Roles (Enterprise Authorizations) @ MIT
- Slides: 18
Roles (Enterprise Authorization) @ MIT
This entire presentation can be found here: https://wikis.mit.edu/confluence/display/IAM/Roles
Rob Campanella, Identity & Access Management
MIT | IS&T | Systems Optimization & Integration Solutions
W92-154 | 617-324-8143 | rcampane@mit.edu
Session Objectives
- What is an authorization?
- Enterprise Authorization
  - What is it?
  - Why should I use it?
  - How do I use it?
- Q&A
What is an authorization?
- 3 parts
  - Who (person)
  - What (function)
  - Where (qualifier), which can be NULL
- Examples
  - Tom Brady is quarterback for the New England Patriots
  - Rob Campanella can spend on profit center PC 242800
  - Rob Campanella is Roles Administrator
Person (the who)
- Now: Kerberos principal
- Future possibilities
  - Touchstone Collaboration Account
  - Moira group
Function (the what)
- Usually a task, but can also describe a position/responsibility
- Defined in understandable business terms
- Grouped into 'categories'
- Paired with a specific qualifier type
  - Marty Walsh is Mayor of Boston (City qualifier type works)
  - Marty Walsh is Mayor of Massachusetts (State qualifier type does not work)
Function cont. - Inheritance
Diagram: "Can edit HR data" (held by Eddie) sits above "Can view HR data" (held by Jeff); holding the higher function implies the lower one.
- Jeff can view HR data for Biology
- Eddie can edit HR data for Biology
- Eddie can view HR data for Biology (implied by the edit function)
Qualifier (the where)
- Defines scope
- Hierarchy based
- (or NULL)
Qualifier cont. - Inheritance
Diagram of the qualifier hierarchy: ALL Departments at the root; beneath it School of Science (Biology, Chemistry) and School of Engineering (Mechanical Engineering).
- An auth at School of Science means the entire School of Science (Biology & Chemistry in this example)
- An auth at Biology means only Biology
Additional authorization rules/fields
- No negative authorizations
- Effective & expiration dates
- Can do vs. can grant
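The rules on the preceding slides (three-part authorizations, function inheritance, qualifier-hierarchy inheritance, NULL qualifiers, effective/expiration dates, can do vs. can grant, and no negative authorizations) combine into a single evaluation. The following is an added Python example written for this page, not Roles' own code: the hierarchy, function codes, people and dates are constructed to mirror the slides' examples, and treating a NULL-qualified auth as matching only a NULL-qualified request is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional

# Constructed qualifier hierarchy (child -> parent), modelled on the
# "Qualifier cont. - Inheritance" slide. "ALL" is the root.
QUALIFIER_PARENT = {
    "SCHOOL_OF_SCIENCE": "ALL",
    "SCHOOL_OF_ENGINEERING": "ALL",
    "BIOLOGY": "SCHOOL_OF_SCIENCE",
    "CHEMISTRY": "SCHOOL_OF_SCIENCE",
    "MECHANICAL_ENGINEERING": "SCHOOL_OF_ENGINEERING",
}

# Function implication, modelled on the "Function cont. - Inheritance" slide:
# holding the key function implies each function in the value set.
# These function names are hypothetical, not real Roles function codes.
FUNCTION_IMPLIES = {
    "HR_EDIT": {"HR_VIEW"},
}


@dataclass(frozen=True)
class Authorization:
    person: str
    function: str
    qualifier: Optional[str]            # None models a NULL qualifier
    effective: date
    expiration: Optional[date] = None   # None = no expiration
    can_grant: bool = False             # "can grant" as opposed to plain "can do"


def qualifier_and_ancestors(qualifier: str) -> Iterable[str]:
    """Yield the qualifier itself, then each ancestor up to the root."""
    node: Optional[str] = qualifier
    while node is not None:
        yield node
        node = QUALIFIER_PARENT.get(node)


def implied_functions(function: str) -> set:
    """Transitive closure of FUNCTION_IMPLIES starting from `function` (includes it)."""
    seen, stack = set(), [function]
    while stack:
        f = stack.pop()
        if f in seen:
            continue
        seen.add(f)
        stack.extend(FUNCTION_IMPLIES.get(f, ()))
    return seen


def is_authorized(auths, person, function, qualifier, on, need_grant=False) -> bool:
    """True iff some active authorization for `person` covers (function, qualifier) on date `on`.

    Because there are no negative authorizations, evaluation is purely additive:
    the first covering grant decides and nothing can subtract from it.
    """
    for a in auths:
        if a.person != person:
            continue
        # Effective/expiration dates: outside the window the auth is inert.
        if on < a.effective or (a.expiration is not None and on > a.expiration):
            continue
        # "Can do" vs "can grant": a grant check needs the stronger flag.
        if need_grant and not a.can_grant:
            continue
        # Function inheritance: an HR_EDIT auth covers a request for HR_VIEW.
        if function not in implied_functions(a.function):
            continue
        # Qualifier inheritance: an auth at a node covers everything beneath it.
        # Assumption: a NULL-qualified auth only matches a NULL-qualified request.
        if a.qualifier is None:
            if qualifier is None:
                return True
            continue
        if qualifier is not None and a.qualifier in qualifier_and_ancestors(qualifier):
            return True
    return False


# Constructed sample data following the slides' examples.
SAMPLE_DATE = date(2015, 9, 1)
EARLIER_DATE = date(2015, 3, 1)
SAMPLE_AUTHS = [
    Authorization("JEFF", "HR_VIEW", "BIOLOGY", date(2015, 1, 1)),
    Authorization("EDDIE", "HR_EDIT", "BIOLOGY", date(2015, 1, 1)),
    Authorization("RCAMPANE", "HR_VIEW", "SCHOOL_OF_SCIENCE", date(2015, 1, 1), can_grant=True),
    Authorization("RCAMPANE", "ROLES_ADMIN", None, date(2015, 1, 1)),
    Authorization("TEMP", "HR_VIEW", "CHEMISTRY", date(2015, 1, 1), expiration=date(2015, 6, 30)),
]

if __name__ == "__main__":
    for who, fn, q in [("EDDIE", "HR_VIEW", "BIOLOGY"), ("EDDIE", "HR_VIEW", "CHEMISTRY"),
                       ("JEFF", "HR_EDIT", "BIOLOGY"), ("RCAMPANE", "HR_VIEW", "CHEMISTRY")]:
        print(who, fn, q, is_authorized(SAMPLE_AUTHS, who, fn, q, SAMPLE_DATE))
```

The evaluator answers the slide's two API questions the same way Roles does in the example: RCAMPANE's view auth at School of Science covers Biology and Chemistry but not Mechanical Engineering, Eddie's edit auth also answers a view question, and an expired auth silently stops matching rather than needing an explicit deny.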
Life without Enterprise Authorization
- User enters auths into multiple systems
- Each system may have a different interface
- Must understand the inner workings of each system to create appropriate auths
- Conflicts can be created
- The same business auth may need to be entered in multiple systems
- No complete picture of a user's authorizations
Diagram: the user enters auths separately into System #1, System #2, System #3, System #4 ... System #N
Life with Enterprise Authorization
- Single interface for entering all auths
- Only need to understand the business need, not the underlying system
- The same auth can span multiple systems
- Conflicts prevented
- Can see the complete picture of a user
Diagram: the user enters auths into ROLES, which feeds System #1, System #2, System #3, System #4 ... System #N
Enterprise Authorization @ MIT = ROLES (rolesapp.mit.edu)
- Centrally managed
  - Authorization System of Record
- Distributed entry/maintenance
  - Access should be granted by those closest to the resource
  - Primary Authorizers
- Conflict/SOD (separation of duties) identification/prevention
- Implied (rule based) authorizations
- Audit trail
- Reporting
- API
API Example (currently SOAP)
System #1 asks ROLES: Can RCAMPANE view HR data for BIOLOGY? ROLES answers YES.
System #1 asks ROLES: Can RCAMPANE view HR data for CHEMISTRY? ROLES answers NO.
WSDLs
- Dev: https://ws-dev.mit.edu/rolesws
- Test: https://ws-test.mit.edu/rolesws
- Prod: https://rolesws.mit.edu/rolesws
Method: isUserAuthorizedExt
SOAP Request
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:rolesService">
      <soapenv:Header/>
      <soapenv:Body>
        <urn:isUserAuthorizedExt>
          <urn:UserName>RCAMPANE</urn:UserName>
          <urn:function_category>UADM</urn:function_category>
          <urn:function_name>UA_DECISION_RPT</urn:function_name>
          <urn:qualifier_code>NULL</urn:qualifier_code>
          <urn:proxyUserName>DECI$ION</urn:proxyUserName>
          <urn:realOrImplied>B</urn:realOrImplied>
        </urn:isUserAuthorizedExt>
      </soapenv:Body>
    </soapenv:Envelope>
SOAP Response
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <soapenv:Body>
        <isUserAuthorizedExtResponse xmlns="urn:rolesService">
          <isUserAuthorizedExtReturn>false</isUserAuthorizedExtReturn>
        </isUserAuthorizedExtResponse>
      </soapenv:Body>
    </soapenv:Envelope>
Steps required to call the Roles SOAP API
- Request an app cert: https://wikis.mit.edu/confluence/display/devtools/Home
- Create a "server" user in Roles
- Associate the app cert with the server user in the allowedLocations.properties file on the Roles web server
- Grant appropriate auths to the server user
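To show the request/response exchange from the two SOAP slides and the app-cert step above as working client code, here is an added Python example written for this page; it is not MIT's client or the Roles service's own code. It builds the isUserAuthorizedExt envelope with the field names from the request slide, parses a constructed copy of the response slide, and fails closed on anything other than a literal true. The cert/key file names, the Content-Type and SOAPAction headers, the assumption that the WSDL URL is also the POST endpoint, and the reading of realOrImplied=B as "both real and implied" are assumptions; the network call itself is not exercised offline.

```python
import ssl
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ROLES_NS = "urn:rolesService"
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("urn", ROLES_NS)

# Endpoints from the WSDL slide. Assumption: the WSDL URL is also the POST endpoint.
ROLES_WS = {
    "dev": "https://ws-dev.mit.edu/rolesws",
    "test": "https://ws-test.mit.edu/rolesws",
    "prod": "https://rolesws.mit.edu/rolesws",
}


def build_request(user, category, function, qualifier, proxy_user, real_or_implied="B"):
    """Serialize an isUserAuthorizedExt call using the element names from the request slide.

    `qualifier=None` is sent as the literal string NULL, as in the slide's example.
    """
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    call = ET.SubElement(body, f"{{{ROLES_NS}}}isUserAuthorizedExt")
    fields = [
        ("UserName", user),
        ("function_category", category),
        ("function_name", function),
        ("qualifier_code", "NULL" if qualifier is None else qualifier),
        ("proxyUserName", proxy_user),
        ("realOrImplied", real_or_implied),  # "B" copied from the slide; assumed to mean both real and implied
    ]
    for tag, value in fields:
        ET.SubElement(call, f"{{{ROLES_NS}}}{tag}").text = value
    return ET.tostring(env, encoding="unicode")


def parse_response(xml_text: str) -> bool:
    """Fail closed: only a literal 'true' in isUserAuthorizedExtReturn grants access.

    A SOAP Fault, a missing element or any other text raises, so a transport or
    parsing problem can never be mistaken for a YES by the calling system.
    """
    root = ET.fromstring(xml_text)
    fault = root.find(f".//{{{SOAP_NS}}}Fault")
    if fault is not None:
        raise RuntimeError("Roles returned a SOAP Fault: " + ET.tostring(fault, encoding="unicode"))
    ret = root.find(f".//{{{ROLES_NS}}}isUserAuthorizedExtReturn")
    if ret is None or ret.text is None:
        raise ValueError("no isUserAuthorizedExtReturn element in response")
    text = ret.text.strip().lower()
    if text not in ("true", "false"):
        raise ValueError(f"unexpected isUserAuthorizedExtReturn value: {ret.text!r}")
    return text == "true"


def ask_roles(envelope: str, env: str = "prod", cert=("app.crt", "app.key")) -> bool:
    """POST the envelope over mutual TLS with the app cert from the steps slide.

    Assumptions: the cert/key file names and the HTTP headers. Not run offline.
    """
    ctx = ssl.create_default_context()
    ctx.load_cert_chain(*cert)  # the app cert that allowedLocations.properties maps to the server user
    req = urllib.request.Request(
        ROLES_WS[env],
        data=envelope.encode("utf-8"),
        headers={"Content-Type": "text/xml; charset=utf-8", "SOAPAction": ""},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return parse_response(resp.read().decode("utf-8"))


# Constructed copy of the response slide, used for offline testing.
SAMPLE_RESPONSE = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:xsd="http://www.w3.org/2001/XMLSchema" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    "<soapenv:Body>"
    '<isUserAuthorizedExtResponse xmlns="urn:rolesService">'
    "<isUserAuthorizedExtReturn>false</isUserAuthorizedExtReturn>"
    "</isUserAuthorizedExtResponse>"
    "</soapenv:Body></soapenv:Envelope>"
)

if __name__ == "__main__":
    print(build_request("RCAMPANE", "UADM", "UA_DECISION_RPT", None, "DECI$ION"))
    print("authorized:", parse_response(SAMPLE_RESPONSE))
```

Two points a calling system should keep: the decision is taken only from the exact isUserAuthorizedExtReturn element, never from "the response came back 200", and the app cert is what ties the caller to its Roles server user, so it deserves the same protection as any other credential that can ask authorization questions on behalf of a proxy user.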
Q&A
- Questions now?
- Questions later? roles@mit.edu
- Project later? Involve us as early as possible