Page 1: Implementing a Role Management System Mairéad Martin Carrie Regenstein Internet2 Fall Meeting September 20, 2005

Implementing a Role Management System

Mairéad Martin, Carrie Regenstein

Internet2 Fall Meeting, September 20, 2005

Page 2

Presentation Overview

• Drivers for role management at UW-Madison

• But what’s it going to take?

• The Populations, Affiliations & Service Entitlements (PASE) project
  – Architecture & Design
  – Infrastructure
  – Functionalities
  – Governance
  – Status & next steps

• Relationship to I2 Signet/Grouper

Page 3

Driver #1: Identity Management

• “Cradle to Endowment” - Applicants, parents, students, staff, faculty, alumni, retirees, applicants, donors, visitors, guests, etc.

• Managed case by case in Special Authorization system

Page 4

Driver #2: Access to Services

• Need to provide select services to extended institutional community but:

• “All or nothing” service entitlement based on credentials
  – Not clear who gets what services
  – Services with varied risk and load tolerance

Page 5

Driver #3: Enterprise portal - www.my.wisc.edu

• “One stop shopping” concept - registration, enrollment, earning statements, library services, calendar, email, etc.

• Affiliation and service lifecycle issues

Page 6

Driver #4: Challenge or Opportunity?

• Seeking a strategic approach to an enterprise-wide problem

• Organizational, cultural, technical issues:
  – Who decides priorities?
  – Who decides policies?
  – “Who ya gonna trust?”

Page 7

What’s it going to take?

• New institutional territory

• Clarify leadership and decision-making roles

• Strategic rather than “band-aid approach”

Page 8

CIO Office: Challenge & Opportunity #1

• Undergraduate Applicants can access financial aid and admission status in the enterprise portal. They do not get any other services until they enroll and change status to Student.

Page 9

CIO Office: Challenge & Opportunity #2

• The Biology 105 affiliation aggregates all students taking Biology 105 course sections. This affiliation has access to the course management system, portal, calendar and library e-reserves.

Page 10

#3, #4, #5 ……….

• A visiting professor needs access to the network and course management system.

• UW Hospital Employees need access to Parking application.

• UW Connections Students get almost the same services as UW-Madison students.

• …………………….

Page 11

What’s it going to take?

• Define, represent, and manage lifecycle of affiliations

• Support ad-hoc as well as institutional affiliations

• Support delegated administration

• Separate AuthN/Z processes

• Determine who gets what

• Offer services selectively

Page 12

What’s it going to take?

• Engage stakeholders, work collaboratively

• Establish appropriate governance

Page 13

Populations, Affiliations & Service Entitlements (PASE)

• Initiated in 2002

• Pilot with “Retirees” affiliation in 2003

• Phase 1 Implementation: “PA” (Populations, Affiliations) in 2004/5

• Phase 2 Implementation: “SE” and Interfaces in 2005/06

Page 14

Reflecting the business process

[Diagram: a sponsor (source) registers a person, who has an affiliation, which is mapped to a service bundle, which consists of services, each of which is owned by a service provider.]

Page 15

Reflecting the business process: Undergrad Applicants

[Diagram: the Office of Admissions registers a person, who has the affiliation “Undergrad Applicant”, which is mapped to the “Portal Access” service bundle, which is owned by the Division of Information Technology.]

Page 16

PASE Infrastructure

• Had to reengineer our University Directory Service (UDS) person registry

Page 17

[Diagram: data-flow drawing of the existing UDS person registry (drawing dated 8/16/2002), showing source feeds (ISIS enrollment and demographic tables, HR appointment and person data, Photo ID, Special Authorization, UW Connections, mainframe and Data Warehouse extracts) flowing through UDS_Person and role tables (Student_Roles, HR_Roles, Special_Roles, Campus_ID, Authentication, PVI_UUID) to an LDAP export.]

Page 18

UDS v3

• Separated identity and role management functions

• Standardized source feeds

• Put affiliation definition back in source systems

• Abstracted business logic from code

Page 19

UW-MSN University Directory Service v3

[Diagram: source systems (ISIS: Students, Instructors, Advisors, Applicants) feed UDS v3, which in turn feeds services (Union, Parking, Rec Sports, Libraries).]

Page 20

PASE System

• Oracle tables: PL/SQL functions

• Interfaces
  – Java for user interfaces
  – Web services

• Shibboleth

Page 21

PASE Functions

Each function applies to an Affiliation or a Service:

• Create
• Delete
• Enable
• Disable
• Assign person to
• Add attribute to
• Remove attribute from

Page 22

PASE Affiliation & Service Management

• Entitlement: Map Services to Affiliations

• Query Functions
  – Is Eligible?
  – Is Member of Affiliation?
  – List affiliations/services by members or owners
  – Get service/affiliation
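The sponsor → person → affiliation → service bundle → service chain of slides 14 and 15, the Create/Enable/Disable/Assign functions of slide 21 and the query functions above, written out as an added Python example (not UW-Madison's PL/SQL code); the class and method names, bundle contents and the PVI value are assumptions:

```python
from dataclasses import dataclass, field
# Constructed model of the PASE chain on the slides: a sponsor registers a person into
# an affiliation; affiliations map to service bundles; bundles hold services. Assumed names.
@dataclass
class Affiliation:
    sponsor: str                                  # office/system that registers members
    enabled: bool = True                          # Enable/Disable (slide 21)
    members: set = field(default_factory=set)     # PVIs assigned to this affiliation
    bundles: set = field(default_factory=set)     # entitlements: mapped service bundles

class Pase:
    def __init__(self):
        self.affiliations, self.bundles = {}, {}  # bundle name -> set of service names
    def create_affiliation(self, name, sponsor):
        self.affiliations[name] = Affiliation(sponsor)
    def disable_affiliation(self, name):          # members stay recorded but lose entitlements
        self.affiliations[name].enabled = False
    def assign_person(self, pvi, affiliation):
        self.affiliations[affiliation].members.add(pvi)
    def remove_person(self, pvi, affiliation):
        self.affiliations[affiliation].members.discard(pvi)
    def create_bundle(self, name, services):
        self.bundles[name] = set(services)
    def entitle(self, affiliation, bundle):       # map a service bundle to an affiliation
        self.affiliations[affiliation].bundles.add(bundle)
    def is_member_of(self, pvi, affiliation):     # query: "Is Member of Affiliation?"
        aff = self.affiliations.get(affiliation)
        return bool(aff and aff.enabled and pvi in aff.members)
    def services_for(self, pvi):                  # query: list services by member
        return {s for name, aff in self.affiliations.items() if self.is_member_of(pvi, name)
                for b in aff.bundles for s in self.bundles[b]}
    def is_eligible(self, pvi, service):          # query: "Is Eligible?"
        return service in self.services_for(pvi)

def applicant_lifecycle():
    """Slide 8: an applicant sees only portal items until enrolled as a Student."""
    p = Pase()
    p.create_bundle("Applicant Portal", ["portal: admission status", "portal: financial aid"])
    p.create_bundle("Student Core", ["portal: admission status", "portal: financial aid",
                                     "email", "library e-reserves", "course management"])
    p.create_affiliation("Undergrad Applicant", "Office of Admissions")
    p.create_affiliation("Student", "ISIS")
    p.entitle("Undergrad Applicant", "Applicant Portal")
    p.entitle("Student", "Student Core")
    p.assign_person("PVI-0001", "Undergrad Applicant")       # constructed PVI
    before = p.services_for("PVI-0001")
    p.remove_person("PVI-0001", "Undergrad Applicant")       # status change at enrolment
    p.assign_person("PVI-0001", "Student")
    return before, p.services_for("PVI-0001")
```

Disabling an affiliation removes its members' entitlements without deleting the membership records, which is the distinction between the Disable and Delete functions on slide 21.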

Page 23

Page 24

Governance

• Requested by campus at PASE campus forum
  – PASE Policy Group

• Identity Management Leadership Group formed Jan. 2005

• Charged by Provost and CBO

• Led by Data Custodians

• Focus - IdM, PASE, Access to Data and Smart Card Initiatives

Page 25

Governance

• IMLG membership:
  – Registrar (co-chair)
  – Director of HR (co-chair)
  – Head of Libraries
  – Director of Facilities
  – Chief of UW Police
  – Director of UW-MSN Union
  – Head of Continuing Studies
  – CIO Office/Division of IT

Page 26

Governance Process

• Meets monthly

• Charges sub groups with deliberating on and presenting policies:
  – PASE Policy Working Group
  – PASE User Interface WG
  – PASE New Hires WG
  – One ID Card WG
  – Access to UDS Data WG

Page 27

PASE Policies & Processes

• Role of agents: sponsor, service providers, IMLG, administrators

• Institutional vs. other affiliations and services

• Process for service entitlement negotiation

• Security Framework:
  – Authorization
  – Session management, etc.

Page 28

[Diagram, “As seen by Mairéad”: four layers ordered 1. Technical, 2. Functional, 3. Policy, 4. Governance, with the PASE Project Team, the PASE User Interface, PASE Policy and PASE New Hires working groups, and the Identity Mgmt Leadership Group placed across them.]

Page 29

[Diagram, “As seen by Carrie”: the same groups, with the layers ordered 1. Governance, 2. Policy, 3. Functional, 4. Technical.]

Page 30

PASE Phase II (2005 - 06)

• System development:
  – Service and entitlement engine
  – PASE interfaces: provisioners, connectors, user interfaces
  – Infrastructures

• PASE policies and processes

• Security framework

Page 31

Relationship to Internet2 Signet/Grouper

• PASE predates Signet/Grouper efforts - not around when we got started in 2002/03

• PASE enterprise-wide system

• PASE not a separate registry but integral to our UDS registry

• Looking at Grouper APIs

Page 32

Contact Info

• Mairéad [email protected]

• Carrie [email protected]@cmu.edu

Page 33

PASE Glossary

• Affiliation: A person’s relationship to the institution. A person can have zero, one or many affiliations. An affiliation is similar to a role.

• Authorization: Typically, authorization indicates what a person, properly authenticated, is permitted to do with a networked object or resource.

• Entitlement: Association of an affiliation with a service.

• Population: Registered persons or persons that can be identified by means of a Publicly Visible Identifier (PVI).

Page 34

PASE Glossary

• Service: One or more activities represented in business terms. A service can either be totally automated (e.g., the mail system) or partially so (e.g., Rec Sports). Services of interest to this project are protected by an authorization process.

• Service Bundle: A set of one or more services. An example of this might be the bundle of services that all current members of the community get. In PASE, access privileges are defined by mapping one or more affiliations to a service bundle.

• Service Entitlement: The specific, more granular, actions within a service, e.g., Update student data.

Page 35

PASE Glossary

• Service Provider: The organizational entity responsible for a service.

• Sponsor: The UW entity that proposes new affiliations, possibly registers new groups of people into the UDS, and possibly also defines a person’s affiliation(s).

