): our Identity Management System
University Directory Service with PASE
The Benefits of PASE:
• Flexibility to handle new services and population types without reprogramming or other undue hassle
• Logical “single source” AuthZ info repository
• Secure, delegated administration
• A framework on which to implement policy
The non-technical aspects of PASE
• Interests of sponsors and service providers are often not fully aligned
• Need for a business process to agree on mappings between affiliations and service bundles
• New role for sponsors as a result of their greater control: advocate for populations in negotiations with service providers
PASE Development: An Iterative Approach
• First cut: Retirees, Fall 2003
  • Low risk
  • Minimal disruption
  • Tackle the special populations
• Second cut: Applicants, Fall 2004
  • Modify interfaces to source systems
  • Modify interfaces between our Person registry and our affiliation groups management
  • Still “lightweight” in Tom’s parlance
PASE Development: Yet to do
• More work on APIs, e.g.:
  • Enhance our feeds of PASE info to service providers, e.g. via Shib
  • Provisioning support
  • Securely managed discovery APIs
• Incorporate service and entitlement info (move to “heavyweight” in Tom’s parlance)
• Bring in more affiliations, and get more granular
• Generalize the HR source interface (with new software)
• Alignment with Signet and Grouper for the benefits of re-use
• The rest
More on PASE
http://www.doit.wisc.edu/middleware/pase/index.asp
Scott Fullerton, fullerton@doit.wisc.edu
Bev Freitag, bev.freitag@doit.wisc.edu
Questions
Appendix: PASE Terms
• Affiliation: A person’s relationship to the institution. A person can have zero, one or many affiliations. An affiliation is similar to a role.
• Authorization: Typically, authorization indicates what a person, properly authenticated, is permitted to do with a networked object or resource.
• Service: One or more activities represented in business terms. A service can be either totally automated (e.g., the mail system) or partially so (e.g., Rec Sports). Services of interest to this project are protected by an authorization process.
PASE Terms (continued)
• Service Bundle: A set of one or more services. An example might be the bundle of services that all current members of the community get. In PASE, access privileges are defined by mapping one or more affiliations to a service bundle.
• Service Entitlement: The specific, more granular actions within a service, e.g., “Update student data”.
• Service Provider: The organizational entity responsible for a service.
• Sponsor: The UW entity that proposes new affiliations, possibly registers new groups of people into the UDS, and possibly also defines a person’s affiliation(s).
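The sponsor / affiliation / service bundle / service / entitlement chain defined in these terms (and in the “Reflecting Business Process” slide), worked through as an added Python example. This is not PASE’s own code, and the sponsor, affiliation, bundle and service names in it are constructed for illustration. It shows the two security properties the deck emphasises: delegated administration scoped per sponsor, so a sponsor can only assign the affiliations it is responsible for, and entitlement resolved as the union of a person’s affiliations at the granularity of individual service actions rather than as a binary all-or-none grant.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Service:
    name: str
    provider: str                 # organizational entity responsible for the service
    entitlements: frozenset[str]  # granular actions within the service


@dataclass
class PaseRegistry:
    # sponsor -> affiliations that sponsor is allowed to assign (its delegation scope)
    sponsors: dict[str, frozenset[str]]
    # affiliation -> service bundle (the mapping sponsors and providers agree on)
    mappings: dict[str, str]
    # service bundle -> names of the services it consists of
    bundles: dict[str, frozenset[str]]
    services: dict[str, Service]
    # person -> affiliations; a person can have zero, one or many
    affiliations: dict[str, set[str]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # Referential checks: a mapping may not point at an undefined bundle,
        # and a bundle may not list a service nobody owns.
        for aff, bundle in self.mappings.items():
            if bundle not in self.bundles:
                raise ValueError(f"affiliation {aff!r} maps to unknown bundle {bundle!r}")
        for bundle, names in self.bundles.items():
            missing = names - self.services.keys()
            if missing:
                raise ValueError(f"bundle {bundle!r} lists unknown services {sorted(missing)}")

    def _check_scope(self, sponsor: str, affiliation: str) -> None:
        # Delegated administration: a sponsor acts only within its own scope.
        if affiliation not in self.sponsors.get(sponsor, frozenset()):
            raise PermissionError(f"sponsor {sponsor!r} may not manage {affiliation!r}")

    def assign(self, sponsor: str, person: str, affiliation: str) -> None:
        """Sponsor registers a person into an affiliation it is responsible for."""
        self._check_scope(sponsor, affiliation)
        if affiliation not in self.mappings:
            raise ValueError(f"affiliation {affiliation!r} has no agreed service bundle")
        self.affiliations.setdefault(person, set()).add(affiliation)

    def revoke(self, sponsor: str, person: str, affiliation: str) -> None:
        """Sponsor removes an affiliation; the person keeps any others they hold."""
        self._check_scope(sponsor, affiliation)
        self.affiliations.get(person, set()).discard(affiliation)

    def services_for(self, person: str) -> set[str]:
        """Union of services across all of a person's affiliations (none -> empty set)."""
        names: set[str] = set()
        for aff in self.affiliations.get(person, set()):
            names |= self.bundles[self.mappings[aff]]
        return names

    def is_entitled(self, person: str, service: str, action: str) -> bool:
        """A service provider's question: may this person perform this action here?"""
        svc = self.services.get(service)
        if svc is None or service not in self.services_for(person):
            return False
        return action in svc.entitlements


def build_sample_registry() -> PaseRegistry:
    """Constructed sample data; sponsor, affiliation, bundle and service names are illustrative."""
    services = {
        "email": Service("email", "DoIT", frozenset({"read", "send"})),
        "library": Service("library", "Libraries", frozenset({"borrow"})),
        "student-records": Service("student-records", "Registrar", frozenset({"view", "update"})),
        "applicant-portal": Service("applicant-portal", "Admissions", frozenset({"view-status"})),
    }
    return PaseRegistry(
        sponsors={"HR": frozenset({"employee", "retiree"}),
                  "Admissions": frozenset({"applicant"})},
        mappings={"employee": "full", "retiree": "basic", "applicant": "applicant"},
        bundles={"full": frozenset({"email", "library", "student-records"}),
                 "basic": frozenset({"email", "library"}),
                 "applicant": frozenset({"applicant-portal"})},
        services=services,
    )


if __name__ == "__main__":
    reg = build_sample_registry()
    reg.assign("HR", "pat", "retiree")          # HR is in scope for retirees
    reg.assign("Admissions", "pat", "applicant")  # a second affiliation, a second sponsor
    print(sorted(reg.services_for("pat")))
    print(reg.is_entitled("pat", "email", "send"), reg.is_entitled("pat", "student-records", "update"))
    try:
        reg.assign("Admissions", "pat", "employee")  # outside Admissions' scope
    except PermissionError as exc:
        print("refused:", exc)
```

The registry answers the provider-side question (“may this person do this action in my service?”) purely from the affiliation-to-bundle mapping, so a new population or service is handled by adding data rather than code, which is the flexibility benefit the deck claims. Scope is checked on revoke as well as assign, since removing an affiliation a sponsor does not own would be as much an abuse of delegation as granting one.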