Spring 2012 Internet2 Members Meeting, April 23, 2012
Mace Paccman Working Group
Thomas Dopirak, Keith Hazelton, Co-chairs
2 – 4/23/12, © 2012 Internet2
MPWG Shoutout
• Rob Carter, Emily Eisbruch, Chris Hyzer, Steve Olshansky, Chris Phillips, Michael Pelikan, Mark Scheible, Bill Thompson, Heather Flanagan, Jim Leous, Boyd Wilson, Benn Oshrin, Mark Rank, Keith Hazelton, Tom Dopirak
Agenda
• Welcome and Paccman's Place in the Cosmos – Dopirak
• Glossaries and Toothbrushes – Dopirak
• Recipe for Access Management – Chris Phillips and others
• Provisioning and OSIDMHE – Carter
• Action Items and preview – All
PACCMAN'S PLACE IN THE COSMOS
• Mace Paccman is a venue for tackling issues related to providing efficient and effective means for organizations and individuals to control access to computer-based resources.
EVERYONE NEEDS A GLOSSARY – THE SIMPLE ONE
Term – Definition
Action – Describes the access to a resource, e.g. "delete", "add", "reserve". Often used interchangeably with function and verb.
Group – A set of subjects
Limit – A constraint on a privilege that must be calculated at time of access
Privilege/Permission – An expression of access to a resource
Resource – A service, datum, or any other object for which access is controlled
Role – A set of subjects and the set of privileges they all possess
Subject – A person, a service acting on behalf of a person, or a set of subjects
More Glossaries
• A Mace glossary – https://spaces.internet2.edu/display/macepaccman/Another+Glossary+Page
• A glossary for the recipe – https://spaces.internet2.edu/display/macepaccman/Access+Management+Recipe++V2
• A very nuanced glossary – https://spaces.internet2.edu/display/macepaccman/MACE-paccman-glossary
THE EVOLUTION OF ACCESS MANAGEMENT
Phase – Description
None (mostly physical controls) – If you can authenticate you get everything
Control by contract – Same as above, with a no-abuse policy
Hard-coded privilege tables at the resource – What most applications still do
The above + LDAP calls for intrinsic attributes – Mostly affiliation, but other eduPerson attributes apply
An attribute authority – The resource can get any attribute that policy permits
An external yes/no authorization service – An external service calculates whether access is permitted
A XACML PERSPECTIVE ON ACCESS MANAGEMENT – the policy administration point

Policy Administration Point (PAP) – the location which administrates the policies.
Comparable Shibboleth component: available in both the IdP and SP configurations, in XML files.
Comparable Grouper component: the policies can be administered in the Grouper UI, web service, loader configuration, etc.
A XACML PERSPECTIVE ON ACCESS MANAGEMENT – the policy decision point

Policy Decision Point (PDP) – the location which evaluates and issues authorization decisions.
Comparable Shibboleth component: the Shibboleth IdP, in that the IdP may forward attributes to the SP which are used in determining access.
Comparable Grouper component: the Grouper web service can evaluate whether someone is a member of a group/role, has certain privileges, etc. It can also take limits into account, if applicable, when computing the result.
A XACML PERSPECTIVE ON ACCESS MANAGEMENT – the policy enforcement point

Policy Enforcement Point (PEP) – the location which intercepts the user's access request to a resource and enforces the PDP decision.
Comparable Shibboleth component: the Shibboleth SP module.
Comparable Grouper component: you can use the Shibboleth SP module, or code in your application could make an LDAP call or a web service call to Grouper to check privileges (the GrouperClient could help, via Java or the command line).
A XACML PERSPECTIVE ON ACCESS MANAGEMENT – the policy information point

Policy Information Point (PIP) – the location which provides information to the PDP.
Comparable Shibboleth component: LDAP directory or SQL database connected to the IdP.
Comparable Grouper component: Grouper can pull data from external SQL database or LDAP data sources via the Grouper loader and act as a PIP for its clients via the Grouper web service or through a provisioning method.
The Recipe for the Recipe
• Assess – Create an inventory
  – scope of access, span of control, magnitude
• Recognize & Generalize
  – Classify by known types or bespoke effort
• Craft the Vision
  – 'now' vs 'what it should or could be'
    • Opportunity to write the self-fulfilling prophecy
    • Have both short and long term goals
    • Demonstrate value at each step, better than 'big bang'
  – Baseline for vision & values
    • How else will people know the context?
    • How else to know if you are in alignment?
Available Ingredients
• Staples of Access Control (AC)
  – Group Based (GBAC)
  – Role Based (RBAC)
  – Entitlement Based (EBAC)
  – Attribute Based (ABAC*)
• Good to have, not always easy to get
  – Naming conventions
  – Governance & accountability
  – Key processes identified & defined
* XACML refers to itself as ABAC at times
Illustrative Use Case: GBAC or [G^R^E]BAC?
Institution X has a central IT department with a manager and sysadmins, some of whom have root.
Approach: GBAC
• Implementation: 2 groups, Dept-IT and hasRoot; set members as needed
• Benefits: out of the box; existing (group) tools; downstream systems could digest it more easily
• Drawbacks: no relationships can be inferred; scaling challenge, since groups map 1:1 to permissions; diverges from org structure into a mish-mash; not intuitive to decode the meaning of groups

Approach: [G^R^E]BAC
• Implementation: 1 group 'Dept-IT'; 1 role 'sysadmin'; 1 entitlement 'hasRoot'; the role has a set of entitlements which includes 'hasRoot'
• Benefits: discrete separation of org membership, role and job function; partitions span-of-control decisions to that which is relevant; minimal elements; role acts as a container for entitlements; entitlements can stand alone; entitlements can be subscoped
• Drawbacks: not all systems have visibility to all elements; administration of the environment (what should be a group? what should be an entitlement?) is challenging; privacy
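The PDP/PEP/PIP split from the XACML slides and the Institution X use case above, as an added example; this is not code from the deck, from Grouper or from Shibboleth. It models the PIP as plain dictionaries, puts a GBAC decision function beside a [G^R^E]BAC one behind the same PEP, and carries a limit that is calculated at time of access (the glossary's definition) rather than stored as membership. Every concrete name is an assumption for illustration: the group Dept-IT, the role sysadmin, the entitlement hasRoot, the hosts web01 and db01, a 02:00–05:00 maintenance-window limit, the stale member dave, and the policy that a role only takes effect for current Dept-IT members.

```python
"""Toy PDP/PEP/PIP model for the Institution X use case (central IT, some
sysadmins hold root).  Added example for this page, not code from the
MACE-paccman deck, Grouper or Shibboleth.  All names (Dept-IT, sysadmin,
hasRoot, web01/db01, the maintenance window, the 'role needs current Dept-IT
membership' rule) are assumptions chosen to contrast GBAC with [G^R^E]BAC.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, FrozenSet, Optional, Set

Limit = Callable[[dict], bool]  # constraint on a privilege, evaluated per request


@dataclass(frozen=True)
class Entitlement:
    name: str                               # job function, e.g. "hasRoot"
    scope: Optional[FrozenSet[str]] = None  # subscope: hosts covered; None = all
    limit: Optional[Limit] = None           # time-of-access constraint, if any


@dataclass
class Directory:
    """Policy Information Point (PIP): the data the PDP consults."""
    groups: Dict[str, Set[str]] = field(default_factory=dict)        # group -> subjects
    role_members: Dict[str, Set[str]] = field(default_factory=dict)  # role -> subjects
    role_entitlements: Dict[str, Set[Entitlement]] = field(default_factory=dict)
    subject_entitlements: Dict[str, Set[Entitlement]] = field(default_factory=dict)


def in_maintenance_window(ctx: dict) -> bool:
    """Assumed limit: root may only be exercised between 02:00 and 05:00."""
    return 2 <= ctx["now"].hour < 5


def request_context(hour: int) -> dict:
    """Constructed request context carrying only the access time (assumed date)."""
    return {"now": datetime(2012, 4, 23, hour, 0)}


def build_gbac_pip() -> Directory:
    """GBAC: two flat groups; the group named 'hasRoot' *is* the permission."""
    return Directory(groups={
        "Dept-IT": {"alice", "bob", "carol"},
        "hasRoot": {"bob", "dave"},  # dave has left Dept-IT; nothing links the two groups
    })


def build_grebac_pip() -> Directory:
    """[G^R^E]BAC: one group, one role, one entitlement.  The role holds the
    entitlement; an entitlement can also stand alone and be subscoped."""
    root_anywhere = Entitlement("hasRoot", None, in_maintenance_window)
    root_web_only = Entitlement("hasRoot", frozenset({"web01"}), in_maintenance_window)
    return Directory(
        groups={"Dept-IT": {"alice", "bob", "carol"}},
        role_members={"sysadmin": {"bob", "dave"}},       # dave's role assignment is stale
        role_entitlements={"sysadmin": {root_anywhere}},
        subject_entitlements={"carol": {root_web_only}},  # stand-alone, subscoped to web01
    )


def gbac_pdp(pip: Directory, subject: str, wanted: str, resource: str, ctx: dict) -> bool:
    """PDP for GBAC: membership in the group named after the permission.
    Resource and context are ignored: no subscope, no limit, no tie to Dept-IT."""
    return subject in pip.groups.get(wanted, set())


def grebac_pdp(pip: Directory, subject: str, wanted: str, resource: str, ctx: dict) -> bool:
    """PDP for [G^R^E]BAC.  Assumed policy: the subject must still be in Dept-IT,
    must hold the entitlement directly or through a role, the entitlement's
    scope must cover the resource, and its limit must hold for this request."""
    if subject not in pip.groups.get("Dept-IT", set()):
        return False
    held: Set[Entitlement] = set(pip.subject_entitlements.get(subject, set()))
    for role, members in pip.role_members.items():
        if subject in members:
            held |= pip.role_entitlements.get(role, set())
    for ent in held:
        if ent.name != wanted:
            continue
        if ent.scope is not None and resource not in ent.scope:
            continue
        if ent.limit is not None and not ent.limit(ctx):
            continue
        return True
    return False


def pep(pdp, pip: Directory, subject: str, wanted: str, resource: str, ctx: dict) -> str:
    """Policy Enforcement Point: intercepts the request, asks the PDP, enforces.
    Returns the decision it enforced, in XACML's Permit/Deny vocabulary."""
    return "Permit" if pdp(pip, subject, wanted, resource, ctx) else "Deny"


if __name__ == "__main__":
    gb, gr = build_gbac_pip(), build_grebac_pip()
    for who, host, hour in [("bob", "db01", 3), ("bob", "db01", 12), ("carol", "web01", 3),
                            ("carol", "db01", 3), ("dave", "db01", 3), ("alice", "web01", 3)]:
        ctx = request_context(hour)
        print(f"{who:6} {host:6} {hour:02d}:00  GBAC={pep(gbac_pdp, gb, who, 'hasRoot', host, ctx):6} "
              f"[G^R^E]BAC={pep(grebac_pdp, gr, who, 'hasRoot', host, ctx)}")
```

The dave case is the "no relationships can be inferred" drawback made concrete: under GBAC a stale hasRoot membership keeps granting root because nothing ties that group to Dept-IT, whereas under [G^R^E]BAC the same stale role assignment is inert once the org membership is gone. The carol case shows a stand-alone, subscoped entitlement, and the bob-at-noon case shows a limit denying a privilege the subject otherwise holds.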
SWOT on *BAC

Group
• Strengths: ubiquitous
• Weaknesses: one size does not fit all
• Opportunities: prevalence of existing tools (Grouper, AD native admin)
• Threats: privacy; hard to lock endpoints from editing

Role
• Strengths: good aggregator of entitlements
• Weaknesses: not as ubiquitous as groups, therefore less UI & tools
• Opportunities: common vocabulary available; ability to aggregate entitlements
• Threats: hard to maintain unless dynamically calculated on the fly

Entitlement
• Strengths: very fine grained; ability to subscope
• Weaknesses: information leakage in single form
• Opportunities: large, can go down to as fine as one needs (e.g. see field X)
• Threats: delegated admin will be desirable but hard to come by

Attribute
• Strengths: all about existing data; federation friendly
• Weaknesses: one full schema does not exist; parity & semantic accuracy, both across apps and fed2fed
• Opportunities: powerful when using XACML and attributes as input
• Threats: attribute-by-attribute authenticity and trust (by whom & for whom) needs work
Recipe Take Aways
• It's about techniques and inputs
  – Outcome of the recipe will be what you can digest and support
  – Common techniques provide a yardstick of what the common themes are
• Expect a blend of approaches
  – (i.e., it's not all group privilege & access mgt)
• Tailor the SWOT to your situation
  – change it based on your perspective, abilities, and portfolio of apps

It's about how to choose, not what to choose!
Next Steps
• Tell us what you think…no really!
• Questions we have:
  – Use cases are still valuable to collect; let us know yours, and if you feel you have solved a problem, we want to hear about it.
  – Should paccman converge into OS4HEIDM-provisioning?

See http://middleware.internet2.edu/paccman/ for details
WORKING GROUP CALLS
Working Group Calls are Alternate Thursdays 1PM Eastern
Subscribe to the mailing-list to get Agendas and Call-in information
April 22, 2012 Mace Paccman Working Group
Thank you!
For more information,
please visit
http://middleware.internet2.edu/paccman/
EVERYONE NEEDS A GLOSSARY – THE MACE ONE
Terms:
• Assertion
• Attribute
• Authority
• Privilege/Permission
• Consent
• Delegation
• Deprovisioning
• Inheritance
• InterFederation
• Level of Assurance
• Provisioning
• Privilege-Set