Privilege Management with Signet: Steps to an Application
Keith Hazelton, University of Wisconsin-Madison, Internet2 MACE
Broomfield, Colorado, 1-July-04
Page 2

2004-07-01 2

UW-Madison ASAP (Access to Systems Authorization Process)

• Chose this project because it has manageable scope for discussion purposes

• Use pre-Version 1.0 Signet deliverables from Phases 1-3. See the draft Signet Toolkit Roadmap: http://middleware.internet2.edu/signet/docs/internet2-mace-signet-roadmap-00.html

Page 3

ASAP (Access to Systems Authorization Process) Vision

• The current system for granting access to our enterprise systems (3270 transactions, ISIS, etc) is a laborious paper routing system.

• This system relies on one person (Karen L.) for routing of paper authorization forms to all data custodians and for all data custodians to "sign off" on all requests.

• The ASAP system would replace the paper routing system with a web based workflow engine.

Page 4

ASAP (Access to Systems Authorization Process)

• See the draft Privilege Management Recipe at http://middleware.internet2.edu/signet/

“PM separates the management of privileges from the interpretation or application of them.”

“It does this through a central, shared repository of privilege information where privileges can be managed independent of any specific system or technology that needs it.”

Page 5

ASAP workflow

[Diagram with the labels Grantor, Custodian, Employee and Biz Func; the same figure is repeated on slides 5 through 10]

Page 11

ASAP

• A workflow process for granting access to applications appropriate to an employee’s business functions

• Workflow steps (happy path):
  – Grantor assigns a business function to an employee, but the function has entitlements that require approval by a data custodian (a prerequisite)
  – Entitlements needed by the employee to perform the business function are approved by the data custodian
  – Employee is granted appropriate access in all relevant systems

Page 12

Business Function

• Per Privilege Management Recipe:
  – “Somewhere between a job which has many responsibilities, and a system permission to perform an operation such as updating a table in a database.”

• Example Business Functions in ASAP:
  – Departmental HR administration
  – Course Timetable administration
  – Financial Aid administration

Page 13

Entitlement

• Per Privilege Management Recipe:
  – “The atomic units of authority control, representing specific operations...”

• Example Entitlements in ASAP for Departmental HR Administration:
  – Hiring
  – Reclass
  – Maintain leave information

Page 14

Implementing ASAP

• Analysis task one: Define the suite of business functions and their entitlements
  – Make the implicit explicit: Departmental HR people do Staff Management. Oh, and Leave and Benefits admin.
  – Make the specific more general: Department level and College level HR staff business functions really differ only in scope of authority
  – Specify the entitlements needed to perform each business function
  – Specify limits and prerequisites on entitlements

Page 15

Implementing ASAP: A Wrinkle

• Analysis task two: How to handle the two-step process of grant from above and approval by custodian

• One Signet-based approach: grant to custodians all the access entitlements within scope of their area of custodianship

• Now custodians can grant subsets of their privileges to employees

• Employees get all they need from union of privileges from original grantor and custodian

Page 16

Implementing ASAP

• Development task one: Design and deploy a registry for the organizational hierarchy
  – For us, this would be based on the widely used UDDS codes (Unit, Division, Department and SubDepartment)

• Development task two: Deploy Signet and wire it to infrastructure including person and organizational registries

Page 17

Implementing ASAP with Signet: Bootstrap Phase

• Implementation task one: Business analyst enters defined business functions and assigns initial bootstrap grantor

• Task two: Bootstrap grantor delegates privileges to other grantors including custodians (grant-only flavor when appropriate vs. grant and/or exercise)
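The delegation steps on slides 14 through 17 (business functions that differ only in scope of authority, custodians granted the entitlements within their area of custodianship, the grant-only flavor versus grant and exercise) can be exercised in a small model. The Python below is an added example written for this page, not Signet's own code or API. The org codes, the person names and the `can_grant`/`can_exercise` flags are assumptions; the UDDS hierarchy is modeled as a path of codes so that scope containment is a prefix test.

```python
"""Scope-limited delegation of privileges, modeled after the Signet steps on
slides 14 through 17. Added example for this page, not Signet's own code.
Org codes, names and flag semantics are assumptions made for the example."""
from dataclasses import dataclass
from typing import List, Tuple

# UDDS-style org path (Unit, Division, Department, SubDepartment), constructed.
Scope = Tuple[str, ...]


def within(target: Scope, holder_scope: Scope) -> bool:
    """A privilege held at an org node covers that node and everything below it."""
    return target[:len(holder_scope)] == holder_scope


@dataclass(frozen=True)
class Privilege:
    holder: str
    entitlement: str     # e.g. "hr:hiring", an atomic unit of authority
    scope: Scope         # org node at which the privilege was granted
    can_exercise: bool   # may the holder perform the operation?
    can_grant: bool      # may the holder delegate it? (grant-only flavor when can_exercise is False)


class Registry:
    """Minimal assignment store: who holds which entitlement, at what scope, in which flavor."""

    def __init__(self) -> None:
        self.privileges: List[Privilege] = []

    def bootstrap(self, privilege: Privilege) -> None:
        """Entered by the business analyst; this is the trust root, so no check applies."""
        self.privileges.append(privilege)

    def held(self, holder: str, entitlement: str, scope: Scope) -> List[Privilege]:
        return [p for p in self.privileges
                if p.holder == holder and p.entitlement == entitlement and within(scope, p.scope)]

    def grant(self, grantor: str, holder: str, entitlement: str, scope: Scope,
              *, exercise: bool = True, grant: bool = False) -> Privilege:
        """Delegate a subset: the grantor must hold a grant-capable privilege whose scope contains the target."""
        if not any(p.can_grant for p in self.held(grantor, entitlement, scope)):
            raise PermissionError(f"{grantor} may not grant {entitlement} at {'.'.join(scope)}")
        p = Privilege(holder, entitlement, scope, can_exercise=exercise, can_grant=grant)
        self.privileges.append(p)
        return p

    def may_exercise(self, holder: str, entitlement: str, scope: Scope) -> bool:
        return any(p.can_exercise for p in self.held(holder, entitlement, scope))


def demo() -> dict:
    reg = Registry()
    campus, ls_college = ("A",), ("A", "48")
    molbio, chem, engineering = ("A", "48", "0530"), ("A", "48", "0220"), ("A", "12")

    # Bootstrap grantor: grant-only, campus-wide (trust root).
    reg.bootstrap(Privilege("bootstrap", "hr:hiring", campus, can_exercise=False, can_grant=True))
    # Delegate to the college HR custodian: grant-only, scoped to the college.
    reg.grant("bootstrap", "custodian-ls", "hr:hiring", ls_college, exercise=False, grant=True)
    # Custodian grants exercise to Joanne for Molecular Biology only.
    reg.grant("custodian-ls", "joanne", "hr:hiring", molbio)

    results = {
        "joanne_in_molbio": reg.may_exercise("joanne", "hr:hiring", molbio),
        "joanne_in_chem": reg.may_exercise("joanne", "hr:hiring", chem),              # same entitlement, other scope
        "custodian_exercises": reg.may_exercise("custodian-ls", "hr:hiring", molbio),  # grant-only flavor
    }
    for label, grantor, target in (("custodian_outside_college", "custodian-ls", engineering),
                                   ("joanne_regrants", "joanne", molbio)):
        try:
            reg.grant(grantor, "bob", "hr:hiring", target)
            results[label] = "allowed"
        except PermissionError:
            results[label] = "refused"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two refusals are the checks a practitioner wants from a delegation model: a custodian cannot hand out authority outside the org subtree they were given, and an employee who only holds the exercise flavor cannot re-grant what she holds.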

Page 18

Approaching ASAP via Signet

• Design so that grantor uses Signet to grant business functions to employees (but with the prerequisite of custodial approval)

• That would be designed to add items to the Signet assignment document(!) such as “Give Joanne the entitlements she needs to perform the job function of departmental HR administrator in the Molecular Biology Department”

Page 19

Approaching ASAP via Signet

• The ASAP development team designs a component that regularly scans the Signet assignment document for entitlements that need data custodian approval

• And formats approval requests and puts them in the workflow queue.

• The data custodian grants the needed privileges

• After approval, the prerequisite is updated in Signet (via API!)

Page 20

Approaching ASAP via Signet

• The employee’s privilege document now shows their new entitlements with prerequisites met

• Through provisioning, these entitlements flow to the applications and systems in question

• The employee has access to all the screens and data views they need

• Karen L. can go back to her friends in the woodlands
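Slides 18 through 20 describe the prerequisite-based flow: the grantor assigns a business function whose entitlements carry a custodian-approval prerequisite, a component scans the assignment document for unmet prerequisites and queues approval requests, the custodian approves, the prerequisite is updated, and the employee's privilege document is then provisioned to the target systems. The Python below is an added example for this page, not Signet's or ASAP's code. The business function, entitlement and custodian names, the shape of the queued request and the provisioning diff are assumptions.

```python
"""Two-step grant with custodian approval as a prerequisite, following slides
18 through 20. Added example for this page, not Signet's or ASAP's code.
Names, the request tuple and the provisioning diff are assumptions."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed catalogue: one business function and its entitlements, plus which
# entitlements need a data custodian's sign-off (and who that custodian is).
BUSINESS_FUNCTIONS = {"Departmental HR administration": ["hr:hiring", "hr:reclass", "hr:leave"]}
CUSTODIAN_OF = {"hr:hiring": "hr-custodian", "hr:reclass": "hr-custodian"}  # hr:leave needs no sign-off

Request = Tuple[str, str, str, str]  # (employee, entitlement, scope, custodian)
Entry = Tuple[str, str]              # (entitlement, scope) as seen by a target system


@dataclass
class Assignment:
    employee: str
    entitlement: str
    scope: str
    grantor: str
    approvals_needed: Set[str]
    approvals_given: Set[str] = field(default_factory=set)

    def prerequisites_met(self) -> bool:
        return self.approvals_needed <= self.approvals_given


class AssignmentDocument:
    def __init__(self) -> None:
        self.assignments: List[Assignment] = []
        self.queue: List[Request] = []  # workflow queue of pending approval requests

    def assign_function(self, grantor: str, employee: str, function: str, scope: str) -> None:
        """Grantor assigns a whole business function; each entitlement records its own prerequisite."""
        for ent in BUSINESS_FUNCTIONS[function]:
            needed = {CUSTODIAN_OF[ent]} if ent in CUSTODIAN_OF else set()
            self.assignments.append(Assignment(employee, ent, scope, grantor, needed))

    def scan_for_pending(self) -> List[Request]:
        """The ASAP scanner: find unmet prerequisites and queue one request each (safe to re-run)."""
        for a in self.assignments:
            for custodian in sorted(a.approvals_needed - a.approvals_given):
                req = (a.employee, a.entitlement, a.scope, custodian)
                if req not in self.queue:
                    self.queue.append(req)
        return list(self.queue)

    def approve(self, approver: str, employee: str, entitlement: str, scope: str) -> None:
        """Custodian approves; the prerequisite is updated (the 'via API' step on slide 19).
        Only the custodian named in a queued request may approve, so the grantor cannot self-approve."""
        req = (employee, entitlement, scope, approver)
        if req not in self.queue:
            raise PermissionError(f"no pending request for {approver} on {entitlement} at {scope}")
        for a in self.assignments:
            if (a.employee, a.entitlement, a.scope) == (employee, entitlement, scope):
                a.approvals_given.add(approver)
        self.queue.remove(req)

    def privilege_document(self, employee: str) -> List[Entry]:
        """Effective entitlements: only those with every prerequisite met are visible to provisioning."""
        return sorted({(a.entitlement, a.scope) for a in self.assignments
                       if a.employee == employee and a.prerequisites_met()})


def provision(doc: AssignmentDocument, employee: str, current_acl: List[Entry]) -> Tuple[List[Entry], List[Entry]]:
    """Reconcile a target system's ACL with the privilege document: returns (to_add, to_remove)."""
    desired, current = set(doc.privilege_document(employee)), set(current_acl)
    return sorted(desired - current), sorted(current - desired)


def demo() -> dict:
    doc = AssignmentDocument()
    doc.assign_function("dept-chair", "joanne", "Departmental HR administration", "MolBio")
    results = {"before": doc.privilege_document("joanne"), "queued": doc.scan_for_pending()}
    try:
        doc.approve("dept-chair", "joanne", "hr:hiring", "MolBio")  # the grantor is not the custodian
        results["grantor_self_approval"] = "allowed"
    except PermissionError:
        results["grantor_self_approval"] = "refused"
    doc.approve("hr-custodian", "joanne", "hr:hiring", "MolBio")
    results["after_one_approval"] = doc.privilege_document("joanne")
    doc.approve("hr-custodian", "joanne", "hr:reclass", "MolBio")
    # Constructed current ACL of a target system: one stale entry (fin:aid) that must be revoked.
    results["adds"], results["removes"] = provision(doc, "joanne", [("hr:leave", "MolBio"), ("fin:aid", "MolBio")])
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points worth keeping when building the real component: the scanner is idempotent, so running it on a schedule does not flood the workflow queue with duplicate requests, and provisioning is a reconciliation (add what the document grants, remove what it does not) rather than an append, so access that is no longer in the privilege document is revoked from the target system.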

Page 21

Enhancing ASAP via Signet

• Auto-provisioning of application-level access controls based on privilege document

• Move to an event bus approach to route “privilege management events” to subscribing apps to approach near real time PM

• …

Page 22

Q & A