

Number of slides: 24

Authorization: Just when you thought middleware was no fun anymore
Keith Hazelton, Senior IT Architect, Univ. of Wisconsin-Madison
Member, Internet2 Middleware Architecture Comm. for Education (MACE)
Internet2 Fall Member Meeting, Indianapolis, Oct. 15, 2003 (15-Oct-03)
(Computer Policy and Law, Cornell University, 10-July-02)

Authorization related services: A broad vision and selected details
• UW-Madison as a concrete reference point for thinking Authorization thoughts

Core middleware services suite

Core middleware services suite: Identity Mgmt Services

Core Middleware Services: Directory / Identity Mgmt.
• Source system a, Source system b, Source system c
• AuthZ Info Mgmt.: Internet2 Grouper, Stanford Authority (Priv. Groups), UW-Msn PASE

Core middleware services suite: Security Services (AuthN / AuthZ …), Identity Mgmt Services

Core Middleware Services: Authentication, Authorization, …
• AuthZ Info Access: Shibboleth (intra and inter-inst.)
• AuthN: LDAP bind; PKI

PASE: A system for managing authorization information
A secure, delegated service to maintain and provide information about:
• Populations of interest to the university
• Affiliations (or roles) that a person has
• Services that members of a role get (i.e. what they are entitled to do)

PASE and authorization
• Typically, an authorization decision indicates whether a person or other principal is permitted to access a requested resource or invoke a requested service
• PASE is an authorization information management tool; it helps us manage key information needed for authorization processes
• PASE is the companion to our Identity Management System, the University Directory Service (UDS)

Current Limitations:
• Handling all populations
• Having clearly defined affiliation information
• Applying and documenting rules about who gets what
• Getting timely information with which to make access control decisions
• Handling special populations

Current limitations: handling special populations
• No system support for defining new types of affiliations
• Binary entitlement: either a person gets all services or gets none
• No delegated management:
  • For defining new groups of people
  • For granting group members access to services
• Result: difficult to add new groups

What is needed: An authorization information system with:
• Flexibility to handle new services and population types without reprogramming or other undue hassle
• Logical “single source” AuthZ info repository
• Secure, delegated administration
• A framework on which to implement policy

PASE relates the correct entities for greater flexibility and scalability
A sponsor (source) registers a person; a person has an affiliation; an affiliation is mapped to a service bundle; a service bundle consists of services; a service is owned by a service provider.

PASE, peer institutions and NMI/Internet2
• Draws from pioneer efforts
  • Stanford’s Authority system
  • MIT’s Roles DB
  • Internet2 Grouper WG
• On the cutting edge
  • Similar efforts at some institutions
  • We are one of the {b}leaders

The non-technical aspects of PASE
• Interests of sponsors and service providers are often not fully aligned
• Need for a business process to agree on mappings between affiliations and service bundles
• New role for sponsors as a result of their greater control: advocate for populations in negotiations with service providers

PASE Development: An Iterative Approach
• We intend to deliver PASE services in several phases.
• First cut: a pilot
  • To create the underlying structure end-to-end
  • To provide many of the functions for managing entities and their relationships
  • To manage risks (e.g., service disruption)
  • To assess design choices and make adjustments with minimum impact

PASE Pilot – Spec Auth Retirees
• Sponsor: Office of Human Resources
• Person (Population): Retiree bio/demo data
• Affiliation: Retirees
• Affiliation Types: UW-Madison, UW Extension, UW System Administration and UW Colleges
• Service Bundle: “Bucky Bundle”
• Services: UW Madison Libraries, My UW Madison Portal, UW Madison Photo Identification, UW Madison Recreational Sports, etc.
• Service Provider: Service Representatives

PASE Pilot - Out of Pilot Scope
• General access to information, both to maintain the data and to use the data for authorization decisions
• Negotiation between Sponsors and Service Providers
• Batch inputs

What’s Next?
• Report the results of the pilot
• Capture current services’ authorization rules
• Define roles and responsibilities of the various players
• Refine the links to UDS
• Develop interfaces to service providers

More on PASE: http://www.doit.wisc.edu/middleware/pase/index.asp
• Scott Fullerton, fullerton@doit.wisc.edu

What’s off this frame? Target-side: evaluating AuthZ info and policies
Security Services (AuthN / AuthZ …), Identity Mgmt Services

What’s off this frame? Target-side: processing AuthZ info and policies

Appendix: PASE Terms
• Affiliation: A person’s relationship to the institution. A person can have zero, one or many affiliations. An affiliation is similar to a role.
• Authorization: Typically, authorization indicates what a person, properly authenticated, is permitted to do with a networked object or resource.
• Service: One or more activities represented in business terms. A service can either be totally automated (e.g., the mail system) or partially so (e.g., Rec Sports). Services of interest to this project are protected by an authorization process.

PASE Terms (continued)
• Service Bundle: A set of one or more services. An example of this might be the bundle of services that all current members of the community get. In PASE, access privileges are defined by mapping one or more affiliations to a service bundle.
• Service Entitlement: The specific, more granular actions within a service, e.g., update student data.
• Service Provider: The organizational entity responsible for a service.
• Sponsor: The UW entity that proposes new affiliations, possibly registers new groups of people into the UDS and possibly also defines a person’s affiliation(s).
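The entity chain from the “PASE relates the correct entities” slide and the terms in this appendix, modelled as an added example (not UW-Madison’s PASE code; the class names and the retiree sample data are assumptions drawn from the pilot slide). It shows delegated administration (only the owning sponsor can enrol a person) and per-bundle rather than all-or-nothing entitlement:

```python
# Toy model of the PASE entities: a Sponsor registers a Person who has
# Affiliations; an Affiliation maps to a Service Bundle of Services, each owned
# by a Service Provider.  Added example; class names and data are assumptions.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Service:
    name: str
    provider: str       # Service Provider responsible for the service

@dataclass(frozen=True)
class Affiliation:
    name: str           # e.g. "Retirees"
    sponsor: str        # Sponsor that proposed and administers it
    bundle: frozenset   # Service Bundle this affiliation is mapped to

@dataclass
class Person:
    name: str
    affiliations: set = field(default_factory=set)  # zero, one or many

class PASE:
    """Logical 'single source' of AuthZ info with delegated administration."""
    def __init__(self):
        self.affiliations = {}
    def define_affiliation(self, name, sponsor, services):
        self.affiliations[name] = Affiliation(name, sponsor, frozenset(services))
    def register(self, sponsor, person, affiliation):
        # Delegated management: only the affiliation's own sponsor may enrol.
        aff = self.affiliations[affiliation]
        if aff.sponsor != sponsor:
            raise PermissionError(f"{sponsor} does not sponsor {affiliation}")
        person.affiliations.add(affiliation)
    def entitled_services(self, person):
        # Union of all held bundles: per-bundle, not all-or-nothing entitlement.
        bundles = (self.affiliations[a].bundle for a in person.affiliations)
        return set().union(*bundles)
    def is_authorized(self, person, service):
        return service in self.entitled_services(person)

def pilot():
    # Constructed sample mirroring the "Spec Auth Retirees" pilot slide.
    libraries = Service("UW Madison Libraries", "Service Representative")
    portal = Service("My UW Madison Portal", "Service Representative")
    pase = PASE()
    pase.define_affiliation("Retirees", "Office of Human Resources",
                            {libraries, portal})   # the "Bucky Bundle"
    retiree = Person("constructed retiree")
    pase.register("Office of Human Resources", retiree, "Retirees")
    return pase, retiree, libraries, portal
```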