

• Number of slides: 35

Implementing a Role Management System
Mairéad Martin, Carrie Regenstein
Internet2 Fall Meeting, September 20, 2005

Presentation Overview
• Drivers for role management at UW-Madison
• But what's it going to take?
• The Populations, Affiliations & Service Entitlements (PASE) project
– Architecture & Design
– Infrastructure
– Functionalities
– Governance
– Status & next steps
• Relationship to Internet2 Signet/Grouper

Driver #1: Identity Management
• "Cradle to Endowment": applicants, parents, students, staff, faculty, alumni, retirees, donors, visitors, guests, etc.
• Managed case by case in the Special Authorization system

Driver #2: Access to Services
• Need to provide select services to the extended institutional community, but:
• "All or nothing" service entitlement based on credentials
– Not clear who gets what services
– Services with varied risk and load tolerance

Driver #3: Enterprise portal - www.my.wisc.edu
• "One stop shopping" concept: registration, enrollment, earning statements, library services, calendar, email, etc.
• Affiliation and service lifecycle issues

Driver #4: Challenge or Opportunity?
• Seeking a strategic approach to an enterprise-wide problem
• Organizational, cultural, technical issues:
– Who decides priorities?
– Who decides policies?
– "Who ya gonna trust?"

What's it going to take?
• New institutional territory
• Clarify leadership and decision-making roles
• Strategic rather than "band aid" approach

CIO Office: Challenge & Opportunity #1
• Undergraduate applicants can access financial aid and admission status in the enterprise portal. They do not get any other services until they enroll and change status to Student.

CIO Office: Challenge & Opportunity #2
• The Biology 105 affiliation aggregates all students taking Biology 105 course sections. This affiliation has access to the course management system, portal, calendar and library e-reserves.

#3, #4, #5 ...
• A visiting professor needs access to the network and course management system.
• UW Hospital employees need access to the Parking application.
• UW Connections students get almost the same services as UW-Madison students.
• ...

What's it going to take?
• Define, represent, and manage the lifecycle of affiliations
• Support ad-hoc as well as institutional affiliations
• Support delegated administration
• Separate AuthN and AuthZ processes
• Determine who gets what
• Offer services selectively

What's it going to take?
• Engage stakeholders, work collaboratively
• Establish appropriate governance

Populations, Affiliations & Service Entitlements (PASE)
• Initiated in 2002
• Pilot with "Retirees" affiliation in 2003
• Phase 1 implementation: "PA" (Populations, Affiliations) in 2004/05
• Phase 2 implementation: "SE" and interfaces in 2005/06

Reflecting the business process
A sponsor (Source) registers a person, who has an affiliation, which is mapped to a service bundle, which consists of services, each of which is owned by a service provider.

Reflecting the business process: Undergrad Applicants
The Office of Admissions registers a person, who has the affiliation "Undergrad Applicant", which is mapped to the service bundle "Portal Access", which consists of services owned by the Division of Information Technology.

PASE Infrastructure
• Had to re-engineer our University Directory Service (UDS) person registry


UDS v3
• Separated identity and role management functions
• Standardized source feeds
• Put affiliation definition back in source systems
• Abstracted business logic from code

UW-MSN University Directory Service v3 (diagram)
Source systems (ISIS) feed UDS v3, which carries populations such as Students, Instructors, Advisors and Applicants and serves services such as Rec Sports, Union, Libraries and Parking.

PASE System
• Oracle tables; PL/SQL functions
• Interfaces
– Java for user interfaces
– Web services
• Shibboleth

PASE Functions
• Create
• Delete
• Enable
• Disable
• Assign person to
• Add attribute to
• Remove attribute from
Each function applies to:
Ø Affiliation
Ø Service

PASE Affiliation & Service Management
• Entitlement: map services to affiliations
• Query functions
– Is eligible?
– Is member of affiliation?
– List affiliations/services by members or owners
– Get service/affiliation
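The business-process chain on the earlier slides (sponsor registers a person, who has an affiliation, which is mapped to a service bundle of services owned by a provider), the lifecycle functions on the previous slide, and the query functions listed here, worked through as an added Python example. This is not PASE code: the real system was built on Oracle tables and PL/SQL. The class and method names (PaseRegistry, is_eligible, is_member_of_affiliation), the service names and the PVI value are constructed for illustration; the Undergrad Applicant scenario follows slides 8 and 15.

```python
"""Toy model of PASE-style entitlements: affiliation -> service bundle -> services.
Constructed example; not the PASE implementation."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Service:
    name: str
    owner: str  # the service provider responsible for the service


@dataclass
class Affiliation:
    name: str
    sponsor: str                                  # source that defines the affiliation
    enabled: bool = True
    members: set = field(default_factory=set)     # PVIs (person identifiers)
    attributes: dict = field(default_factory=dict)


class PaseRegistry:
    def __init__(self):
        self.affiliations = {}   # name -> Affiliation
        self.bundles = {}        # bundle name -> frozenset of Service
        self.entitlements = {}   # affiliation name -> bundle name

    # --- affiliation lifecycle: Create / Delete / Enable / Disable / Assign ---
    def create_affiliation(self, name, sponsor):
        if name in self.affiliations:
            raise ValueError(f"affiliation {name!r} already exists")
        self.affiliations[name] = Affiliation(name, sponsor)

    def delete_affiliation(self, name):
        self.affiliations.pop(name)
        self.entitlements.pop(name, None)  # removing the role also removes its entitlement

    def set_enabled(self, name, enabled):
        self.affiliations[name].enabled = enabled

    def assign_person(self, pvi, affiliation):
        self.affiliations[affiliation].members.add(pvi)

    def remove_person(self, pvi, affiliation):
        self.affiliations[affiliation].members.discard(pvi)

    # --- service bundles and entitlements (map a bundle to an affiliation) ---
    def define_bundle(self, name, services):
        self.bundles[name] = frozenset(services)

    def entitle(self, affiliation, bundle):
        if affiliation not in self.affiliations or bundle not in self.bundles:
            raise KeyError("unknown affiliation or bundle")
        self.entitlements[affiliation] = bundle

    # --- query functions ---
    def is_member_of_affiliation(self, pvi, affiliation):
        # a disabled affiliation confers no membership, so nothing it entitles leaks through
        aff = self.affiliations.get(affiliation)
        return aff is not None and aff.enabled and pvi in aff.members

    def services_for(self, pvi):
        out = set()
        for aff_name, bundle in self.entitlements.items():
            if self.is_member_of_affiliation(pvi, aff_name):
                out |= self.bundles[bundle]
        return out

    def is_eligible(self, pvi, service_name):
        return any(s.name == service_name for s in self.services_for(pvi))

    def affiliations_of(self, pvi):
        return sorted(a.name for a in self.affiliations.values() if pvi in a.members)


def undergrad_applicant_scenario():
    """Applicants see only financial aid and admission status until they become
    students; the service names and PVI below are constructed."""
    reg = PaseRegistry()
    doit = "Division of Information Technology"
    fin_aid = Service("financial-aid-status", doit)
    adm = Service("admission-status", doit)
    email = Service("email", doit)
    reg.define_bundle("Portal Access", {fin_aid, adm})
    reg.define_bundle("Student Services", {fin_aid, adm, email})

    reg.create_affiliation("Undergrad Applicant", sponsor="Office of Admissions")
    reg.create_affiliation("Student", sponsor="Registrar")
    reg.entitle("Undergrad Applicant", "Portal Access")
    reg.entitle("Student", "Student Services")

    pvi = "UW123456"  # constructed identifier
    reg.assign_person(pvi, "Undergrad Applicant")
    as_applicant = (reg.is_eligible(pvi, "admission-status"), reg.is_eligible(pvi, "email"))

    # status change: the applicant enrolls and becomes a Student
    reg.remove_person(pvi, "Undergrad Applicant")
    reg.assign_person(pvi, "Student")
    as_student = reg.is_eligible(pvi, "email")

    # lifecycle: disabling an affiliation suspends every entitlement it carries
    reg.set_enabled("Student", False)
    after_disable = reg.is_eligible(pvi, "admission-status")
    return as_applicant, as_student, after_disable
```

Eligibility is derived at query time from the affiliation-to-bundle map rather than stored per person, which is what lets a single Disable or Delete on an affiliation revoke access to every service in its bundle at once.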


Governance
• Requested by campus at PASE campus forum
– PASE Policy Group
• Identity Management Leadership Group formed Jan. 2005
• Charged by Provost and CBO
• Led by Data Custodians
• Focus: IdM, PASE, Access to Data and Smart Card initiatives

Governance
• IMLG membership:
– Registrar (co-chair)
– Director of HR (co-chair)
– Head of Libraries
– Director of Facilities
– Chief of UW Police
– Director of UW-MSN Union
– Head of Continuing Studies
– CIO Office/Division of IT

Governance Process
• Meets monthly
• Charges sub-groups with deliberating on and presenting policies:
– PASE Policy Working Group
– PASE User Interface WG
– PASE New Hires WG
– One ID Card WG
– Access to UDS Data WG

PASE Policies & Processes
• Role of agents: sponsor, service providers, IMLG, administrators
• Institutional vs. other affiliations and services
• Process for service entitlement negotiation
• Security framework:
– Authorization
– Session management, etc.

As seen by Mairéad (layers, bottom up)
1. Technical
2. Functional
3. Policy
4. Governance
Groups shown against these layers: PASE Project Team, PASE User Interface, PASE Policy, PASE New Hires, Identity Mgmt Leadership Group

As seen by Carrie (layers, top down)
1. Governance
2. Policy
3. Functional
4. Technical
Groups shown against these layers: Identity Mgmt Leadership Group, PASE Policy, PASE User Interface, PASE New Hires, PASE Project Team

PASE Phase II (2005-06)
• System development:
– Service and entitlement engine
– PASE interfaces: provisioners, connectors, user interfaces
– Infrastructures
• PASE policies and processes
• Security framework

Relationship to Internet2 Signet/Grouper
• PASE predates the Signet/Grouper efforts - they were not around when we got started in 2002/03
• PASE is an enterprise-wide system
• PASE is not a separate registry but integral to our UDS registry
• Looking at Grouper APIs

Contact Info
• Mairéad Martin: mmartin5@wisc.edu
• Carrie Regenstein: carrie@doit.wisc.edu, carrie1@cmu.edu

PASE Glossary
• Affiliation: A person's relationship to the institution. A person can have zero, one or many affiliations. An affiliation is similar to a role.
• Authorization: Typically, authorization indicates what a person, properly authenticated, is permitted to do with a networked object or resource.
• Entitlement: Association of an affiliation with a service.
• Population: Registered persons, or persons that can be identified by means of a Publicly Visible Identifier (PVI).

PASE Glossary
• Service: One or more activities represented in business terms. A service can be either totally automated (e.g., the mail system) or partially so (e.g., Rec Sports). Services of interest to this project are protected by an authorization process.
• Service Bundle: A set of one or more services. An example might be the bundle of services that all current members of the community get. In PASE, access privileges are defined by mapping one or more affiliations to a service bundle.
• Service Entitlement: The specific, more granular actions within a service, e.g., "Update student data".

PASE Glossary
• Service Provider: The organizational entity responsible for a service.
• Sponsor: The UW entity that proposes new affiliations, possibly registers new groups of people into the UDS, and possibly also defines a person's affiliation(s).