nmi-edit Privilege Management: the Big Picture
2004 Advanced CAMP Authority Architectures Workshop, Boulder, June 30, 2004
Lynn McRae, Stanford University, lmcrae@stanford.edu
Copyright Lynn McRae, 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
9/3/2021 1
The Path to Privilege Management
- Local accounts, individuals mapped to permissions list
- Local accounts mapped to local groups mapped to permissions list
- Integration with external information: affiliations, status, etc.
- Integration with institutional groups/roles
- Centralized privilege management
PM - Local accounts
- Individuals mapped to permissions list
- No policy control and tracking
- Historically weak life-cycle controls
- Does not support cross-system privileges
PM - Local accounts & groups
- Local privileges grouped for categories of access
- If done well, can reflect roles or policy
- But interpretation of policy happens across many systems
- Still not cross-system
PM - External data
- Opportunity to automate the lifecycle
- "User" is for session/preferences, not control
- A start at roles-based authorization
- Rules for mapping relationships to permissions still implemented across systems
PM - Institutional groups & roles
- Mapping people to groups is implemented once
- Consistency from common group definitions
- Improved roles-based authorization
- Applications still have local mapping to privileges
PM - Central Management
- Single implementation mapping person to privileges, or person to group to privileges
- Independent from specific systems & technologies
- Allows privileges to be shared across systems
Role- vs Privilege-based AuthZ
- Both approaches are viable and complementary
- Roles (cf. eduPersonIsMemberOf)
  - Inter-realm: specific privileges vary in different contexts, e.g. an Instructor can submit grades at one site, read-only at another
  - Eligibility (can have) instead of authorization (can do), e.g. Faculty/Staff/Students get free email from a specific provider
- Privileges (cf. eduPersonEntitlement)
  - Permissions should be the same across service providers
  - Service providers do not need to know the rules or reason behind authorization, e.g. building access regardless of why: has office in building, taking class in building, authorized by building manager
Central Privilege Management
- A system-independent source for defining and administering privilege data
- Central repository simplifies policy management and tracking
- Consistent application of rules across systems
- Levels of institutional commitment
- NOT an authorization service...
  - A source of data for an authorization service
  - Integrates with local system security
  - Integrates with authorization mechanisms
What is Signet?
- A Privilege Management System & toolkit
  - Software to define an organization's privileges
  - Software to manage privilege information
  - A web user interface for distributed assigning and viewing of privilege information
  - Components/APIs for integrating with other systems
- NSF-funded Internet2/MACE project
- Part of the AuthZ core middleware initiative
Demo - Stanford Authority Manager (screenshot slides, not reproduced): home page; User view; Granting (seven screens); User view
Privileges building blocks
- Business view: Subsystems, Categories, Functions
- System view: Entitlements
- Shared: Scope, Limits, Pre-requisites, Conditions
Subsystems
- Highest unit of organization; defines domains of ownership and responsibility
- One built-in subsystem to manage the other authority subsystems
- Reflect real-world organizational boundaries and areas of responsibility
- Can be large or small
Categories
- Group privileges into topics within a subsystem
- Organize data logically for UI and reports
- Some control features, e.g., choose one vs. choose many
Function/Tasks/Entitlements (diagram slide; example entitlement shown: financial_SQLGL: DelphiEnt_EN_GL_Inquiry)
Scope
- Places privileges in a hierarchical context
- Distributed delegation via a chain of authority: "you can only give what you have"
- Independent of the personnel hierarchy
Limits
- One or more qualifiers for a privilege
- Choice types:
  - Numeric, ranges
  - Single/multiple choice
  - User input values, edited against a domain of values
  - Scoped limits: things "owned" by items in a hierarchy
- Knows "less" or "fewer" for delegation
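The delegation rule from the Scope and Limits slides, "you can only give what you have" with limits that know "less" or "fewer", as an added Python model; this is not Signet code, and the scope hierarchy, privilege fields, amounts and choice values are constructed for the example.

```python
from dataclasses import dataclass

# Scope hierarchy, constructed for this example: child scope -> parent scope.
SCOPE_PARENT = {
    "Stanford": None,
    "School of Medicine": "Stanford",
    "Dept of Pathology": "School of Medicine",
}

def scope_within(candidate, holder):
    """True when `candidate` is `holder` itself or lies beneath it."""
    while candidate is not None and candidate != holder:
        candidate = SCOPE_PARENT.get(candidate)
    return candidate == holder

@dataclass(frozen=True)
class Privilege:
    function: str           # e.g. "approve purchases"
    scope: str              # a node of the scope hierarchy
    max_amount: int         # numeric limit: a smaller value is "less"
    choices: frozenset      # multiple-choice limit: a subset is "fewer"
    delegable: bool = True  # having vs. delegating authority

def can_delegate(held, proposed):
    """Check a proposed grant against the privilege the grantor holds.

    Returns (ok, reasons). Each reason is one way the proposed privilege
    would exceed the grantor's own: different function, scope outside
    the grantor's scope, larger numeric limit, wider choice limit, or a
    privilege the grantor holds without the right to pass it on."""
    reasons = []
    if not held.delegable:
        reasons.append("grantor may not delegate this privilege")
    if proposed.function != held.function:
        reasons.append("different function")
    if not scope_within(proposed.scope, held.scope):
        reasons.append("scope is outside the grantor's scope")
    if proposed.max_amount > held.max_amount:
        reasons.append("numeric limit exceeds the grantor's")
    if not proposed.choices <= held.choices:
        reasons.append("choice limit is wider than the grantor's")
    return (not reasons, reasons)
```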
Entitlement integration (diagram slide)
Assignment features
- Prerequisites (auto-activation)
- Conditions (auto-revocation)
- Having vs. delegating authority
Assignment features (continued)
- Assigning privileges to groups
  - Groups may represent roles
  - But role management per se is a future concern
- XML output
  - Union of privileges: those you have as an individual, plus those you have via proxy, plus those via group membership
Other features
- Designated drivers
  - Authority-granting proxy
  - Acting proxy
- Notification
- Audit history
Assignment example
By authority of the Dean [grantor], as soon as you are a principal investigator [role (group)] and have completed training [prerequisite], you can approve purchases [function] in the School of Medicine [scope] for your research project up to $100,000 [limits] until January 1, 2006 [condition].
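The Dean's assignment above, as an added Python model of how a prerequisite (auto-activation), a condition (auto-revocation), scope, a limit and the union of individual, proxy and group privileges combine into one authorization decision; this is not Signet code, and the people, group, dates and scope hierarchy are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Scope hierarchy, constructed for this example: child scope -> parent scope.
SCOPE_PARENT = {"Stanford": None, "School of Medicine": "Stanford"}

def scope_within(candidate, holder):
    """True when `candidate` is `holder` itself or lies beneath it."""
    while candidate is not None and candidate != holder:
        candidate = SCOPE_PARENT.get(candidate)
    return candidate == holder

@dataclass(frozen=True)
class Assignment:
    grantor: str
    grantee: str        # a person, or a group standing in for a role
    function: str
    scope: str
    max_amount: int     # limit
    prerequisite: str   # auto-activation: a fact that must hold first
    expires: date       # condition: auto-revocation date

# The slide's example: the Dean grants approval authority to the PI group.
DEAN_GRANT = Assignment("Dean", "principal investigators", "approve purchases",
                        "School of Medicine", 100_000,
                        "completed training", date(2006, 1, 1))

def is_active(a, facts, today):
    """Not active until the prerequisite holds; revoked once the date passes."""
    return a.prerequisite in facts and today < a.expires

def effective(person, facts, groups, proxies_for, assignments, today):
    """Union of privileges held individually, via proxy, and via group."""
    holders = {person} | set(groups) | set(proxies_for)
    return [a for a in assignments
            if a.grantee in holders and is_active(a, facts, today)]

def authorized(person, facts, groups, proxies_for, assignments, today,
               function, scope, amount):
    """Decide one request: some effective assignment must match the function,
    have a scope containing the requested scope, and a limit covering amount."""
    return any(a.function == function
               and scope_within(scope, a.scope)
               and amount <= a.max_amount
               for a in effective(person, facts, groups, proxies_for,
                                  assignments, today))
```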
For more information...
- The project web site: http://middleware.internet2.edu/signet/
- Email list: signet@internet2.edu
- Magic elves drawing from http://intranet.hackneylea.org.uk/highwire/srb intranet/fairy tales/fairytales menu.html