Implementing a Role Management System
Mairéad Martin, Carrie Regenstein
Internet2 Fall Meeting, September 20, 2005
2
Presentation Overview
• Drivers for role management at UW-Madison
• But what’s it going to take?
• The Populations, Affiliations & Service Entitlements (PASE) project
– Architecture & Design
– Infrastructure
– Functionalities
– Governance
– Status & next steps
• Relationship to I2 Signet/Grouper
3
Driver #1: Identity Management
• “Cradle to Endowment” - Applicants, parents, students, staff, faculty, alumni, retirees, applicants, donors, visitors, guests, etc.
• Managed case by case in Special Authorization system
4
Driver #2: Access to Services
• Need to provide select services to extended institutional community but:
• “All or nothing” service entitlement based on credentials
– Not clear who gets what services
– Services with varied risk and load tolerance
5
Driver #3: Enterprise portal - www.my.wisc.edu
• “One stop shopping” concept - registration, enrollment, earning statements, library services, calendar, email, etc.
• Affiliation and service lifecycle issues
6
Driver #4: Challenge or Opportunity?
• Seeking a strategic approach to an enterprise-wide problem
• Organizational, cultural, technical issues:
– Who decides priorities?
– Who decides policies?
– “Who ya gonna trust?”
7
What’s it going to take?
• New institutional territory
• Clarify leadership and decision-making roles
• Strategic rather than “band aid” approach
8
CIO Office: Challenge & Opportunity #1
• Undergraduate Applicants can access financial aid and admission status in the enterprise portal. They do not get any other services until they enroll and change status to Student.
9
CIO Office: Challenge & Opportunity #2
• The Biology 105 affiliation aggregates all students taking Biology 105 course sections. This affiliation has access to the course management system, portal, calendar and library e-reserves.
10
#3, #4, #5 ……….
• A visiting professor needs access to the network and course management system.
• UW Hospital Employees need access to Parking application.
• UW Connections Students get almost the same services as UW-Madison students.
• …………………….
11
What’s it going to take?
• Define, represent, and manage lifecycle of affiliations
• Support ad-hoc as well as institutional affiliations
• Support delegated administration
• Separate AuthN/Z processes
• Determine who gets what
• Offer services selectively
12
What’s it going to take?
• Engage stakeholders, work collaboratively
• Establish appropriate governance
13
Populations, Affiliations & Service Entitlements (PASE)
• Initiated in 2002
• Pilot with “Retirees” affiliation in 2003
• Phase 1 Implementation: “PA” (Populations, Affiliations) in 2004/5
• Phase 2 Implementation: “SE” and Interfaces in 2005/06
14
Reflecting the business process
[Diagram: a sponsor (source) registers a person, who has an affiliation, which is mapped to a service bundle, which consists of services, each of which is owned by a service provider.]
15
Reflecting the business process: Undergrad Applicants
[Diagram: the Office of Admissions registers a person, who has the affiliation “Undergrad Applicant”, which is mapped to the “Portal Access” service bundle, which consists of services owned by the Division of Information Technology.]
16
PASE Infrastructure
• Had to reengineer our University Directory Service (UDS) person registry
17
[Diagram: UDS person registry data-flow drawing dated 8/16/2002, showing source feeds (ISIS student data, HR appointment and person data, Photo ID, Special Authorization, mainframe and data warehouse tables) loading UDS_Person and the Student_Roles, HR_Roles and Special_Roles tables, with exports to LDAP.]
18
UDS v3
• Separated identity and role management functions
• Standardized source feeds
• Put affiliation definition back in source systems
• Abstracted business logic from code
19
[Diagram: UW-MSN University Directory Service v3. Source systems (ISIS: Students, Instructors, Advisors, Applicants) feed UDS v3, which in turn feeds services (Union, Parking, Rec Sports, Libraries).]
20
PASE System
• Oracle tables: PL/SQL functions
• Interfaces
– Java for user interfaces
– Web services
• Shibboleth
21
PASE Functions (each applies to both Affiliations and Services)
• Create
• Delete
• Enable
• Disable
• Assign person to
• Add attribute to
• Remove attribute from
22
PASE Affiliation & Service Management
• Entitlement: Map Services to Affiliations
• Query Functions
– Is Eligible?
– Is Member of Affiliation?
– List affiliations/services by members or owners
– Get service/affiliation
23
24
Governance
• Requested by campus at PASE campus forum
– PASE Policy Group
• Identity Management Leadership Group formed Jan. 2005
• Charged by Provost and CBO
• Led by Data Custodians
• Focus: IdM, PASE, Access to Data and Smart Card Initiatives
25
Governance
• IMLG membership:
– Registrar (co-chair)
– Director of HR (co-chair)
– Head of Libraries
– Director of Facilities
– Chief of UW Police
– Director of UW-MSN Union
– Head of Continuing Studies
– CIO Office/Division of IT
26
Governance Process
• Meets monthly
• Charges sub groups with deliberating on and presenting policies:
– PASE Policy Working Group
– PASE User Interface WG
– PASE New Hires WG
– One ID Card WG
– Access to UDS Data WG
27
PASE Policies & Processes
• Role of agents: sponsor, service providers, IMLG, administrators
• Institutional vs. other affiliations and services
• Process for service entitlement negotiation
• Security Framework:
– Authorization
– Session management, etc.
28
[Diagram, “As seen by Mairéad”: layers numbered 1. Technical, 2. Functional, 3. Policy, 4. Governance, populated by the PASE Project Team, PASE User Interface WG, PASE Policy WG, PASE New Hires WG and the Identity Mgmt Leadership Group.]
29
[Diagram, “As seen by Carrie”: the same groups, with the layers numbered in the opposite order: 1. Governance, 2. Policy, 3. Functional, 4. Technical.]
30
PASE Phase II (2005 - 06)
• System development:
– Service and entitlement engine
– PASE interfaces: provisioners, connectors, user interfaces
– Infrastructures
• PASE policies and processes
• Security framework
31
Relationship to Internet2 Signet/Grouper
• PASE predates Signet/Grouper efforts - not around when we got started in 2002/03
• PASE enterprise-wide system
• PASE not a separate registry but integral to our UDS registry
• Looking at Grouper APIs
33
PASE Glossary
• Affiliation: A person’s relationship to the institution. A person can have zero, one or many affiliations. An affiliation is similar to a role.
• Authorization: Typically, authorization indicates what a person, properly authenticated, is permitted to do with a networked object or resource.
• Entitlement: Association of an affiliation with a service.
• Population: Registered persons or persons that can be identified by means of a Publicly Visible Identifier (PVI).
34
PASE Glossary
• Service: One or more activities represented in business terms. A service can either be totally automated (e.g., the mail system) or partially so (e.g., Rec Sports). Services of interest to this project are protected by an authorization process.
• Service Bundle: A set of one or more services. An example of this might be the bundle of services that all current members of the community get. In PASE, access privileges are defined by mapping one or more affiliations to a service bundle.
• Service Entitlement: The specific, more granular, actions within a service, e.g., Update student data.
35
PASE Glossary
• Service Provider: The organizational entity responsible for a service.
• Sponsor: The UW entity that proposes new affiliations, possibly registers new groups of people into the UDS, and possibly also defines a person’s affiliation(s).
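An added example, not the PASE project’s own code (PASE is Oracle tables and PL/SQL per the PASE System slide): a small in-memory model of the glossary’s sponsor/person/affiliation/service-bundle/service-provider chain together with the query functions listed under PASE Affiliation & Service Management (Is Eligible?, Is Member of Affiliation?, list by member). It generalizes the Undergraduate Applicant slide to show the applicant-to-student transition and what disabling an affiliation revokes; the service names, the “DoIT” and “Registrar” owners and the PVI value are constructed.

```python
# Added illustration, not UW-Madison's PASE code: an in-memory entitlement
# engine on the glossary's model; disabling an affiliation revokes its services.
from collections import defaultdict

class Pase:
    def __init__(self):
        self.affiliations = {}                # name -> {"sponsor", "enabled"}
        self.members = defaultdict(set)       # affiliation -> PVIs assigned
        self.services = {}                    # service -> owning provider
        self.bundles = defaultdict(set)       # bundle -> service names
        self.entitlements = defaultdict(set)  # affiliation -> bundle names
    def create_affiliation(self, name, sponsor):
        self.affiliations[name] = {"sponsor": sponsor, "enabled": True}
    def set_enabled(self, name, enabled):     # the Enable / Disable functions
        self.affiliations[name]["enabled"] = enabled
    def assign_person(self, pvi, affiliation):
        if affiliation not in self.affiliations:
            raise KeyError(f"unknown affiliation {affiliation!r}")
        self.members[affiliation].add(pvi)
    def create_service(self, name, provider):
        self.services[name] = provider
    def create_bundle(self, name, service_names):
        self.bundles[name] |= set(service_names)
    def entitle(self, affiliation, bundle):   # entitlement: affiliation -> bundle
        self.entitlements[affiliation].add(bundle)
    def is_member(self, pvi, affiliation):    # "Is Member of Affiliation?"
        return pvi in self.members.get(affiliation, ())
    def affiliations_of(self, pvi):           # disabled affiliations drop out
        return {a for a, m in self.members.items()
                if pvi in m and self.affiliations[a]["enabled"]}
    def services_of(self, pvi):               # "List services by member"
        return {s for a in self.affiliations_of(pvi)
                for b in self.entitlements[a] for s in self.bundles[b]}
    def is_eligible(self, pvi, service):      # "Is Eligible?"
        return service in self.services_of(pvi)

def build_demo():  # constructed sample after the deck's Undergrad Applicant slide
    p = Pase()
    for svc, owner in [("admission status", "DoIT"), ("financial aid", "DoIT"),
                       ("email", "DoIT"), ("e-reserves", "Libraries")]:
        p.create_service(svc, owner)
    p.create_bundle("applicant", ["admission status", "financial aid"])
    p.create_bundle("student", list(p.services))  # students get everything
    p.create_affiliation("Undergrad Applicant", "Office of Admissions")
    p.create_affiliation("Student", "Registrar")
    p.entitle("Undergrad Applicant", "applicant")
    p.entitle("Student", "student")
    p.assign_person("PVI-0001", "Undergrad Applicant")  # constructed PVI
    return p
```

Assigning the same person to “Student” widens `services_of` to the full bundle, and `set_enabled("Student", False)` narrows it back to the applicant services without touching the membership record.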