NPS Natural Resource & GIS Programs, Inventory and Monitoring Program
2009 Data Manager’s Meeting
Identity Management
Authentication (Prove who you are)
• Authentication techniques
– Prompt for username / password
– Relay network domain credentials
– Digital Certificates
– Smart Cards
• Username / passwords are the most common in our apps right now
– Every application stores user information, including passwords
– Every application authenticates users only within the context of a single application
– Security Risk:
• Passwords are stored in a variety of locations
• Individual applications may not have the resources to keep up with DOI password policies
• Resolution – Security Token Services (STS)
– Centralize user information in STSs
• Only the STS knows the passwords and/or other user information
• DOI security policies are addressed in one place
– The STS exchanges user credentials for an industry-standard, digitally signed token
• The token is then passed around to apps and services
• Applications/Services only have to know how to interpret the token
Security Token Service
• Validate User Credentials
– Domain accounts / Windows NTLM
• DOI’s Active Directory
• For users on the DOI network
– Usernames / Passwords
• ADAM / AD LDS, a lightweight implementation of Active Directory
• For users not on the DOI network
– Other credential types
• Digital Certificates
• Authenticating partner applications / services running automated processes
• Transform User Credentials
– Make claims about a user
– Wrap the claims within a digitally signed SAML Token
Security Token Process
Participants in the diagram: Browser, Web Portal, Species Service, Account Management Service, Security Token Service (Forms-based), Security Token Service (Windows-based), Security Token Service (Partner Organization), DOI’s ADFS
0. External user may pre-authenticate at own site
1. User requests Login
2. Redirect to STS
3a. Internal Network… go to Windows-based STS
3b. Forward to DOI’s ADFS
3c. Non-Internal Network… go to Forms-based STS
3d. For partner STS… redirect to wrap their SAML token with our SAML token
4. User requests Login, add role claims
5. Redirect to Portal
6. User requests secure data
7. Send Request with SAML Token
8. Validate SAML Signature
9. Compare “Role Claim” with permissions for secure operation
10. Provide secure data
11. Return secure data
• Apps and Services will never see usernames and passwords, just SAML tokens
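As an added example (not part of the presentation), steps 8 and 9 of the flow above in Python: the service verifies the token’s signature before reading any claim, then compares the role claim with the permissions of the secure operation. A keyed HMAC over a JSON payload stands in for the SAML XML signature, and the key, operation names and role names are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the STS signing key. A real STS signs SAML with an
# asymmetric key (XML-DSig); the verify-then-authorize order is the same.
STS_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed sample: the role claims each secure operation accepts (step 9).
PERMISSIONS = {
    "Species.FetchCertifiedList": {"SpeciesReader", "SpeciesEditor"},
    "Species.Edit": {"SpeciesEditor"},
}

def issue_token(claims, ttl_seconds=600, key=STS_KEY):
    """STS side (step 4): wrap the claims in a token and sign it."""
    body = dict(claims, exp=int(time.time()) + ttl_seconds)
    payload = base64.urlsafe_b64encode(
        json.dumps(body, sort_keys=True).encode()).decode()
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig

def validate_token(token):
    """Service side (step 8): check the signature before trusting any claim.
    Returns the claims, or None if the token is malformed, forged or expired."""
    try:
        payload, sig = token.split(".")
        expected = hmac.new(STS_KEY, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):  # constant-time compare
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError):
        return None
    if claims.get("exp", 0) < int(time.time()):
        return None
    return claims

def authorize(token, operation):
    """Step 9: compare the token's role claims with the operation's permissions.
    The service never handles a username or password, only the token."""
    claims = validate_token(token)
    if claims is None:
        return False
    roles = set(claims.get("roles", []))
    return bool(roles & PERMISSIONS.get(operation, set()))
```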
Authorization (What are you allowed to do)
• Role based authorization
– Users are placed in groups (roles) and permissions are applied to the group
– Access to a resource is granted by comparing the user’s roles to the roles defined for the resource
– Advantages:
• Permission management on a small number of groups instead of many users
– Limitations:
• Permissions are applied to resources at a very broad level. Granular rules will require more and more groups
• Roles only have meaning within individual applications
• Resource based authorization (Access Control Lists)
– Permissions are defined on the resource itself
• Specify what operation / group / user can access a resource
– Advantages:
• Authorization rules are upheld independent of what service is requesting it
– Limitations:
• Every resource would have to implement attributes that identify what it is
• In the case of system files, often requires some form of impersonation to get through operating system process rules
• Claims based authorization
– Claims are properties that describe the capabilities of an entity
• Type – allows services consuming claims to know what the claim is in reference to
• Right – describes the capability the entity has over a resource
• Resource – something over which a claim is made
– Essentially does role based authorization and more
• Roles are based on identity. Identity is one of many claims that can be made about a user
– Advantages:
• Separates authorization rules from the mechanisms used for authentication
• Authorization policies, based on claims, can be created down to a very granular level
• Very good at controlling access across platforms and applications
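An added example (not from the presentation) of the Type / Right / Resource claim model above: a role is modelled as just one claim type that expands into permission claims, so role based authorization becomes a special case, while a single permission claim can be as granular as one sub-resource. The claim types, role names and resource paths are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Claim:
    type: str      # what the claim refers to: "role" or "permission" here
    right: str     # capability over the resource, e.g. "Read" or "Edit"
    resource: str  # what the claim is made over, e.g. "Species/ROMO";
                   # for a role claim this field carries the role name

# Constructed sample: each role expands into the permission claims it implies.
ROLE_GRANTS = {
    "SpeciesReader": [("Read", "Species/*")],
    "ROMO-Editor": [("Edit", "Species/ROMO/*")],
}

def expand(claims):
    """Add the permission claims implied by any role claims in the set."""
    out = set(claims)
    for c in claims:
        if c.type == "role":
            for right, res in ROLE_GRANTS.get(c.resource, []):
                out.add(Claim("permission", right, res))
    return out

def resource_covered(pattern, resource):
    """'Species/*' covers Species/ROMO and Species/ROMO/Birds; otherwise exact match."""
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return resource == base or resource.startswith(base + "/")
    return pattern == resource

def is_allowed(claims, right, resource):
    """Decision made from claims alone: the service does not care how the user
    authenticated, only what the (already signature-validated) claims say."""
    return any(c.type == "permission" and c.right == right
               and resource_covered(c.resource, resource)
               for c in expand(claims))
```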
Challenges Solved and Still to Solve
• Authentication from multiple sources
– Currently can do multiple types of STS
• Transparent logins for domain users
• Form based username / passwords against ADAM / AD LDS
• Digital Certificates
• Will be developing a flexible and reusable API for authorization
– Determine general claim types that are needed across our services
– Identify service specific claim types that will be needed
– Make it all work for client applications other than web browsers
• Excel
• Access
• Etc.
Unit
IRMA Infrastructure Services
Problems to Solve
• Multiple copies of unit, park, etc. databases being used (every app had a different one!)
• Inconsistent park codes and names used
• No common maintenance practices
Version 1.0.0
• Centralized data source
• Initial IRMA coding standards, service structure
• Very atomic methods (not user-friendly, but they work)
Example
• Reference Service – Search Page
http://nrinfo.nps.gov
• Pick List = data + web controls:
Short-term Vision
• Full integration with IRMA practices
• Standardized park codes
• More efficient fetch methods
• More sophisticated web controls
Longer-term Vision
• Customizable web controls
• Accessible service for networks and parks
• Search and report page in NRInfo Portal
• Subunits:
– Management districts, ranger districts, etc.
• Maintenance functions
Taxonomy
IRMA Infrastructure Services
Problems to be Solved
• Multiple applications need to manage information about taxa
• We need a common currency for discussing taxa
• We would like to use other taxonomic datasets besides ITIS, such as USDA Plants
Version 1.0
• Four primary parts
– Names
– Categories
– Sources
– Classifications
• Searching by Name and by Code
• Taxon Profile pages
• Integration with Species
Search by Name
Search by Code
Search Results
Taxon Profile
Short-term Vision
• Include authorities
• Integrate USDA Plants list
• Downloadable taxonomy lists
• Saved searches and layouts
• Transform a taxa list using Crosswalks
• Links to external Classification Sources
• More search options
Long-term Vision
• Adding and editing Taxa
• Roll-up to Ranks
• Authentication
• Change History Management
• Commenting
• Other types of taxonomies
Benefits
• One-stop shopping for Taxonomy
• NPS Taxon Code serves as common currency
• New Classification Sources can be loaded, adding new sets of names
Reference Service Update
Data Manager’s Conference
April, 2009
Overview
• Problem
• Current Status
• Short-Term Plans
• Long-Term Vision
• Benefits of Service
What is the Problem?
• Fundamental need to manage citations/metadata
– Documents
– Datasets
– Photos
– Other
• Citations/Metadata in different systems
• Hard to associate/group references
• Applications do not adequately serve the needs of the natural resources program
Reference Service 1.0
• Active, non-sensitive, and non-proprietary citations from NatureBib and Data Store
• Limited subset of the Reference attributes
• Basic searching and read-only viewing
• No user-name or password required to search
• Download attachments
• Creating/Editing still done through NatureBib and Data Store
Search
• Simple search (search logic behind the scenes)
• Must be easy to use
Search Results
Detailed View
Short-Term Plans
• 1.x Iterations
– Functionality of NatureBib and DataStore
– Begin to clarify definitions
– Introduce Reference Owner and Unit Steward roles
– Begin Reference Relationships
• Split into related references (e.g., book chapter is part of book)
• Begin to Combine duplicates
• Show related references as one in Portal
– Create Reference from XML record
– Integrate with other services
• 2.0 +
– Turn off NatureBib and Data Store
– Begin following Long-Term Road Map for adding functionality
Long-Term Road Map
• Stakeholder Interviews
• Project Scope
• Version Timeline
Stakeholder Interviews
• Fall of 2008
• Gather user needs
• 100+ people interviewed
• 25+ meetings
Road Map - Project Scope
• Out for review - March 2009
• Integrates user needs
• Proposes long-term functionality
• Very general and… dry
• Minimize risks
– Get everyone on the same page
– Identify logical flaws
• Survey to Get Feedback/Comments
Survey Results
Chapter Title                                         Average  StDev
Reference Collections                                 1.2      0.5
Change History Management                             1.2      0.5
Notification                                          1.2      0.5
Search/Query References                               1.2      0.4
Introduction                                          1.2      0.6
System Level User Groups and Role Management          1.3      0.7
Reference-Reference Relationships                     1.4      0.7
Import/Export References                              1.5      1.0
Reference-Taxonomy Relationships                      1.5      0.7
Holdings                                              1.5      0.9
Reference Unit Relationships                          1.5      0.8
Reference Management                                  1.6      0.9
User Comments and Discussion Threads                  1.8      1.3
Appendix                                              1.9      1.2
Accessing the Reference Service via SOAP Messages     2.0      1.1
Road Map – Version Timeline
• Prioritize functionality in Project Scope
• Can begin once Project Scope is completed
• Very important beyond 2.0
Further Development and Refinement
• Progressive elaboration
• Regular user feedback
Diagram stages: Develop Service Version → Obtain User Feedback → Modify Versions Timeline → Progressive Elaboration of Project Scope (the diagram also carries the label “bugs”)
Benefits
• Leverages functionality of other services
– Taxonomy
– Units
– Authentication
– File
• Can be leveraged by other services
– Species
– Project
– Data Clearinghouses
NPSpecies Update
Presented by: Alison Loar
New NPSpecies is Useful Because
• Shared infrastructure
– Units, Taxonomy, Authentication, etc.
• Reusable controls
• New user friendly user interface on the NRInfo Portal
• Ability to access service fetch operations to “build your own”
Current Status
• NPSpecies 2.0.3 on NRInfo Portal
• Certified Species Lists
– For data that have been certified
– Ability to download lists
• Live Demo…
Upcoming Release
• NPSpecies 2.1.0 – Released next month
– Species lists with more views
– Park-Species Profile
– Simple stats
– List of Units (where one species is found)
– Live Demo…
Roadmap Release Plan – Short Term
• NPSpecies 2.2
– Integrate NPSpecies with New Match List Application
• NPSpecies 2.3
– Integrate NPSpecies with New Evidence Applications (Vouchers, Observations, References)
• NPSpecies 3.0
– Add/Edit/Delete
– Turn off NPSpecies 1.0
Roadmap Release Plan – Long Term
• NPSpecies 3.1
– Ability to have multiple species lists for one category & one unit in NPSpecies
– Tools to Compare and Merge data
• NPSpecies 3.2
– QA toolbox with QA Filters
– Automated workflow
IRMA Summary: What this Means for You
Data Manager’s Conference
April, 2009
Accessing Information
• Web Portal
– Consistent Interface
– Brings multiple services together
• SOAP Messages
SOAP Messages
• Simple Object Access Protocol
• Get information without a web interface
• Text messages
• Industry Standard (e.g., Travelocity)
• Supported by other Languages and Applications
– MS Products
– Python
Example SOAP Message
<CreateReference>
  <Title>Birds of ROMO</Title>
  <Publisher>NPS</Publisher>
  <DateOfIssue>20080104</DateOfIssue>
</CreateReference>
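An added example, not from the slides: building the CreateReference message above as a SOAP 1.1 envelope in Python (one of the client languages the deck lists) and parsing it on the receiving side, where the fields are checked before use. The service namespace is an assumed placeholder, and the envelope shown omits the SAML token header a real request would carry.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Hypothetical service namespace; the slides do not show the real one.
SVC_NS = "urn:example:irma:reference-service"
FIELDS = ("Title", "Publisher", "DateOfIssue")

def build_create_reference(title, publisher, date_of_issue):
    """Wrap CreateReference in a SOAP 1.1 envelope. Building the tree with
    ElementTree, not string concatenation, escapes '&' and '<' in a title."""
    env = ET.Element("{%s}Envelope" % SOAP_NS)
    body = ET.SubElement(env, "{%s}Body" % SOAP_NS)
    req = ET.SubElement(body, "{%s}CreateReference" % SVC_NS)
    for tag, value in zip(FIELDS, (title, publisher, date_of_issue)):
        ET.SubElement(req, "{%s}%s" % (SVC_NS, tag)).text = value
    return ET.tostring(env, encoding="unicode")

def parse_create_reference(xml_text):
    """Service side: pull the fields back out and validate them before use."""
    root = ET.fromstring(xml_text)
    req = root.find("{%s}Body/{%s}CreateReference" % (SOAP_NS, SVC_NS))
    if req is None:
        raise ValueError("not a CreateReference message")
    fields = {child.tag.split("}")[-1]: (child.text or "") for child in req}
    missing = [f for f in FIELDS if f not in fields]
    if missing:
        raise ValueError("missing fields: %s" % ", ".join(missing))
    # The slide writes DateOfIssue as YYYYMMDD; reject anything else early.
    d = fields["DateOfIssue"]
    if len(d) != 8 or not d.isdigit():
        raise ValueError("DateOfIssue must be YYYYMMDD")
    return fields
```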
Example Messages
• FetchReferenceList
• CreateReference
• FetchReferenceHolding
• DeleteReference
Application to Networks
• Custom applications
• Integrate multiple services for higher level functionality
• Automatic update of web pages